The Ransom Reckoning: Why Paying Was Never a Recovery Strategy
For most of the past decade, the ransomware conversation inside enterprise boardrooms turned on a single, agonising decision made under maximum pressure: should we pay? That question, according to the security leaders now advising organisations through these incidents, has quietly become obsolete. The decision is increasingly settled long before an attacker’s note arrives.
What has taken its place is a more uncomfortable inquiry, one that cuts to how exposed these organisations were all along. Meriam ElOuazzani, Vice President for Middle East, Turkey, and Africa at Censys, has watched the old framing collapse entirely. “Two years ago, the question was almost always some version of: ‘Should we pay?’ Today, that question has already been answered internally before anyone calls me,” she said. “What I’m hearing now is different: ‘We paid last time, it didn’t work, and we need to understand why we’re still exposed.’” That shift, she added, arrives with a realisation most organisations would rather not confront, and it is reshaping how the entire pay-or-not-pay calculus now plays out.
The data turned payment from a solution into a subscription
The figure driving the change is difficult to argue with once it reaches a board. “The data behind it is striking: 83% of organisations that paid a ransom were attacked again,” ElOuazzani said. “Once that number circulates in a boardroom, the conversation changes permanently. Payment stops feeling like a solution and starts feeling like a subscription to future attacks.”
What paying actually revealed, in her account, is more uncomfortable than the second attack itself.
“The harder conversation I’m having now is about what paying actually revealed: that the attacker had a cleaner picture of the organisation’s infrastructure than the organisation itself did,” she explained. The remedy Censys offers, she said, is the outside-in view, “the same one the adversary used to find the entry point in the first place. Most organisations, when they finally look at themselves that way, are uncomfortable with what they see.” Her summary of where CISOs have landed was blunt: “CISOs aren’t asking whether to pay anymore. They’re asking how they became the target. That’s the right question, and it’s arriving about two years too late.”
Independent industry data confirms the move away from payment
This is not a regional anomaly or a single vendor’s anecdote. Mena Migally, Regional Vice President for EMEA East at Veeam, described the same trajectory from a different vantage point. “While we do not see ransom payments directly, broader industry data and our own customer experience point to a clear shift in behaviour,” he said. “According to Coveware by Veeam’s most recent quarterly Ransomware Report, the percentage of organisations paying a ransom has fallen to historic lows, with just around 23% of victims paying in Q3 2025, continuing a multiyear downward trend.”
What sits beneath those numbers, Migally explained, is a change in posture rather than a fall in attack volume. “Attacks have not slowed, but payments are increasingly seen as a last resort rather than an assumed outcome,” he said.
“Organisations are entering incidents with stronger recovery capabilities and clearer executive mandates around nonpayment, influenced by regulation, insurer expectations and the realisation that paying does not reliably prevent data exposure or repeat attacks.” The governing question itself has moved, he added: “Over the past 24 months, the conversation has shifted decisively from ‘can we pay’ to ‘can we recover fast enough not to,’ which is precisely what regulators and policymakers are now trying to accelerate through payment bans.”
Where bans are in force, the expected relief has not materialised
The jurisdictions that have already removed payment as a legal option offer the closest thing to a controlled experiment, and the early signal from inside them is not reassurance. “What we hear most consistently from customers in those jurisdictions is not relief. It’s a sharper version of the anxiety they already had,” ElOuazzani said. “The ban removes one option from the table, but it doesn’t remove the attacker. What shifts is where the pressure goes.”
Migally’s reading of those same jurisdictions tracks closely. “The number of attacks has not dropped significantly, but the nature of incidents has changed,” he said. “Attackers are more aggressive in applying pressure, while organisations are more disciplined in response and quicker to involve legal and regulatory stakeholders.”
The divide ElOuazzani drew was between organisations doing the real work and those merely hoping. The serious ones, she said, “are investing in recovery architecture, backup hygiene, and understanding what their infrastructure actually looks like from the outside. The ones who aren’t are simply hoping they won’t be tested.”
Her warning on what a ban does and does not deliver was unsparing: “Bans force a more honest conversation internally. That’s not a small thing. But honest conversations without operational follow-through don’t protect you. The calculus shifts. The preparedness often doesn’t.”
Attacker tactics are adapting to a market that refuses to pay
A ransomware economy under pressure does not dissolve; it mutates. “There is less reliance on encryption alone and more emphasis on data theft, reputational threat and accelerated timelines designed to force difficult decisions quickly,” Migally said. The business model is being defended through psychology as much as cryptography.
ElOuazzani placed the defensive answer earlier in the timeline than most organisations expect to find it. “The question underneath the pay-or-not-pay decision is always: how did they get in, and what else do they have access to that we haven’t found yet?” she said.
With 44% of data breaches now involving ransomware, she argued, a policy that exists only on paper becomes a danger in itself: “When 44% of data breaches now involve ransomware, that document becomes a liability, not a safeguard.”
The constraint most boards have failed to test, in her view, is recovery itself. “Refusing to pay means nothing if you cannot restore operations within a window that your business can survive,” she said. “That’s the constraint most boards haven’t stress-tested.”
Insurers and regulators have stopped asking what you own
The pressure reshaping enterprise security is arriving as much through underwriting as through legislation. Both leaders independently described a shift in what insurers and regulators now demand. “What I’m hearing from insurers and regulators right now isn’t really about products. It’s about proof,” ElOuazzani said.
“They want documentation. They want practised incident response plans, not theoretical ones. They want to see that someone has actually run the drill.” Migally compressed the identical requirement to a single word, telling The Source Code that what insurers and regulators want now is “evidence. Proof of resilience, process maturity and recovery outcomes.”
The more revealing change, in ElOuazzani’s account, lies in the question itself. “A few years ago, the insurer’s questionnaire asked what tools you had. Now it asks how you know what you have,” she said. “That’s a fundamentally different question, and most organisations aren’t ready for it.” She flagged a risk no underwriter is yet pricing, where mandated controls set a floor but tempt organisations toward the wrong goal.
“Organisations are starting to optimise for coverage renewal rather than actual resilience. Those are not the same thing,” she said. “Compliance becomes the goal, and real security gets deferred. That’s the risk no underwriter is pricing yet.” The reckoning both leaders describe was always coming. The bans have merely accelerated the arrival of a truth the data had already settled: payment was never a recovery strategy.