Posted By Jessica Weisman-Pitts
Posted on January 28, 2025

There are all kinds of cyber threats in the digital landscape today - from business email compromise scams to nation-state hackers stealing intellectual property. But none of these hacking perils seem quite as terrifying or overtly malicious as ransomware attacks.
In an instant, ransomware can bring even multi-billion dollar global companies to their knees by hijacking critical data and threatening to destroy it forever unless firms pay extortion fees. So, it's no wonder ransomware captures executive mindshare - it's one of the quickest ways to upend business operations catastrophically.
Yet, as it turns out, more and more companies are taking a hard and bold stance against this rising threat—choosing not to pay out. So, is this move a commendable stroke of bravery, or is it a naive play to try to deter hackers? Let’s explore.
The Ransomware Epidemic Rages On
Firstly, what is ransomware? It’s a type of malware that effectively holds the files of users or organizations for ransom. Malicious actors encrypt files belonging to organizations and demand a ransom payment for the decryption key. Ransomware attacks have become ubiquitous. Hardly a week goes by without another significant incident making headlines. From schools and universities to the NHS, these cyber extortion schemes are disrupting organizations of all kinds. The problem only continues to grow, with numbers showing ransomware attacks increasing yearly.
For most victims, the attacks follow a similar pattern. Hackers gain access, often through phishing emails or exploiting vulnerabilities. They covertly install malware that silently encrypts critical files across the network. Then springs the trap – a ransom note demanding payment to release the hijacked data. The sums typically run from hundreds to tens of thousands, sometimes even millions - all paid in cryptocurrencies like Bitcoin.
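The attack pattern described above leaves a measurable footprint that defenders can look for: files that suddenly contain near-random (encrypted) data, new file extensions, and ransom notes dropped alongside them. The following script is an added example, not code from the article, showing a simple triage heuristic for that footprint. It works on a constructed in-memory set of files (names and contents are made up for the demonstration), uses Shannon entropy to spot encrypted-looking content, exempts formats that are naturally high-entropy (archives, images, video) to limit false positives, and raises an alert when a large share of files looks encrypted or a ransom-note-like file appears.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Extensions whose contents are compressed and therefore high-entropy by design;
# these are excluded so that they do not look "encrypted" to the heuristic.
COMPRESSED_EXTENSIONS = (".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf")

# Words commonly found in ransom-note filenames (assumed, illustrative list).
RANSOM_NOTE_MARKERS = ("readme", "recover", "decrypt", "restore", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Random or encrypted data approaches 8.0;
    English text usually sits around 4 to 5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag files whose content is near-random, ignoring known compressed formats
    and very small files, where entropy estimates are unreliable."""
    if name.lower().endswith(COMPRESSED_EXTENSIONS):
        return False
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def looks_like_ransom_note(name: str) -> bool:
    """Ransom notes are typically plain text/HTML with 'recover'/'decrypt'-style names."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.endswith((".txt", ".html", ".hta")) and any(
        marker in base for marker in RANSOM_NOTE_MARKERS
    )


def triage(files: Dict[str, bytes], ratio_alert: float = 0.5) -> dict:
    """Return which files look encrypted, which look like ransom notes, and
    whether the combination warrants an incident alert."""
    encrypted: List[str] = [n for n, d in files.items() if looks_encrypted(n, d)]
    notes: List[str] = [n for n in files if looks_like_ransom_note(n)]
    ratio = len(encrypted) / len(files) if files else 0.0
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "encrypted_ratio": ratio,
        "alert": ratio >= ratio_alert or bool(notes),
    }


# Constructed sample data standing in for a file share after an incident.
_rng = random.Random(1)
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
_text_blob = b"Quarterly revenue summary for the northern region. " * 20

SAMPLE_FILES: Dict[str, bytes] = {
    "reports/q3.docx": _text_blob,                 # untouched document
    "reports/q2.docx.locked": _random_blob,        # encrypted copy with new extension
    "finance/ledger.xlsx.locked": _random_blob,    # encrypted copy with new extension
    "photos/team.jpg": _random_blob[:2048],        # high entropy but a legitimate format
    "HOW_TO_RECOVER_FILES.txt": _text_blob[:300],  # ransom-note-like filename
}


def run_sample() -> dict:
    return triage(SAMPLE_FILES)


if __name__ == "__main__":
    result = run_sample()
    print("encrypted-looking:", result["encrypted"])
    print("ransom notes:", result["ransom_notes"])
    print("alert:", result["alert"])
```

In practice this logic would run over a file-integrity or EDR event stream rather than a static directory listing, and the thresholds (entropy cut-off, share of files affected) would be tuned against a baseline of normal activity so that backup jobs or bulk archive creation do not trigger it.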
To Pay or Not To Pay? Businesses Are Increasingly Just Saying No
Faced with this criminal shakedown, it may seem that paying the fee is the only way to limit damage and restore operations. Indeed, many businesses hand over the money. However, many companies are now refusing to give in to these demands on principle. Many enterprise security experts are also increasingly advising clients against meeting ransomware payment requests.
Why Are More Businesses Taking This Hardline Stance?
With hackers upping ransom demands and no guarantee files will be released, what accounts for this principled stand? There are several compelling reasons more and more businesses won't pay up:
1. Refusing Ransoms Discourages Future Attacks
Giving in to extortionists only encourages further criminal activity. As with kidnappings, paying the ransom is what makes the attacks profitable. So, by taking payments off the table, organizations hope to disrupt the ransomware business model and disincentivize future campaigns. This collective stand requires strength in numbers but promises to reduce overall attack frequency.
2. The Ethical Argument Against Lining Criminals' Pockets
For many business leaders, paying ransoms also represents an ethical line they're unwilling to cross. Even with insurance policies that reimburse cyber extortion fees, they object on principle to directly funding criminal organizations. This unintentionally helps hackers advance their technological capabilities and expand operations. To these decision-makers, refusing payments is the moral choice despite the near-term impacts of lost data access.
3. Making a Public Commitment Bolsters Resolve
Announcing a formal non-payment ransomware policy also showcases organizations' resolve in the face of future attacks. Publicly declaring this stand makes it much harder for leadership to subsequently override the position when faced with real pressure after a breach. Consider it deliberately closing potential loopholes in advance to avoid temptation later.
4. Paying Doesn't Guarantee File Recovery Anyway
Here's another underappreciated point – even businesses that agree to ransoms sometimes don't get their data back. After receiving payments, hackers sometimes simply go dark without restoring system access. Or they'll provide the decryption keys, but they only work partially, if at all. Moreover, companies can pay the ransom and still get hit by a second attack from the same hackers anyway. With such a grim reality, enterprises are reluctant to even engage with extortionists that can't be trusted.
Good Cyber Hygiene Is More Critical Than Ever
To be absolutely clear, refusing to pay ransoms is still extremely risky. Without decrypted files, companies can face weeks of disrupted operations, permanent data losses, or even bankruptcy. However, for a moral vanguard, tolerating those worst-case scenarios is preferable to enabling criminal hackers.
Of course, the very best outcome is avoiding ransomware attacks entirely through comprehensive cybersecurity plans. With staunch non-payment stances becoming more widespread, all organizations need to redouble efforts around IT security basics. This includes regularly patching vulnerabilities, restricting application permissions, training employees on phishing prevention, keeping offline backups, and implementing layered defense systems.
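Of the basics listed above, offline backups are what make a non-payment stance survivable, and a backup is only useful if it is known to be intact before it is needed. The script below is an added example, not from the article, of the routine check a practitioner would run: record a SHA-256 manifest of the protected files when the backup is taken, then verify the backup set against that manifest before trusting it for a restore, reporting files that are missing, modified (for example, overwritten with ciphertext), or unexpectedly present. The file names and contents are constructed for the demonstration.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content at backup time.
    The manifest should be stored with the offline copy, not on the live network."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(manifest: Dict[str, str], backup: Dict[str, bytes]) -> dict:
    """Compare a backup set against its manifest and classify every path."""
    ok: List[str] = []
    modified: List[str] = []
    missing: List[str] = []
    for path, expected in manifest.items():
        if path not in backup:
            missing.append(path)
        elif sha256_hex(backup[path]) != expected:
            modified.append(path)
        else:
            ok.append(path)
    unexpected = [p for p in backup if p not in manifest]
    return {
        "ok": ok,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "restorable": not modified and not missing,
    }


# Constructed sample: the state of a file share when the backup was taken ...
ORIGINAL_FILES: Dict[str, bytes] = {
    "hr/payroll.csv": b"id,name,amount\n1,Alice,5000\n2,Bob,4800\n",
    "legal/contract.docx": b"PK\x03\x04 constructed docx placeholder bytes",
    "ops/runbook.md": b"# Runbook\n1. Isolate host\n2. Restore from offline copy\n",
}

# ... and a backup set that was left online and partially overwritten afterwards.
TAMPERED_BACKUP: Dict[str, bytes] = {
    "hr/payroll.csv": b"\x9f\x3a\x11\xc0 constructed stand-in for ciphertext",
    "legal/contract.docx": ORIGINAL_FILES["legal/contract.docx"],
    "HOW_TO_RECOVER_FILES.txt": b"constructed ransom note text",
}


def run_sample() -> dict:
    manifest = build_manifest(ORIGINAL_FILES)
    return verify_backup(manifest, TAMPERED_BACKUP)


if __name__ == "__main__":
    result = run_sample()
    for category in ("ok", "modified", "missing", "unexpected"):
        print(f"{category}: {result[category]}")
    print("restorable:", result["restorable"])
```

The same check run against a genuinely offline copy (one that was disconnected after the backup completed) returns every path as `ok`, which is the evidence a team needs before deciding that the ransom does not have to be paid.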
Shoring up those fundamental precautions is the only reliable way to prevent the impossible dilemma of weighing non-payment principles against potential business catastrophe. In effect, governments and industry groups hope refusing ransoms will help motivate improved security hygiene when lives or fortunes are on the line.
Additional Factors Driving the Non-Payment Movement
With high stakes on both sides, why has the tide turned so sharply against meeting hacker ransom demands? Beyond the reasons outlined above, additional pivotal factors are expanding the adoption of strict non-payment policies:
Insurance Changes Incentivizing Better Security
Cyber insurance providers also insert clauses in policies that void coverage if companies don't meet minimum security standards. This seeks to curb the moral hazard problem of customers paying insufficient attention to defence measures when insurers bear the costs. The result incentivizes policyholders to adopt better protocols just to maintain insurance eligibility, which in turn makes ransomware attacks less likely while simultaneously limiting options to cover ransoms through existing policies.
Too Much Reputational Damage From Paying Out
Paying ransoms increasingly causes too much reputational damage, especially for prominent brands concerned with maintaining trust. Customers lose confidence that companies can safeguard their data. Business partners hesitate to share information that is vulnerable to compromise. Investors grow wary of firms exhibiting cybersecurity weaknesses. Board directors face scrutiny over breach response decisions. This presents a significant risk for companies highly sensitive to brand perception.
Talent Impact of Perceived Security Vulnerabilities
Top talent also avoids working for organizations viewed as having inadequate security controls. This exacerbates the already fierce competition for hiring scarce cybersecurity professionals. When candidates have options, businesses with ransom payout track records are screened out of consideration. Without talent to bolster defenses, the cycle repeats, with organizations unable to pay ransoms or prevent ongoing attacks.
Final Word
In this intensifying standoff, something has to give between hackers continually escalating attacks and victims refusing payments. But for businesses taking a moral line in the sand, there are no more fallback options – it's lockdown security or bust.
It’s a bold stance, but it’s likely the right play in the long term—not just for the businesses themselves but for their industries and the economy as a whole.