404 Network Ninjas

Cybersecurity

We Tested What Happens If You Don't Pay the Ransom

By Nick Cappello
We Tested What Happens If You Don't Pay the Ransom

People ask me sometimes, usually half-joking, whether we’d ever just tell a client to pay a ransom. So let’s actually talk about it honestly, because most of what gets said about ransomware online is either fear-mongering or a sales pitch, and I’d rather just tell you what’s true.

Here’s the honest answer: paying doesn’t reliably get your data back, and it definitely doesn’t get your afternoon back. You’re negotiating with criminals who have zero obligation to hold up their end, no customer service line, and no reason to care whether you ever recover. Sometimes the decryption key works. Sometimes it’s slow, broken, or partial. Sometimes you pay and simply never hear from them again. There’s no refund policy in ransomware.

The actual question that matters

The real question was never “should we pay the ransom.” It’s “why is this the position we’re in at all.” Because a business with a real backup strategy — one that’s actually tested, not just scheduled and forgotten — genuinely has the option to say no. They restore from yesterday, lose a day, and move on with their week. A business without one is stuck making a bet on criminals, because there’s no third option left.

That gap between those two businesses isn’t about budget as much as people assume. It’s about whether anyone ever actually tried restoring from the backup before the day they desperately needed it to work. I’ve seen businesses with a backup system running for years that had quietly stopped completing successfully six months earlier, and nobody noticed because nobody was watching, and nobody had tried using it.

What “actually tested” means

A backup you’ve never restored from isn’t a backup. It’s a hope. A real backup strategy means someone can tell you, right now, how long it would take to get your systems back up if everything disappeared tonight — and that number should be measured in hours, not “we’re not totally sure.”

Ransomware isn’t really an IT problem. It’s a business continuity problem wearing an IT costume. If your recovery plan is “hope it doesn’t happen to us,” that’s not a plan, that’s a wish. If you want an honest look at whether your business could actually recover from a bad Tuesday, that’s exactly the conversation we have with clients before anything goes wrong — because after it happens is a much worse time to find out the answer.