The Ransomware Dilemma

The decision on whether to pay up when cybercriminals hold data hostage is shaped by choices leaders made long before an attack.




An MIT SMR initiative exploring how technology is reshaping the practice of management.


The ransomware business is booming: In the United States alone, this form of cyberattack increased in frequency by 200% between 2019 and 2021. It’s an urgent threat, but too many leaders are caught flat-footed when it happens to them. Ransomware is malicious software that encrypts the data on an infected machine so that its owner can no longer access it, effectively paralyzing the computer system. The culprits behind the attack then demand payment in exchange for the decryption key needed to restore access to the affected files and systems. The tactic dates to the 1980s, but it became a prominent threat to businesses after 2010 with the rise of cryptocurrency, criminals’ preferred mode of payment.

It’s a threat riddled with uncertainties, which makes planning a response difficult. Many organizations just want to find the quickest way out, and that often means paying the ransom, even though the financial burden may be considerable and the outcome far from certain. In a recent study of 300 companies, 64% revealed that they had experienced a ransomware attack within the previous 12 months, and a staggering 83% of those paid the ransom. Yet only 8% of the organizations that paid up recovered all of their data, while 63% got only about half of it back.

Some organizations receive a demand for a second (and perhaps even higher) ransom, despite having paid the first one on time, but the worst-case scenario is when the victim pays but either never receives the decryption key or it doesn’t work as intended.1

Organizations that decide not to pay also bear costs in terms of business downtime and lost revenues. And organizations that are caught unprepared, without a reliable backup system or an incident response plan, end up suffering the most — not only financially but also reputationally.

If your organization is hit with a ransomware attack, your first step should be to notify law enforcement and, if applicable, relevant data protection authorities. But the options open to you after that depend on how well your organization is prepared to handle such attacks. This article aims to help top management teams decide what to do via six clarifying questions.



1. “What Happens When Victims Pay Ransomware Attackers?” Trend Micro, Dec. 10, 2018.

2. “Ransomware Guide,” PDF file (Washington, D.C.: Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, September 2020); and “Protecting Data From Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files,” PDF file (Gaithersburg, Maryland: National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, April 2020).

3. P. Hack and Z. Wu, “‘We Wait, Because We Know You.’ Inside the Ransomware Negotiation Economics,” NCC Group, Nov. 12, 2021.

4. Ö. Işik, T. Jelassi, and V. Keller-Birrer, “Five Lessons of Cybersecurity the Public Sector Can Offer,” European Business Review, forthcoming.


Comment (1)
david turner
The ransomware dilemma has become a growing concern among organizations in the digital age. When cybercriminals hold data hostage, organizations must decide if they should pay the ransom or not. This decision is shaped by the choices made by their leaders long before the attack. As organizations become increasingly reliant on technology, they must consider the security measures they have in place to mitigate potential cyberattacks. Organizations should prioritize the implementation of strong security controls to protect their information and limit the potential for a ransomware attack. Furthermore, organizations should consider their contingency plans in the event of a ransomware attack, including the decision of whether or not to pay the ransom.

Here is another great article I recently came across on the same topic: