6 April 2026

Ransomware 2026: What Happens When Companies Pay – and What Happens When They Don’t

The executive team is in the crisis room, the servers are encrypted, operations have ground to a halt. The attackers are demanding USD 800,000. The IT director says the backups are three weeks old. And now the question that nobody wants to answer hangs in the air: Do we pay? The answer is more complex than a simple yes or no. But the data makes one thing clear: paying is almost never the right decision.

Key Takeaways

  • Willingness to pay ransomware demands has hit an all-time low: only 25 percent of victims paid in Q4 2024 (Coveware).
  • The average ransom payment dropped from USD 2 million in 2024 to around USD 592,000 by end of 2025 (Coveware Q4 2025).
  • 80 percent of ransomware victims in Germany are small and mid-sized businesses (BKA National Cybercrime Situation Report 2024).
  • Total damage from cyberattacks in Germany rose to EUR 266.6 billion in 2024, a 29 percent increase (Bitkom).
  • Companies that pay recover only around 60 percent of their data on average. Full restoration is the exception, not the rule.

Warning: Payment is no guarantee

Even if a company pays the ransom, there is no guarantee of full data recovery. According to the Sophos State of Ransomware 2025 report, companies that paid received only about 60 percent of their data back on average. The decryption tools provided by attackers are often faulty, slow, or incomplete. And paying signals a willingness to pay again, which increases the risk of a follow-up attack.

The Numbers Behind the Dilemma

The trend over the past two years is unambiguous: fewer and fewer companies are paying. According to quarterly reports from Coveware, a firm specializing in ransomware negotiations, the payment rate fell to an all-time low of 25 percent in Q4 2024. In 2025 it edged back up to 28 percent, but remains far below the 62.8 percent that paid as recently as 2023.

At the same time, average payment amounts are falling. While companies paid an average of USD 2 million in 2024, the average in Q4 2025 was USD 592,000. The median was USD 325,000. In Q3 2025 the average had even dropped to USD 377,000, a 66 percent decline quarter-over-quarter.

25% – of ransomware victims paid the ransom in Q4 2024, an all-time low that confirms the trend toward non-payment.

USD 813.55 million – total ransomware payments in 2024, a 35 percent decline from the record year 2023.

EUR 266.6 billion – total damage from cyberattacks in Germany in 2024, with a significant share attributable to ransomware and business interruption.

Sources: Coveware Q4 2024, Chainalysis Crypto Crime Report 2025, Bitkom Wirtschaftsschutz 2024

These numbers tell two stories at once. The good news: companies are learning not to pay. The bad news: total damages are rising anyway, because the costs of business interruption, recovery, and reputational harm far exceed the ransom demand itself. According to the IBM Cost of a Data Breach Report 2025, the average total cost of a ransomware incident was USD 5.13 million – regardless of whether the ransom was paid.

What Happens When Companies Pay

The idea that paying a ransom restores normal operations is the most dangerous illusion in ransomware defense. The reality looks very different.

First, data recovery is incomplete. Paying companies recover only around 60 percent of their data on average. The decryption tools attackers provide are often slow and unreliable. Some file types are not decrypted at all. Databases that were active during encryption are frequently corrupted and must be restored from backups regardless.

Second, payment marks the company as a repeat target. Ransomware groups share information about paying victims. Having paid once signals: there is money here to be had, and the security vulnerabilities likely still exist. Studies from multiple security vendors show that companies which have paid once face significantly higher odds of being attacked again.

Third, the ancillary costs are substantial. On top of the ransom payment come expenses for forensic investigation, legal counsel, crisis communications, notification of affected customers under GDPR, higher insurance premiums, and often months of lost productivity. These costs typically exceed the ransom amount by a factor of three to five.

Fourth, there are regulatory risks. Within the EU, paying a ransom to a ransomware group is not illegal in itself, but it can violate sanctions law if the recipients appear on sanctions lists. The Office of Foreign Assets Control (OFAC) in the United States and corresponding EU bodies maintain such lists. A company that unwittingly pays a sanctioned group exposes itself to criminal liability. The BSI and EU law enforcement authorities explicitly advise against payments. Companies subject to NIS2 must report incidents within 24 hours and risk additional regulatory scrutiny if they have paid.

Fifth, every payment funds the criminal ecosystem. Ransomware groups operate as professional businesses with developers, affiliates, and support staff. Revenue from ransom payments flows into the development of new attack tools, recruitment of new affiliates, and in some cases into the financing of state-sponsored operations. According to Chainalysis, total payments to ransomware groups in 2024 amounted to USD 813.55 million. Every individual payment strengthens that ecosystem.

What Happens When Companies Don’t Pay

Not paying is not a free pass. It means recovery takes longer and requires more operational effort. But the long-term outcomes are better.

The recovery process without payment takes a median of 14 to 30 days according to Sophos, depending on the complexity of the IT environment and the quality of available backups. During that time, emergency processes run in parallel: manual workflows replace digital ones, critical systems are prioritized for restoration, and forensic analysis identifies the attack vector. That is painful and costs revenue. But it fixes the actual problem rather than bridging its symptoms.

An often underestimated advantage of non-payment is the ability to conduct forensic analysis without time pressure. Companies that pay are under pressure to get decrypted systems back into production quickly, often without fully understanding the root cause. Companies that don’t pay and instead rebuild cleanly have the opportunity to fundamentally improve their security architecture. Many IT directors report in retrospect that the forced rebuild permanently strengthened their security posture.

Companies that don’t pay end up in a better long-term position because they are forced to actually close their security gaps. Payment bridges the pain but does not eliminate the cause. A company that pays and leaves the same vulnerability open will be attacked again. A company that doesn’t pay and closes the vulnerability has permanently raised its security level.

The key lies in preparation. Companies with tested backup strategies, a documented incident response plan, and a cyber insurance policy with incident response coverage are able to survive a ransomware incident without paying. The 36 percent who did not have to pay in 2025 typically already had these foundations in place.

German Mid-Market as Primary Target

In Germany, ransomware disproportionately hits mid-market businesses. According to the BKA National Cybercrime Situation Report 2024, 80 percent of all ransomware victims are small and mid-sized enterprises. The BSI recorded 950 reported ransomware attacks; because many SMEs do not report incidents in order to avoid reputational damage, the real attack count is likely considerably higher than official figures suggest.

The vulnerability has structural causes. SMEs on average meet only 56 percent of basic IT security requirements, while frequently overestimating their own level of protection. 83 percent of SMEs are struggling with a severe shortage of IT specialists. A dedicated security team capable of professionally managing a ransomware incident simply does not exist in most mid-market companies.

The BSI recommends the CyberRisiko-Check under DIN SPEC 27076 as an entry point for SMEs. This standardized assessment identifies the most critical gaps and costs a few thousand euros. Federal and state funding programs for IT security consulting in the mid-market are available as a complement.

The Other Side: When Payment Can Be Rational

There are scenarios where not paying poses an existential threat to the organization. A hospital with encrypted patient data and no current backups faces a fundamentally different calculation than a software company with redundant systems. A manufacturer losing six-figure revenue for every day of downtime calculates the break-even point differently.

In these extreme cases, payment can be the pragmatic decision – if three conditions are met: the backups are genuinely unusable, the business interruption causes greater damage than the ransom, and a professional negotiation specialist is engaged. The latter can reduce the demand by an average of 47 percent, according to Coveware.

But even then: payment must never happen without parallel incident response. The attack vector must be identified and closed. Otherwise, the next encryption event is only a matter of time.

Checklist: Ransomware Preparation for the Worst Case

Prevention

  • Implement a 3-2-1 backup strategy: 3 copies, 2 media types, 1 offsite copy, tested regularly
  • Implement network segmentation: separate production, office, and backup networks
  • Activate multi-factor authentication for all remote access and privileged accounts
  • Establish patch management with a maximum 72-hour window for critical vulnerabilities
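As an added illustration of the first checklist item (not code from the article), the following Python snippet scores a backup inventory against the 3-2-1 rule and flags copies that are stale or have never been restore-tested. The inventory records and the check thresholds are constructed; the "scenario" inventory mirrors the opening paragraph, where the only backups are three weeks old.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                      # e.g. "disk", "tape", "object-storage"
    offsite: bool                   # True if the copy is held off-premises
    last_backup: date               # when this copy was last refreshed
    last_restore_test: Optional[date]  # None if a restore has never been rehearsed


def check_321(copies: List[BackupCopy], today: date,
              max_age_days: int = 1, max_test_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the 3-2-1 rule holds
    and every copy is fresh and restore-tested within the allowed window."""
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(f"only {len(media_types)} media type(s) (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    for c in copies:
        age = (today - c.last_backup).days
        if age > max_age_days:
            findings.append(f"{c.name}: last backup {age} days old")
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: restore test older than {max_test_age_days} days")
    return findings


TODAY = date(2026, 4, 6)  # constructed reference date

# Constructed inventory matching the crisis-room scenario: one on-site disk
# copy, three weeks old, never restore-tested, and nothing offsite.
SCENARIO = [BackupCopy("nas-nightly", "disk", False, date(2026, 3, 16), None)]

# Constructed inventory that satisfies 3 copies / 2 media / 1 offsite.
COMPLIANT = [
    BackupCopy("nas-nightly", "disk", False, date(2026, 4, 5), date(2026, 3, 1)),
    BackupCopy("tape-weekly", "tape", False, date(2026, 4, 5), date(2026, 3, 1)),
    BackupCopy("cloud-immutable", "object-storage", True, date(2026, 4, 5), date(2026, 3, 1)),
]

if __name__ == "__main__":
    for label, inv in (("scenario", SCENARIO), ("compliant", COMPLIANT)):
        print(label, check_321(inv, TODAY) or ["OK"])
```

Running the check against the scenario inventory reports five findings, including the 21-day-old backup and the missing offsite copy.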

Preparation for the Worst Case

  • Document an incident response plan: who decides, who communicates, who leads the forensic investigation
  • Keep contact details for incident response providers and legal counsel available offline
  • Review and maintain cyber insurance with incident response coverage
  • Conduct a tabletop exercise at least once a year: run through a ransomware scenario

When It Happens

  • Isolate affected systems immediately – do not shut them down (preserve forensic data)
  • Notify BKA and BSI (observe mandatory reporting requirements under NIS2)
  • Engage a professional incident response provider
  • Do not communicate with the attackers independently

Conclusion: The Decision Is Made Before the Attack

The question of whether a company should pay in a ransomware attack cannot be answered in the crisis room. It is decided months earlier: by the quality of the backups, the existence of a documented and tested incident response plan, and whether anyone in the organization knows what to do when it happens.

The data is unambiguous: willingness to pay is declining, total costs are rising, and companies that are prepared consistently fare better. The BSI’s CyberRisiko-Check is a good starting point. An annual tabletop exercise running through a ransomware scenario costs one working day and can save millions in a real incident. Those who have done this groundwork will never have to seriously consider paying. Those who haven’t will pay a high price regardless – with or without a ransom.

Frequently Asked Questions

Should companies pay ransomware demands?

The BSI, BKA, and EU law enforcement authorities explicitly advise against paying. The data shows that paying companies recover only around 60 percent of their data on average and face elevated risk of follow-up attacks. In extreme exceptional cases – where backups are genuinely unusable and the business interruption poses an existential threat – payment via a professional negotiation specialist can be considered.

What is the average ransomware demand?

The average ransom payment in Q4 2025 was around USD 592,000 with a median of USD 325,000 (Coveware). Demands vary significantly by company size and industry. Professional negotiators can reduce demands by an average of 47 percent.

How long does recovery take without paying?

Recovery from backups takes a median of 14 to 30 days according to Sophos, depending on the complexity of the IT environment and the quality of the backups. During this time, emergency processes keep business operations running. Companies with tested backup strategies and a documented incident response plan significantly shorten this window.

What does a ransomware attack cost in total?

According to the IBM Cost of a Data Breach Report 2025, the average total cost of a ransomware incident is USD 5.13 million. This includes forensic investigation, legal counsel, crisis communications, GDPR notifications, productivity loss, and higher insurance premiums. These costs arise regardless of whether the ransom was paid.

Is paying ransomware illegal?

In the EU, paying a ransom to a ransomware group is not fundamentally illegal. However, it can violate sanctions law if the recipients appear on EU or US sanctions lists. Companies should conduct a sanctions compliance check before any payment. The BSI and law enforcement authorities advise against payments for criminal policy reasons, as they fund the attackers’ business model.

Image source: Pexels / Miguel A. Padrinan (px:3520692)

About the author: Alec Chizhik

A magazine by Evernine Media GmbH