The ransomware decision is not technical. It is strategic, financial, and legal — made by the CEO and counsel, with the CFO and cyber insurer in the room, informed by the IR team. The question should never be "should we pay?" first. It should be "are we permitted to pay, and if we are, is paying the best option?"

Here is the framework I use.

1. Check OFAC First, Before Anything Else

The US Treasury Department's Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals (SDN) list. A payment — directly or indirectly — to a sanctioned person or entity can be a federal crime even if the victim is unaware of the sanction.

Sanctioned ransomware actors and variants include historical designations around Evil Corp (Maksim Yakubets), Conti operators, and various DPRK-linked groups. OFAC's 2020 and 2021 advisories made it clear that "we didn't know" is not a defense — strict liability applies in many cases.

  • OFAC SDN search: sanctionssearch.ofac.treas.gov
  • OFAC ransomware advisories: search "OFAC ransomware advisory" at home.treasury.gov
  • License application: if there are compelling circumstances, OFAC may issue a specific license. This is a legal process your counsel runs, not a form you fill out alone.

Your ransomware negotiation vendor (Coveware, GroupSense, Kivu, etc.) does OFAC due diligence as standard practice, but responsibility sits with the victim. If the actor cannot be cleanly cleared, payment is off the table.

2. Is a Free Decryptor Available?

Before paying, check No More Ransom: nomoreransom.org. It is a joint project of Europol, law enforcement, and security vendors and hosts decryptors for dozens of ransomware families. Periodically law enforcement seizes a group's infrastructure and publishes keys — LockBit, Hive, BlackMatter, and others have seen this happen in recent years.

Also check:

  • ID Ransomware (id-ransomware.malwarehunterteam.com) to identify the family from a sample file.
  • Your IR firm's internal decryptor library — the major firms keep inventories that are not public.
  • The FBI — occasionally they have keys they can share under specific conditions.

If a working decryptor exists, paying is almost never the right call.

3. What Does Your Insurance Say?

Cyber insurance has tightened aggressively since 2021. Most policies now:

  • Require approval from the carrier before any ransom discussion.
  • Require use of an approved negotiation vendor.
  • Sub-limit extortion coverage separately from the main policy (often $1-5M against a much larger aggregate).
  • Exclude OFAC-prohibited payments entirely.

The carrier's position often drives the economic answer. If they cover only a fraction of the demand and require full cooperation on other remediation costs, paying may shift money that is better spent on reconstitution and notification.

4. The Reconstitution Economics

Honest math:

  • What is the ransom demand?
  • What is the projected cost and time to rebuild from backups?
  • What is the business cost per day of downtime?
  • What is the incremental cost for data you cannot recover (legal exposure, customer churn, regulatory)?

Three outcomes:

  1. Backups clean, downtime manageable. Do not pay. Rebuild.
  2. Backups compromised, business-critical data gone. Payment becomes a defensive option, subject to OFAC and insurance.
  3. Data extortion only (no encryption). Payment almost never buys certainty that the data is deleted. The industry data here is bleak.

5. "We Paid and Still Got Leaked"

This is the uncomfortable reality. Coveware and other trackers publish annual figures showing that post-payment data leaks happen in a meaningful minority of cases, roughly 15-30% in recent years. Some actors honor the deal. Some double-extort. Some groups disband, spin up a new brand, and leak the data from the last brand to punish former victims.

Specifically for data-theft-only cases, payment buys:

  • A promise to delete.
  • A claim that no backup copies exist.
  • A possibly doctored proof-of-deletion video.

None of that is independently verifiable. Treat exfiltrated data as public regardless of what you pay.
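As an added illustration (not part of the original article), here is the decision framework from sections 1 through 5 written as a small model: the OFAC, free-decryptor and exfil-only gates come first, then the rebuild cost is compared with the expected out-of-pocket cost of paying. All amounts are in USD, the decryptor-success probability is an assumed input, and because exfiltrated data is treated as public either way, the leak exposure cost is charged to both branches.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Incident:
    ransom_demand: float
    encrypted: bool                 # False = data-theft-only extortion, nothing to decrypt
    rebuild_cost: float             # projected cost to reconstitute from backups
    rebuild_days: float             # projected days of downtime if rebuilding
    pay_days: float                 # projected downtime if paying (key delivery, decrypt, restore)
    downtime_cost_per_day: float
    unrecoverable_data_cost: float  # legal/regulatory/churn exposure for data not in backups
    leak_exposure_cost: float       # notification cost; charged in BOTH branches (data is public)
    ofac_cleared: bool              # counsel cleared the actor against the SDN list
    free_decryptor: bool            # No More Ransom / IR firm / FBI decryptor works
    insurer_approved: bool          # carrier approved before any negotiation
    extortion_sublimit: float       # max the policy reimburses on the ransom itself
    decryptor_works_prob: float     # assumed chance the purchased decryptor restores data

def rebuild_total(i: Incident) -> float:
    return (i.rebuild_cost + i.rebuild_days * i.downtime_cost_per_day
            + i.unrecoverable_data_cost + i.leak_exposure_cost)

def pay_expected(i: Incident) -> float:
    reimbursed = min(i.extortion_sublimit, i.ransom_demand) if i.insurer_approved else 0.0
    # If the purchased decryptor fails, the rebuild path is incurred on top of the ransom.
    fallback = (1.0 - i.decryptor_works_prob) * (
        i.rebuild_cost + i.rebuild_days * i.downtime_cost_per_day + i.unrecoverable_data_cost)
    return (i.ransom_demand - reimbursed + i.pay_days * i.downtime_cost_per_day
            + fallback + i.leak_exposure_cost)

def decide(i: Incident) -> Tuple[str, str]:
    """Hard gates first (legal, free decryptor, exfil-only), then the economics."""
    if not i.ofac_cleared:
        return "do_not_pay", "OFAC: actor not cleared, payment is not permitted"
    if i.free_decryptor:
        return "do_not_pay", "working free decryptor available"
    if not i.encrypted:
        return "do_not_pay", "exfiltration only: deletion is unverifiable, treat data as public"
    r, p = rebuild_total(i), pay_expected(i)
    if r <= p:
        return "rebuild", f"rebuild {r:,.0f} <= expected pay cost {p:,.0f}"
    return "payment_is_option", f"expected pay cost {p:,.0f} < rebuild {r:,.0f}; needs counsel and carrier sign-off"

# Constructed scenarios: clean backups with a 10-day rebuild, and backups destroyed with a 45-day rebuild.
CLEAN_BACKUPS = Incident(2_000_000, True, 300_000, 10, 7, 50_000, 0, 400_000,
                         True, False, True, 1_000_000, 0.9)
BACKUPS_GONE = Incident(2_000_000, True, 2_500_000, 45, 7, 200_000, 3_000_000, 400_000,
                        True, False, True, 1_000_000, 0.9)
```

Flip `ofac_cleared` to False on either scenario and the economics are never reached, which is the ordering the article insists on.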

When Payment Might Be the Right Call

I have seen payment be the least-bad option in these specific situations:

  • A healthcare environment where patient safety depends on system availability and reconstitution cannot happen in time.
  • A manufacturer where downtime costs exceed the ransom by an order of magnitude per week and backups are gone.
  • A situation where legal counsel and insurance have cleared OFAC, approved the payment, and the actor has a reasonable track record.

None of these are "we can't be bothered to restore." Payment is a last resort, not a first option.

Always Do These, Payment or Not

  • File with the FBI IC3 (ic3.gov) and call your local FBI field office.
  • Notify your cyber insurer within the policy window.
  • Preserve all forensic evidence before any remediation.
  • Identify the actor and likely sanctions exposure.
  • Plan the notification strategy assuming stolen data will be public, regardless of what the negotiator says.
  • Work toward a root-cause fix before restoring services. Restoring without patching the initial access vector is how you get ransomed a second time.

The ransomware decision is an executive decision made on incomplete information in hostile conditions. Slow it down. Get legal and insurance in the room. Assume the worst-case disclosure outcome regardless. And if you pay, pay because the math and the law say to — never because it "feels faster."