Should You Pay a Ransomware Ransom? The Honest Answer
When ransomware hits, the pressure to pay is enormous. Here's an honest look at what paying actually gets you, the legal considerations in South Africa, and the cases where it may be your only option.
The moment ransomware hits, the operational pressure to pay is intense. Your systems are down. Staff cannot work. Clients are calling. The attackers are offering a path back to normal operations for a specific price, on a countdown timer.
Under this pressure, many business owners pay — not because they have made a considered decision, but because payment feels like the fastest route out of the situation. Whether it actually is depends on factors most organisations have not thought through in advance.
This article gives you the honest assessment: what paying gets you, what it does not, the South African legal context, and the circumstances under which it may — or may not — be the right call.
What Paying Actually Gets You
When you pay a ransomware ransom, you are purchasing a decryption key from the criminal group that attacked you. In the best case, the key works, your files are decrypted, and your operations resume. In practice, several things can go wrong with this transaction.
Decryption is not guaranteed. Industry surveys of ransomware incidents consistently find that a substantial share of organisations that pay do not get all of their data back, and a smaller but significant share receive no working key at all. Some groups take the payment and provide nothing. Some provide a key that decrypts some systems but not others. Some provide a decryptor that works but is poorly written and corrupts a percentage of files, or fails entirely on large files and databases. You are dealing with criminals: there is no consumer protection, no contract enforcement, and no recourse.
Decryption is slow. Even when a key works, decrypting terabytes of data through the attacker's tool running on your own hardware takes time — often days. You are not operational the moment payment clears.
Payment does not remove the attacker from your environment. Paying the ransom does not guarantee that the ransomware has been removed, that the initial access point has been closed, or that the attacker has not left persistence mechanisms for a future attack. Many organisations that pay are attacked again within months — having demonstrated both willingness and financial capacity to pay.
Your data may have already been exfiltrated. Modern ransomware groups commonly exfiltrate data before encrypting it, using the threat of public release as additional leverage. Payment addresses the encryption — it does not address the exfiltrated data or the threat of its publication. Some groups accept payment for decryption and then separately extort payment for not releasing the stolen data.
The South African Legal Context
There is no law in South Africa that explicitly prohibits paying a ransomware ransom. However, several legal considerations bear on the decision.
POPIA breach notification. Regardless of whether you pay, a ransomware attack that results in unauthorised access to personal information triggers POPIA Section 22 notification obligations. Payment does not discharge this obligation. The Information Regulator must be notified as soon as reasonably possible, and affected data subjects must be informed. Organisations that pay and then attempt to keep the incident quiet — hoping that payment means the problem is resolved — face regulatory exposure when the notification obligation is later discovered to have been ignored.
Financial intelligence obligations. Cryptocurrency payments to criminal organisations may engage South Africa's Financial Intelligence Centre Act (FICA) and the associated anti-money laundering and reporting obligations, depending on the payment mechanism and amounts involved. Crypto asset service providers operating in South Africa are now accountable institutions under FICA, which means the exchange you use to buy and send the ransom has its own reporting duties and may decline the transaction. The SARB and the FIC have published guidance on crypto assets and virtual asset service providers that is relevant here. Take legal advice before making any crypto payment to a criminal group.
Cyber insurance policy conditions. Many cyber insurance policies require the insurer's prior consent before a ransom payment is made. Paying without notifying your insurer may void your coverage — not just for the ransom payment itself, but for the entire incident response cost. Read your policy and call your broker before authorising payment.
Sanctions exposure. International sanctions regimes (primarily US OFAC) prohibit payments to designated entities, and several ransomware operators and their affiliates are designated. OFAC has stated that it may impose penalties even where the payer did not know the recipient was sanctioned. South African organisations are not directly bound by US sanctions, but any US nexus in the payment chain (a US insurer, negotiator, crypto exchange or dollar-denominated settlement) brings that exposure home, and US-based intermediaries will refuse to facilitate a payment they cannot clear. Your legal counsel, working from the incident response firm's attribution of the attacker, should verify that the group is not a designated entity before any payment is made.
The Cases Where Payment May Be Considered
The general recommendation — do not pay — is sound as a default position. It funds criminal operations, provides no reliable guarantee of recovery, and does not address the underlying compromise. However, there are circumstances in which payment may be the least-bad option.
No viable backup exists. If your organisation has no working backup, or if the backup has been compromised by the attack, and the data encrypted is genuinely irreplaceable — customer records, years of project files, regulated data that cannot be reconstructed — payment may be the only path to any recovery. This is the scenario that proper backup is specifically designed to avoid.
The data has unique operational value. For some organisations — hospitals with patient records, engineering firms with proprietary designs, law firms with client matter files — the encrypted data has irreplaceable value that cannot be reconstructed from other sources and whose loss would have consequences beyond operational disruption.
The decryption key is the fastest path to accurate scoping. In some breach scenarios, the fastest way to scope the incident accurately for POPIA notification purposes is to decrypt and audit the affected systems, because the records needed to determine which personal information was accessed are themselves encrypted. Without decryption, scoping depends entirely on logs and forensic artefacts, which the attacker may have deleted, and the notification may have to assume the worst case.
If you find yourself in any of these circumstances, payment should be treated as a last resort, taken only after:
- exhausting backup recovery options, including partial restores from older or offline copies;
- confirming with a forensic or incident response firm that no alternative recovery is viable, including checking whether a public decryptor exists for the ransomware family involved;
- obtaining legal advice on the notification, FICA and sanctions obligations; and
- notifying your insurer and obtaining its consent.
The Decision Framework
Before the incident, the question to answer is: do we have a clean, tested backup that can restore our systems without paying? If yes, payment is never your best option. If no, you have a backup strategy problem that needs solving now — not when ransomware is running on your network.
During an incident, if payment is being considered:
- Do not pay immediately under pressure from the countdown timer. Attackers use artificial urgency to prevent considered decision-making.
- Engage a professional incident response firm. They can assess whether alternative recovery is viable, negotiate with the attacker if payment is ultimately decided, and preserve evidence for regulatory and insurance purposes.
- Notify your insurer before authorising payment.
- Take legal advice on notification obligations, sanctions exposure, and FICA considerations.
- Initiate the POPIA breach notification process regardless of the payment decision.
The strongest position to be in when ransomware hits is one where paying is not a question you need to answer — because you have a clean, immutable backup that makes it irrelevant. That is what genuine ransomware resilience looks like.