Ransom Demands
Last Updated: July 30th, 2025 | 9 min read | Categories: Cybersecurity, Privacy, Ransomware


Cybersecurity analysts have noticed something surprising: ransomware attacks are happening more often, but fewer victims are choosing to pay the attackers’ ransom demands.

Verizon’s latest Data Breach Investigations Report (DBIR), which analyzed over 12,000 confirmed breaches across 139 countries, finds that ransomware was present in 44% of them, a 37% increase over the previous year’s share. At the same time, the median ransom payment has fallen sharply (to about $115,000), and a growing majority of victims are refusing to pay at all.

Verizon notes that 64% of ransomware victims did not pay, up from 50% two years earlier. Likewise, blockchain analysts report that total ransom payments fell by roughly 35% in 2024 compared with 2023. In plain terms, the volume of attacks is up, but the amount of money reaching criminals is down.

These trends stem from a mix of defensive improvements and shifting attitudes. Companies now more often hold usable backups and tested incident-response plans, so they can rebuild systems without funding attackers. Insurers and government advisories also play a role: regulators worldwide, notably in the EU, discourage paying ransoms, arguing that it perpetuates the threat and does not guarantee data recovery.

In practice, increased law-enforcement crackdowns (for example on notorious gangs like LockBit) have disrupted the ransomware business model, and many organizations simply conclude that they won’t deal with cybercriminals, focusing instead on recovery and resilience.

Why Victims Are Saying No


Security leaders and incident responders point to several reasons more companies are hardening their stance against ransom payments. First, improved preparedness: many firms now invest in off-site or immutable backups (copies the attacker cannot encrypt or delete), network segmentation, and cyber insurance. The caveat practitioners stress is that backups only count if restores have actually been tested and the copies sit outside the compromised environment; where that holds, encrypted data can be rebuilt from clean copies, there is little incentive to negotiate, and paying becomes a last resort.

Second, pressure from authorities and insurers: international law enforcement has been hunting major ransomware groups, seizing their infrastructure and cryptocurrency wallets. Such operations reportedly cut some gangs’ income by nearly 80% in 2024. At the same time, ransomware clauses in cyber insurance contracts and new regulations (for example, bans on ransom payments by public-sector bodies) are nudging organizations away from payouts. Many boards now view paying as a reputational and ethical risk, and governments have made clear that paying fuels the problem and offers no guarantee of success.

Finally, a practical reason: distrust of the criminals themselves. High-profile cases (such as the BlackCat gang leaking a healthcare provider’s data even after payment) remind victims that attackers do not always keep their word. With that in mind, many victims choose to accept operational pain and the loss of some data rather than reward the attacker.

How Attackers Are Adapting

Faced with falling profits and stiffer defenses, ransomware operators are not standing still. Cybersecurity analysts warn that criminals are evolving their tactics. Some of the old giants (LockBit, BlackCat/ALPHV) have been dismantled or gone bust, leaving a fragmented underworld of smaller ransomware-as-a-service outfits. These newer groups tend to target mid-sized companies with smaller demands. As one analyst puts it, many attackers are “focus[ing] efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands”. By aiming at less well-protected companies, criminals hope a larger share of victims will still pay.

Other adaptations are emerging. Double extortion (encrypting systems and also threatening to publish stolen data) and triple extortion (adding pressure on the victim’s customers or partners) are now commonplace. Criminals are also experimenting with rebranded strains and new tooling, including AI to speed up network intrusions or to run negotiation fraud. Law-enforcement successes have pushed some operators into exit scams, vanishing with payments (as allegedly happened with BlackCat), or into holding cryptocurrency in personal wallets and moving it through cross-chain bridges to evade seizure.

All these shifts point to a cat-and-mouse dynamic: as victims invest in defenses, attackers pivot. The overall volume of breaches may stay high, but the payoff per attack is dropping. The good news is that most victims now refuse to pay; the bad news is that refusing often means a longer recovery and some permanent data loss.

The Pay-or-No-Pay Dilemma – Ethics and Strategy

Whether to pay a ransom is both a strategic and an ethical question, and organizations around the world answer it differently. Some feel compelled to pay when critical systems are down or sensitive data is at stake; others regard payment as negotiating with criminals, and note that a payment to a sanctioned actor can itself expose the payer to sanctions liability. Cyber insurance contracts may require engagement with authorities and insist on permissible handling of any payment. U.S., European and international policy discourages ransom payments on the grounds that they strengthen attackers’ business models.

In practice, policies vary. A survey of U.S. CISOs found that many favored paying to restore operations, but recent high-profile refusals (or failed negotiations) in both the public and private sectors have shifted sentiment. In some regions, regulators have floated outright bans on payments by government agencies, which influences corporate attitudes as well. On the other hand, executives worried about their customers or employees may still believe that paying, if it quickly ends a breach, is the responsible choice to protect people’s data and jobs.

There is a clear stigma either way: organizations that pay can face public criticism for giving in to cybercriminals, while those that refuse can face pressure from stakeholders demanding a quick fix.

Paying Up: Do Victims Get What They Want?

Even when a company does decide to pay, success is far from guaranteed. One ransomware trends report found that 81% of victims paid the ransom, but only about two-thirds of those recovered their data. The rest never received a working decryptor or their data back, which raises real questions about the value of paying. Cases of attackers vanishing with the money or leaking the data anyway are common, which only adds to victims’ reluctance.

This means the calculus often comes down to more than “will my data be safe?”; companies also weigh trust and negotiation practice. Some now retain specialist ransomware negotiators or legal counsel to deal with attackers and improve the odds. Others report that paying yields only partial keys, that the supplied decryptor is slow or unreliable, or that attackers demand second or third payments. Ultimately, the data suggests paying is no panacea: organizations that pay often still face exorbitant total costs (downtime, recovery, legal fines) even when they regain access.

Employees, Customers, and Confidence

The choices around ransom payment also affect people. Employees who lose access to email, systems or customer data overnight can experience confusion, fear, and frustration. They may wonder why IT did not keep better backups, or why the company is handing money to criminals. Similarly, customers and partners whose personal data is at risk are likely to question whether the breach was avoidable, whether the company responded properly, and whether the root problem is being fixed. Some customers may demand compensation or pursue legal action if they feel their data was endangered.

Many in the industry believe that being seen not to pay is itself a form of assurance: it signals to all stakeholders that the organization is fighting crime, not funding it. Others counter that transparency is what matters: if paying is the fastest way to restore services (for example in hospitals or other life-and-death settings), then doing so can be framed as acting in the public interest. There is no easy answer, but the trend is clearly global. From North America to Europe to Asia, companies report similar tensions. In some regions, cultural factors or regulatory frameworks tilt one way or the other, but the data show a consistent fact: the era when most victims quietly paid up is fading.

Looking Ahead with BlackFog

As ransomware continues to develop, one thing is certain: the financial calculus has changed. The return on investment for cybercriminals is shrinking, and their tactics must adapt. For people who work in cybersecurity, the focus is shifting to resilience and attribution: making it as hard as possible for attackers to profit at all. For now, the global shift away from ransom payments is seen as a net positive.

Whether this will break the ransomware business model or simply transform it is still unfolding. What is clear is that organizations now have more incentive than ever to build defenses and recovery plans that never involve paying the attacker – both to protect their people and to undermine the criminals’ bottom line.

Discover how BlackFog can help your organization stay ahead of threats at BlackFog.com.
