Sunday, June 15, 2025

69% of Companies That Pay Ransomware Demands Get Hit Again, Says Veeam Report

Paying cybercriminals doesn’t solve the problem—in fact, it may make it worse. According to the Veeam 2025 Ransomware Trends and Proactive Strategies Report, 69% of global organizations that paid a ransom in the past year were targeted again. Under pressure and fearing legal, financial, and reputational fallout, many companies choose to give in to extortion. But this approach is rarely effective: nearly 1 in 5 organizations (17%) that paid the ransom still failed to recover their data.

The report underscores that the most effective defense against ransomware is a comprehensive data resilience strategy combined with a formally defined decision-making protocol regarding ransom payments. However, only 26% of organizations report having such a procedure in place.


Ransomware Attacks: A Critical Moment for Any Business

When ransomware hits, entire infrastructures grind to a halt. Security teams operate under extreme pressure, while attackers engage in psychological manipulation, using increasingly sophisticated social engineering tactics. Veeam notes the growing prevalence of “double extortion” attacks, where cybercriminals not only encrypt data but also exfiltrate it—threatening to release it publicly unless their demands are met.

Moreover, the “dwell time”—the period between a breach and the actual ransomware deployment—is shrinking, often to under 24 hours. In such high-stress situations, many businesses opt to pay the ransom, hoping to limit the damage.


A Vicious Cycle That Fuels Crime

Paying the ransom, however, rarely resolves the issue. Of the companies surveyed by Veeam that paid, 17% were unable to recover their data. Worse yet, nearly 70% of these companies experienced subsequent ransomware incidents. Paying once sends a clear message to cybercriminals: this organization will likely pay again.

This perpetuates a self-reinforcing cycle, encouraging both original attackers and opportunistic copycats to strike again. Every ransom payment directly finances further criminal operations, enabling ransomware gangs to launch more sophisticated campaigns.


International Pushback Against Ransom Payments

Recognizing this growing threat, global initiatives like the Counter Ransomware Initiative (CRI)—founded in 2021 and involving 68 countries—aim to mitigate the impact of ransomware and discourage ransom payments. Legal restrictions are emerging as well. In the UK and in several U.S. states, public sector agencies are now prohibited from paying ransoms. Companies choosing to pay may soon face not just business consequences, but potential legal liabilities.


If Not Paying, Then What?

In today’s cyber landscape, the question is no longer “if” or “when” a ransomware attack will occur—but how often. The best form of protection is preparation.

This means developing a comprehensive data resilience strategy, which includes:

  • Clear data management policies (labeling, storing, and locating data appropriately)
  • Regular backups stored in secure, immutable environments
  • A proven recovery plan that ensures data can be restored quickly and safely

An effective response also requires close collaboration between IT and security teams. Yet, 52% of companies surveyed admit this coordination needs to be significantly improved in their organizations. Crucially, awareness training for all employees—not just IT staff—is necessary to keep pace with the constantly evolving threat landscape.


This Is No Time to Panic

One essential preparation tool is a cybersecurity playbook—a structured set of procedures for before, during, and after an incident. When stress levels peak, this playbook becomes the anchor for effective decision-making. Encouragingly, 98% of companies have such a document in place. However, fewer than half include core technical components such as:

  • Verified, regularly updated backups
  • Contingency IT infrastructure
  • Isolation protocols for compromised systems

Only 26% of companies have a formal procedure for deciding whether to pay a ransom, and just 30% have an established “chain of command”—a decision-making hierarchy modeled on military best practices. During a crisis, there’s no time for debate. Everyone must know who to report to, who decides, and who is accountable. Without clear roles, even the best plans can fall apart.


A Test No Company Can Afford to Fail

Paying ransom offers no guarantee of recovery or future safety. A successful incident response begins long before any malware is launched. Clear strategy, rehearsed action plans, and seamless collaboration between departments are essential.

Ransomware today is no longer just a one-time event—it’s a test of organizational resilience. From technology to processes to people, companies that pass this test have one thing in common: they know exactly what to do before it’s too late.


Author: Tomasz Krajewski
Technical Sales Director for Eastern Europe, Veeam
Source: Manager Plus
