Tuesday, April 21, 2026

Ransomware Recovery Strategy: Why Paying Is No Longer the Default

Introduction

Ransomware has evolved from a disruptive security incident into a broader operational and financial risk. Organizations are no longer deciding only how to restore encrypted data. They are evaluating legal exposure, regulatory obligations, customer impact, and long-term resilience under significant time pressure.

At the same time, the economics of ransomware are shifting. Payment rates are declining, outcomes from paying are inconsistent, and attackers are adjusting their tactics in response. These changes are forcing organizations to rethink how they prepare for and respond to incidents.

A modern ransomware recovery strategy now depends less on negotiation and more on the ability to recover data and resume operations independently.

The Changing Economics of Ransomware

Over the past several years, ransomware has moved away from a predictable exchange model toward a more complex form of cyber extortion. Attackers no longer rely solely on encryption. Instead, they combine data exfiltration, operational disruption, and reputational pressure to increase leverage.

Recent data shows that payment rates have dropped to around 20% by late 2025, reflecting a steady decline over multiple years. At the same time, the average ransom payment has increased, driven by a smaller number of high-impact incidents rather than widespread compliance.

This divergence highlights a key shift. Organizations are increasingly capable of refusing payment, but when recovery options are limited, the financial stakes are significantly higher.

Why Paying a Ransom Delivers Limited Value

The assumption that paying a ransom resolves a ransomware incident does not hold up under closer examination. While payment may appear to offer a faster path to recovery, the actual outcomes are often uncertain and incomplete.

Data recovery remains unreliable

Decryption tools provided by attackers vary in quality and performance. Even when a key is delivered, the process of decrypting large datasets can take days and may introduce additional complications such as file corruption or compatibility issues. In some cases, data that was actively in use during encryption cannot be fully restored.

Data exposure is not mitigated

Payment does not eliminate the risk associated with stolen data. Attackers may retain copies, reuse information in future campaigns, or release portions of the data over time. As a result, organizations must still address regulatory requirements, legal exposure, and customer communication regardless of whether a ransom is paid.

Repeat targeting increases risk

Organizations that pay may be more likely to experience subsequent attacks. Payment signals that an organization is willing to negotiate, which can attract further attempts by the same or different threat actors.

These factors collectively reduce the strategic value of paying and reinforce the need for alternative recovery approaches.

Why Non-Payment Is Increasing

The decline in ransom payments is not accidental. It reflects a combination of improved defensive capabilities and a better understanding of ransomware outcomes.

Mature backup and recovery practices

Organizations have invested in backup strategies that are more reliable and better aligned with recovery objectives. Regular testing, improved retention policies, and the adoption of immutable storage have increased confidence in recovery without relying on attackers.

Stronger incident response capabilities

Security and IT teams now have more experience handling ransomware incidents. This includes isolating affected systems, identifying attack vectors, and coordinating cross-functional responses. As a result, organizations are less dependent on attackers to regain control.

External pressure from regulators and insurers

Regulatory frameworks and cyber insurance policies increasingly emphasize resilience and discourage unnecessary payments. Organizations are expected to demonstrate that they can recover data and maintain operations without defaulting to ransom negotiations.

Together, these factors are shifting the default response away from payment.

The Role of Data Exfiltration in Modern Attacks

Data exfiltration has become a standard component of ransomware campaigns. Attackers use the threat of data exposure to increase pressure on victims, particularly when encryption alone is not sufficient to force payment.

However, the effectiveness of this tactic is declining. Organizations are becoming more skeptical of attacker claims and more capable of verifying what data has actually been compromised. In many cases, attackers exaggerate the scope of exfiltration or present incomplete evidence.

Even when data is confirmed to be stolen, payment does not guarantee that it will be deleted or withheld from public release. This reduces the leverage associated with exfiltration and contributes to the broader decline in payment rates.

Backup Failures as the Primary Driver of Payment

Despite improvements in backup strategies, failures in backup execution remain a leading cause of ransom payments. In many incidents, organizations discover that their backups are incomplete, outdated, or unusable at the moment they are needed.

These failures often stem from gradual configuration drift rather than deliberate neglect. Backup policies may appear adequate on paper but fail under real-world conditions due to changes in infrastructure, data growth, or overlooked dependencies.

Attackers are increasingly targeting these weaknesses. Instead of attempting to delete backups outright, they modify configurations, reduce backup frequency, or allow clean copies to age out. By the time the attack is executed, recovery options are significantly limited.

This dynamic underscores the importance of treating backups as active components of security strategy rather than passive safeguards.
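
The tampering pattern described in this section (reduced backup frequency, shortened retention, clean copies aging out) can be caught by comparing each job's live settings and restore-point catalog against an approved baseline. The following Python check is an added example, not part of the original article; the field names, thresholds, and sample data are constructed assumptions and do not reflect any particular backup product's schema.

```python
from datetime import datetime, timedelta

def audit_job(baseline, current, restore_points, now, expiry_warn_days=3):
    """Compare one backup job against its approved baseline; return findings."""
    findings = []
    if current["interval_hours"] > baseline["interval_hours"]:
        findings.append("frequency_reduced")
    if current["retention_days"] < baseline["retention_days"]:
        findings.append("retention_shortened")
    if baseline["immutable"] and not current["immutable"]:
        findings.append("immutability_disabled")
    dropped = set(baseline["sources"]) - set(current["sources"])
    if dropped:
        findings.append("sources_dropped:" + ",".join(sorted(dropped)))

    # A job that quietly stopped producing copies shows up as a gap of more
    # than two approved intervals since the newest restore point.
    if restore_points:
        newest = max(rp["taken"] for rp in restore_points)
        if now - newest > timedelta(hours=2 * baseline["interval_hours"]):
            findings.append("backup_gap")

    # Clean copies aging out: the newest restore-tested copy is about to be
    # deleted under the retention setting currently in force.
    tested = [rp["taken"] for rp in restore_points if rp["restore_tested"]]
    if not tested:
        findings.append("no_restore_tested_copy")
    else:
        expires = max(tested) + timedelta(days=current["retention_days"])
        if expires - now <= timedelta(days=expiry_warn_days):
            findings.append("tested_copy_expiring")
    return findings

# Constructed sample data (hypothetical job, paths and timestamps).
NOW = datetime(2026, 1, 15, 12, 0)
BASELINE = {"interval_hours": 4, "retention_days": 30, "immutable": True,
            "sources": ["/data/erp", "/etc/erp"]}
DRIFTED = {"interval_hours": 24, "retention_days": 7, "immutable": False,
           "sources": ["/etc/erp"]}
POINTS = [
    {"taken": datetime(2026, 1, 9, 2, 0), "restore_tested": True},
    {"taken": datetime(2026, 1, 15, 10, 0), "restore_tested": False},
]

if __name__ == "__main__":
    print("baseline config:", audit_job(BASELINE, BASELINE, POINTS, NOW))
    print("drifted config: ", audit_job(BASELINE, DRIFTED, POINTS, NOW))
```

Running a check like this on a schedule from a system outside the backup platform's own admin plane keeps the baseline out of reach of anyone who has already altered the job settings.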

The Reality of Decryption and Recovery Timelines

One of the most persistent misconceptions in ransomware response is that paying for a decryption key leads to a rapid return to normal operations. In practice, the recovery process remains complex even after payment.

Industry data indicates that recovery using a decryption key can take approximately eight days on average, even with advanced tooling. This timeline does not account for additional delays caused by corrupted files, system dependencies, or incomplete data restoration.

Organizations must also verify that the attacker no longer has access to the environment and that restored systems are secure before resuming operations. These steps are necessary regardless of whether a ransom is paid.

As a result, payment does not eliminate downtime. It introduces an additional layer of complexity to the recovery process.

Decision-Making Under Pressure

Ransomware incidents create conditions where decisions must be made quickly with incomplete information. Attackers exploit this environment by presenting inflated claims, imposing deadlines, and applying external pressure through customers or partners.

This can lead to decisions that prioritize short-term relief over long-term outcomes.

A common challenge is the reliance on external benchmarks. High-profile incidents are often used as reference points, but these comparisons are rarely valid. Each ransomware attack differs in terms of systems affected, data sensitivity, and recovery capabilities.

Effective decision-making requires a clear understanding of internal conditions rather than assumptions based on external examples.

When Payment Becomes a Last Resort

In most cases where organizations choose to pay, the decision is driven by operational necessity rather than strategic preference. This typically occurs when critical systems are unavailable, recovery timelines are unacceptable, or external pressures are too significant to ignore.

These scenarios highlight a key principle. The decision to pay is often determined long before the attack occurs, based on the strength of backup systems, the effectiveness of recovery plans, and the organization’s ability to absorb disruption.

Reducing reliance on payment therefore requires investment in these areas well in advance.

Building a Ransomware Recovery Strategy

A resilient ransomware recovery strategy focuses on ensuring that data can be restored quickly, reliably, and independently of attackers.

Validate backup reliability

Backups must be tested regularly through full restoration exercises. This ensures that data can be recovered within acceptable timeframes and that all critical systems are included.

Secure backup infrastructure

Backup systems should be protected with the same level of security as production environments. This includes access controls, monitoring, and the use of immutable storage to prevent unauthorized changes.

Plan for delayed recovery

Recovery does not begin immediately after an attack. Organizations must first confirm that the threat has been removed and that backups are clean. This process can take several days and should be accounted for in recovery planning.

Conduct realistic testing

Scenario-based exercises help organizations identify gaps in their response plans and improve coordination across teams. These exercises should reflect real-world conditions rather than idealized scenarios.

Align recovery with business priorities

Recovery strategies should focus on restoring critical business functions first. This requires a clear understanding of dependencies and the potential impact of downtime on operations.

Conclusion

Ransomware is no longer a problem that can be solved through payment alone. The declining effectiveness of ransom payments, combined with the increasing sophistication of attacks, has shifted the focus toward resilience and recovery.

Organizations that are able to recover without paying share common characteristics. They test their assumptions, validate their backups, and prepare for the operational realities of an attack before it occurs.

In this environment, a well-defined ransomware recovery strategy is essential. It provides the foundation for maintaining control during an incident and ensures that recovery decisions are driven by capability rather than necessity.
