No organisation plans to negotiate with criminals. Yet every year, thousands of organisations find themselves in exactly that position: staring at a ransom note on encrypted systems, with no clean backups, business operations halted, and a clock ticking toward data publication on a leak site. The question of whether to pay the ransom is never purely technical. It is a decision that sits at the intersection of law, ethics, business continuity, insurance, and cold economic calculus.
This article does not advocate for or against payment. It provides the technical, legal, and strategic framework that organisations need to make an informed decision if they ever face one, and more importantly, the preparation that ensures they never have to.
The Economics of Ransomware
How Ransomware Groups Set Ransom Amounts
Ransom demands are not arbitrary. Sophisticated RaaS (Ransomware-as-a-Service) operations conduct reconnaissance on their victims before setting the price. The factors include:
- Revenue analysis — attackers check annual revenue through public filings, LinkedIn employee counts, Dun & Bradstreet, and industry databases. The typical initial demand is 1-3% of estimated annual revenue.
- Cyber-insurance coverage — attackers actively search for cyber-insurance policy documents during the intrusion. Finding a policy with a ransomware-payment endorsement significantly increases the demand because the attacker knows the organisation has coverage.
- Data sensitivity — healthcare records, legal communications, financial data, and intellectual property command higher ransoms because the double-extortion threat (publishing stolen data) carries greater reputational and regulatory damage.
- Backup status — if attackers confirm that backups have been destroyed or encrypted, they increase the demand because the victim has no recovery alternative.
Payment Statistics
- Average ransom payment in 2025: $568,000 (Coveware)
- Median ransom payment: $200,000 (the average is skewed by multi-million-dollar payments from large enterprises)
- Percentage of victims who pay: 28-34% (declining from 46% in 2021 as backup strategies improve)
- Percentage who recover all data after paying: 65%
- Percentage attacked again after paying: 80% within 12 months
- Total ransomware payments globally in 2025: estimated $1.1 billion
Legal and Regulatory Framework
OFAC Sanctions Risk
The most significant legal risk associated with ransom payment is sanctions compliance. The US Treasury's OFAC maintains lists of sanctioned individuals, organisations, and countries. Making a payment to a sanctioned entity is a strict-liability offence — meaning the payer can be penalised even if they did not know the recipient was sanctioned.
Several ransomware groups and their operators are on OFAC lists:
- Evil Corp (Maksim Yakubets) — sanctioned since December 2019
- Conti / Trickbot operators — multiple individuals sanctioned
- North Korean state-affiliated groups — payments to DPRK-linked operations violate multiple sanctions programmes
- Russian state-affiliated entities — expanded sanctions since 2022 create uncertainty around groups with possible Russian intelligence ties
The challenge: ransomware groups do not identify themselves by their OFAC designation. Groups rebrand, merge, and splinter regularly. An organisation negotiating with a group calling itself "DarkAngels" has no reliable way to determine whether the operators are sanctioned individuals operating under a new brand.
Reporting Requirements
- CIRCIA (US) — the Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report ransom payments to CISA within 24 hours
- SEC (US) — public companies must disclose material cybersecurity incidents within 4 business days (Form 8-K)
- GDPR (EU/UK) — if personal data is compromised, notification to the supervisory authority within 72 hours and to affected individuals without undue delay
- State-level laws (US) — most states have breach-notification requirements triggered by ransomware incidents involving personal data
Insurance Implications
Cyber-insurance policies increasingly govern ransomware response. Key policy considerations:
- Ransomware payment coverage — not all policies cover ransom payments. Those that do often require pre-approval from the insurer before any payment is made.
- Negotiation panel — insurers typically require the use of their approved incident-response and negotiation firms. Using an unapproved firm may void coverage.
- Sanctions screening — insurers will not approve payments to sanctioned entities and require a sanctions check before authorising payment.
- Sublimits — ransom payment coverage often has a sublimit (e.g., $500,000 on a $5 million policy), and the deductible may apply separately to the ransom payment and business-interruption components.
- Premium impact — making a ransomware claim, especially with payment, increases future premiums by 50-200% and may result in non-renewal.
How Ransomware Negotiation Works
Initial Contact
Ransom notes typically include a Tor hidden-service URL or a dedicated email address for communication. Established RaaS operations run customer-service-style portals with chat interfaces, countdown timers, and file-upload capabilities for proof-of-life decryption tests.
The first rule of negotiation: do not communicate until you have assembled your team. Premature contact signals desperation. The recommended team includes:
- Incident-response firm (technical assessment and recovery effort)
- Legal counsel with cybersecurity and sanctions expertise
- Ransomware negotiation specialist (if payment is being considered)
- Insurer's appointed firms (if cyber-insurance is in place)
- Law enforcement liaison (FBI, CISA, or local equivalent)
Professional Negotiation Tactics
Ransomware negotiation is a specialised profession that emerged from the convergence of crisis negotiation (hostage/kidnap) and cybersecurity incident response. A negotiator's approach includes:
- Intelligence gathering — identify the attacker group, research their negotiation history, typical discount patterns, and decryption reliability. Some groups are known to honour agreements; others are not.
- Timeline management — attackers set artificial deadlines ("pay within 72 hours or the price doubles"). Negotiators demonstrate that these deadlines are flexible by continuing to communicate past them.
- Financial hardship narrative — present evidence (selectively) that the organisation cannot afford the initial demand. Provide limited financial information that supports a lower payment without revealing the organisation's true capacity.
- Proof-of-life request — before any payment discussion, request decryption of 2-3 sample files to verify that the attacker actually holds the decryption key and that it works.
- Incremental counter-offers — start at 10-20% of the initial demand and negotiate upward in small increments. The goal is typically settlement at 30-50% of the initial ask.
- Payment mechanics — negotiate the payment cryptocurrency (Bitcoin is most common; Monero provides more privacy for the attacker), wallet address, and the handover process for the decryption tool.
Typical Negotiation Timeline
- Hours 0-12 — discovery, containment, team assembly. No contact with attacker.
- Hours 12-24 — initial assessment of backup viability, scope of encryption, data-exfiltration exposure. Legal counsel engaged.
- Day 2-3 — if payment is being considered, initial contact through negotiator. Proof-of-life request. Sanctions screening.
- Day 3-7 — negotiation exchanges (typically 4-8 rounds of counter-offers). Parallel recovery effort from backups.
- Day 7-14 — final negotiation, payment execution (if authorised), decryption tool receipt and testing. Recovery continues regardless of payment outcome.
The Payment Decision Framework
The decision to pay should be treated as a structured risk assessment, not an emotional response to the crisis. The framework evaluates four conditions, all of which must be met before payment is considered rational:
Condition 1: No Viable Recovery Alternative
Payment should only be considered if:
- All backups have been verified as destroyed, encrypted, or corrupted
- No decryption tool exists for the ransomware variant (check nomoreransom.org)
- Shadow copies and recovery partitions are confirmed destroyed
- Forensic analysis confirms no recovery path from the encrypted data itself
Condition 2: Existential or Life-Safety Risk
The business impact must be severe enough to justify the risks of payment:
- Patient safety in healthcare (encrypted medical-device systems, unavailable records)
- Critical infrastructure (water treatment, power grid, emergency services)
- Business survival (small business without the resources to rebuild from scratch)
- Irreplaceable data (research data that cannot be recreated, legal evidence)
Condition 3: Sanctions Clearance
Legal counsel must confirm:
- The attacker group is not on OFAC SDN, EU sanctions, or UK sanctions lists
- The group's lineage does not trace to a sanctioned predecessor (e.g., Conti successors)
- The payment mechanism does not route through sanctioned jurisdictions
Condition 4: Law Enforcement Notification
Law enforcement should be notified before payment. In some cases, law enforcement may have intelligence that affects the decision (e.g., the attacker group is known to provide faulty decryption, or a free decryptor is about to be released).
The Case Against Payment
- Funding the criminal ecosystem — every ransom payment funds the development of more sophisticated ransomware, finances the RaaS ecosystem, and incentivises new entrants into cybercrime
- Targeting signal — paying identifies the organisation as a future target. The 80% re-attack rate demonstrates this clearly.
- Unreliable recovery — 35% of payers do not recover all data. Decryption tools are frequently buggy, slow, and require significant manual intervention.
- Double-extortion persistence — payment for decryption does not address the exfiltrated data. Attackers may still publish stolen data or use it for future extortion.
- Insurance and premium impact — claims involving payment result in dramatically higher premiums and potential policy non-renewal
- Regulatory scrutiny — regulators increasingly view ransomware payment as evidence of inadequate security controls and may levy additional penalties
Preparation: Eliminating the Need to Pay
The organisations that never face the payment decision are those that have eliminated the conditions under which payment becomes rational. The preparation portfolio includes:
Immutable Backups
Immutable backups (WORM — Write Once Read Many) cannot be modified or deleted by ransomware, even if the attacker has domain-admin credentials. Implementations include:
- Cloud object storage with immutability locks (AWS S3 Object Lock, Azure Immutable Blob Storage)
- Tape backups stored offline (air-gapped by definition)
- Immutable repository configurations in backup products (Veeam Hardened Repository, Rubrik)
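A retention audit is how you confirm that an Object Lock backup set actually meets the "cannot be deleted even with admin credentials" bar. The following is an added example (not from the article or any vendor's tooling) over constructed retention records shaped like what boto3's get_object_retention returns; the bucket name, object keys and dates are invented sample data.

```python
"""Audit S3 Object Lock retention on a backup set.

Every backup object version must be under COMPLIANCE-mode retention that lasts
through the required window. GOVERNANCE mode is flagged because any principal
holding s3:BypassGovernanceRetention can still delete the version, so it does not
protect against an attacker who has taken over privileged cloud credentials.
Bucket-level default retention is also not proof: it applies only to objects
written after it was enabled, so each existing version has to be checked.
"""
from datetime import datetime, timedelta, timezone

# Constructed "now" so the sample data and its evaluation are reproducible.
SAMPLE_NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# Constructed sample data (assumption, not a real bucket): one record per object,
# in the shape of boto3's s3.get_object_retention(...)["Retention"]. In practice
# these come from s3.list_object_versions(Bucket=...) followed by
# get_object_retention for each version; None marks a version with no retention.
SAMPLE_RETENTION = {
    "backups/2025-06-01/full.tar.zst": {"Mode": "COMPLIANCE",
                                        "RetainUntilDate": SAMPLE_NOW + timedelta(days=90)},
    "backups/2025-06-02/incr.tar.zst": {"Mode": "GOVERNANCE",
                                        "RetainUntilDate": SAMPLE_NOW + timedelta(days=90)},
    "backups/2025-06-03/incr.tar.zst": {"Mode": "COMPLIANCE",
                                        "RetainUntilDate": SAMPLE_NOW + timedelta(days=7)},
    "backups/2025-06-04/incr.tar.zst": None,
}


def audit_retention(retention_by_key: dict, now: datetime, min_days: int) -> dict:
    """Return {object_key: reason} for every version that is not adequately locked.

    An empty result means every version is COMPLIANCE-locked at least min_days
    into the future, which is the posture the "immutable backups" claim relies on.
    """
    horizon = now + timedelta(days=min_days)
    findings = {}
    for key, ret in retention_by_key.items():
        if not ret:
            findings[key] = "no retention: deletable with s3:DeleteObjectVersion"
        elif ret["Mode"] != "COMPLIANCE":
            findings[key] = f"{ret['Mode']} mode: bypassable with s3:BypassGovernanceRetention"
        elif ret["RetainUntilDate"] < horizon:
            findings[key] = (f"retention ends {ret['RetainUntilDate'].date()}, "
                             f"before required horizon {horizon.date()}")
    return findings


def demo() -> dict:
    """Run the audit on the constructed sample with a 30-day required window."""
    return audit_retention(SAMPLE_RETENTION, SAMPLE_NOW, min_days=30)
```

Only the first object passes; the other three are exactly the cases that turn a "backup exists" claim into a recovery gap once an attacker holds cloud credentials.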
Tested Recovery Procedures
Backups are only useful if recovery works. Quarterly recovery tests should include:
- Full-system restoration to verify backup integrity
- Recovery-time measurement (compare against RTO requirements)
- Restoration to alternative infrastructure (in case primary is compromised)
- Application-level testing (not just file restoration but functional verification)
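The integrity check and the recovery-time measurement in the list above can be scripted so a quarterly restore test produces a pass/fail result rather than an impression. The following is an added example, not the article's or any backup product's code: it records a SHA-256 manifest at backup time, times an arbitrary restore routine, and diffs the restored tree against the manifest. The three-file source tree, the deliberately lossy restore function and the four-hour RTO are constructed for the demonstration.

```python
"""Restore-test verifier: hash manifest at backup time, verify after restore,
and compare measured recovery time against the RTO."""
import hashlib
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Diff a restored tree against the manifest: missing, altered, and extra files."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def recovery_test(manifest: dict, restore_fn, rto_seconds: float) -> dict:
    """Time restore_fn() (whatever performs the restore and returns its root
    directory), then verify the result. 'intact' is only True when the diff is empty."""
    start = time.monotonic()
    restored_root = restore_fn()
    elapsed = time.monotonic() - start
    report = verify_restore(manifest, restored_root)
    return {"intact": not any(report.values()), "elapsed_seconds": elapsed,
            "within_rto": elapsed <= rto_seconds, "report": report}


def demo() -> dict:
    """Constructed scenario: a 3-file source tree and a restore that silently
    alters one file and never brings back another, as a corrupted backup would."""
    src = Path(tempfile.mkdtemp())
    for name, data in {"db/orders.sql": b"INSERT INTO orders ...",
                       "etc/app.conf": b"port=8443", "docs/readme.txt": b"hello"}.items():
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(data)
    manifest = build_manifest(src)  # recorded at backup time, stored apart from the backup

    def lossy_restore() -> Path:
        dst = Path(tempfile.mkdtemp())
        (dst / "db").mkdir(); (dst / "db/orders.sql").write_bytes(b"INSERT INTO orders ...")
        (dst / "etc").mkdir(); (dst / "etc/app.conf").write_bytes(b"port=80")  # altered
        return dst  # docs/readme.txt is never restored

    return recovery_test(manifest, lossy_restore, rto_seconds=4 * 3600)
```

Keep the manifest outside the backup set it describes; a manifest stored alongside the data is encrypted or deleted with it.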
Incident-Response Retainer
Pre-establish relationships with an IR firm, legal counsel, and negotiation specialist before an incident occurs. During a ransomware crisis, these firms are in high demand with wait times of 24-48 hours. Retainer agreements guarantee priority response.
Cyber Insurance with Clear Terms
Understand your policy before an incident:
- Is ransomware payment covered?
- What is the sublimit for ransom payment?
- Which IR and negotiation firms are on the approved panel?
- What actions require insurer pre-approval before proceeding?
- Does the policy cover business interruption during recovery?
The most effective ransomware-defence posture is one in which the payment question is irrelevant. Organisations with immutable backups, tested recovery procedures, and pre-established response teams recover from ransomware in 3-5 days without paying. The attackers' only leverage is the threat of data publication, and organisations with strong data-classification and encryption-at-rest practices can significantly mitigate even that risk.
Preparation removes the leverage that makes ransomware profitable. If every organisation could recover without paying, the ransomware business model would collapse.
