To pay, or not to pay: 58% of CISOs say they would pay the ransom for their data

If you were hit by ransomware tomorrow, would you pay to get your data back? That’s what more than half of CISOs in a recent survey said their organization would do.

It’s a situation more companies are going to face in future. “Attacks are increasing and continuing to increase,” said Christy Wyatt, CEO of security vendor Absolute Software, which commissioned the survey. “Companies are better prepared to deal with them: Some of the training is paying off and AI is helping. But remember that attackers have all the tools that defenders have.”

In the survey of 750 CISOs in the US and UK, 58% said their organization would be willing to pay to end a ransomware incident.

This flies in the face of advice from the authorities in both countries. “It is the UK government’s long-standing position, alongside law enforcement partners, that it does not encourage, endorse nor condone the payment of ransom demands,” said a spokeswoman for the UK National Cyber Security Centre.

The FBI, too, warns not to give in to ransomware demands, noting that paying only encourages the perpetrators to attack others.

Another reason law enforcers advise enterprises not to pay is that there is no guarantee they will get their data back if they do.

Given the risks, and the disapproval of law enforcement, how many of those CISOs who say they are willing to pay would do so if it came to the crunch?

It’s hard to get firm statistics because of the perceived stigma, but the evidence suggests a significant number do so.

Among those companies hit by ransomware, 37% paid the ransom, according to an IDC survey last year, but IDC research director for security services David Clemente suspects the proportion is higher. “I’m sure that there are many more who have paid it but don’t want to be open about it,” he said.

That wasn’t the end of things for all who paid the ransom, though: about 5% of them found that “the decryption was incomplete,” according to IDC.

A late 2025 survey from insurance provider Hiscox found that only 60% of SMEs that paid a ransom successfully recovered all or part of their data as a result.

Absolute’s Wyatt warned, “You may get your data back, you may not.” And if you do get your data back, that doesn’t mean you’re the only one who has it: “We have heard instances of companies paying up and finding that their credentials are being shared,” she said.

So, does that mean enterprises shouldn’t pay the ransom?

IDC looked at that and found that companies that had planned for such attacks were able to hold out, but not without ill effects. “About 29% of companies were able to recover encrypted files from backup,” said Clemente. “However, 33% of companies that didn’t pay found that they could not recover anything.”

UK retailer M&S didn’t pay up when it was hit by ransomware in April 2025, disrupting internal logistics systems and forcing it to close its online store for months. It estimated the cost of the incident at $400 million in lost operating profit.

The ransomware payment dilemma remains an issue for CISOs, but the lesson M&S may point to is that, if a ransomware attack happens, your best bet may be to pay the ransom unless you have confidence in the quality and robustness of your backups, and in your ability to restore from them. Government and law enforcement may not like it, but they won’t be the ones facing the wrath of shareholders.