Pay or not pay ransom in a ransomware attack? Experts agree: do not pay as a first response – it supports crime, does not guarantee the return of data, and can get you labeled a “payer.” The key is preparedness: incident response plans, solid backups, and sensible communication.
Pay the ransom? Why it’s smarter to say no
Among both governments and experts, a clear line prevails: do not pay the ransom. Slovakia subscribes to the principles of the Counter Ransomware Initiative, which points out that payment supports organized crime, with no guarantee of data return or deletion. Moreover, in some jurisdictions, sanctions may apply if the money ends up with sanctioned groups. From a game-theory perspective, trust in an attacker’s promises is weak – there is no certainty they won’t strike again.
Payment can open the door to repeated extortion or so-called multi-extortion, in which stolen data is also traded or leaked. Even though there are exceptional situations where the economic calculus tempts an organization to consider paying, the first step should be recovery on your own: restoring from backups, using decryption tools where they exist, and bringing in expert teams. It is important to resist panic – incidents are not best handled “on the fly,” but according to a prepared procedure with a team that can withstand pressure.
Who is attacking and how they choose their victims
The ransomware scene is a diverse ecosystem with specialized roles: from access brokers through groups that encrypt, all the way to “negotiators.” Many attacks are opportunistic – attackers will encrypt anyone with a vulnerability; it’s not always about “rich” targets or politics. Some gangs target large organizations, others bet on large numbers of small and medium-sized businesses, where the business model pays off in volume. The myth “we’re not interesting” therefore does not hold.
Preparedness is decisive: plan, people, and backups
Create an incident plan – even a “high-level” version with clear roles, 24/7 contacts, and regular table-top exercises will do. Make sure you know who declares an incident, who communicates, and whom to bring in (e.g., the database or network team). Do not blindly rely on vendors: responsibility for risk management remains with the organization, and supply chain attacks do happen. At the same time, have a team that can withstand the pressure to “just pay quickly” and makes decisions based on facts.
The technical foundation is resilient backups: separated from production, accessed with different accounts, and ideally non-rewritable (immutable). Attackers often disable or delete backups first and only then encrypt – so protect the backups themselves and regularly test restores, not just backup jobs. Keep crisis plans printed and physically available in case the digital infrastructure is not functioning. Transparent, factual communication usually reduces reputational damage; well-handled cases from abroad (e.g., open post-incident reports by large companies) show that honesty and swift measures pay off.
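As an added illustration (not code from the original article), a small Python check that embodies two of the points above: a backup job that an intruder has quietly disabled shows up as a stale last-success timestamp, and a test restore is compared file by file against the manifest recorded at backup time. The directory layout, file contents and timestamps are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256; recorded when the backup is written."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a test restore against the manifest; an empty list means the restore is usable."""
    current = build_manifest(restored)
    problems = [f"missing: {rel}" for rel in manifest if rel not in current]
    problems += [f"modified: {rel}" for rel, d in manifest.items() if current.get(rel, d) != d]
    problems += [f"unexpected: {rel}" for rel in current if rel not in manifest]
    return sorted(problems)


def backup_is_stale(last_success_iso: str, now_iso: str, max_age_hours: float) -> bool:
    """A job that silently stopped (for example after an intruder disabled it) shows up as a stale timestamp."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_success_iso)
    return age > timedelta(hours=max_age_hours)


def demo() -> tuple:
    """Constructed scenario: a clean restore, then a restore with one file changed, one missing, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "production")
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);\n")
        (prod / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(prod)          # taken at backup time
        clean = Path(tmp, "restore_clean")
        shutil.copytree(prod, clean)
        clean_problems = verify_restore(manifest, clean)
        bad = Path(tmp, "restore_bad")
        shutil.copytree(prod, bad)
        (bad / "config.ini").write_text("[app]\nmode=test\n")  # altered after backup
        (bad / "db" / "orders.sql").unlink()                   # missing from restore
        (bad / "README.txt").write_text("stray file\n")        # not in the manifest
        return clean_problems, verify_restore(manifest, bad)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be stored with the immutable backup copy, and the staleness check would read the last-success time from the backup system's own logs.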