
Ransomware Payments Must Be Outlawed

May 11, 2026

Zoomed in map of confirmed ransomware attacks in Europe

Originally published July 28, 2025.

Update history: May 10, 2026: Updated ransomware payment statistics with 2024 and 2025 figures from Chainalysis, Coveware, and Sophos; added UK ban confirmation (July 2025) and private-sector payment prevention requirement; added Tennessee to state-level legislation; added FAQ section.

Negotiating with Terrorists

For decades, the United States and its allies have maintained a firm policy against negotiating with terrorists. This stance reflects a pragmatic understanding that when you pay a ransom, you incentivize more kidnappings and fund the next operation. Yet when it comes to cybercrime, businesses and even governments routinely violate this principle, transferring billions annually to criminal enterprises.

This policy inconsistency is beginning to change as jurisdictions recognize the collective danger of continuing to pay ransoms. The UK's confirmation of a public-sector payment ban represents the most high-profile move in this direction, but it's not alone.

North Carolina blazed this trail in 2021, becoming the first U.S. state to prohibit public ransomware payments. Florida followed with similar legislation in 2022, and Tennessee has since passed its own public-sector restrictions. Several other states, including New York, Pennsylvania, and Texas, have considered ransomware payment bans but haven't yet enacted them.

At the global level, an alliance of 48 countries has pledged not to pay ransoms, though most lack binding legislation to enforce this commitment. These pioneering efforts demonstrate growing recognition that the only sustainable solution is cutting off the financial incentives driving the ransomware epidemic.

Economic Reality of Ransomware

The numbers tell a paradoxical story. According to Chainalysis's 2026 Crypto Crime Report, total ransomware payments fell for a second consecutive year in 2025, coming in at roughly $820 million, down about 8% from 2024. The share of victims who chose to pay dropped to an all-time low of 28%. By that measure, the pressure being applied by law enforcement, payment bans, and improved resilience is working.

But the rest of the picture isn't encouraging. Claimed ransomware attacks surged 50% in 2025, the most active year on record. More than 8,000 businesses were publicly named on leak sites. The median ransom demand jumped from roughly $12,700 in 2024 to nearly $60,000 in 2025. A cyberattack on Jaguar Land Rover in late 2025 alone caused an estimated $2.5 billion in damage. Attackers are hitting more targets, demanding more per victim, and making up in volume what they're losing in payment rates.

When factoring in downtime, recovery, reputational damage, and lost business beyond the ransom itself, total ransomware-related costs are projected to reach $265 billion annually by 2031, according to Cybersecurity Ventures.

This isn't just a cybersecurity problem. It's an existential economic threat.

Why Companies Continue to Pay

Despite the risks, businesses continue to pay ransoms for understandable reasons. When critical systems are encrypted, paying often seems like the fastest path to recovery. Many cyber insurance policies cover ransom payments, creating a moral hazard. Companies worry about reputational damage from admitting to a breach. And inadequate backups leave few alternatives when systems go down.

Yet data shows paying doesn't guarantee results. According to Sophos's State of Ransomware 2024 report, 84% of victims who paid a ransom failed to fully recover their data. Halcyon's research found that nearly 80% of companies that paid were hit a second time. The practice not only funds criminal operations but frequently fails to solve the immediate problem it's intended to address.

Different studies report varying results, but nearly all show paying ransoms is far from a reliable path to recovery. This evidence strengthens the argument for global bans on ransomware payments, as the payments sustain the criminal ecosystem while offering no reliable guarantee of restoration.

Case for Global Ban

The argument for banning ransomware payments is compelling. Every dollar paid to ransomware operations directly finances their expansion. Cutting off this revenue stream disrupts the entire criminal business model. When attacks become unprofitable, their frequency naturally decreases. FBI operations that have disrupted payment mechanisms have shown measurable decreases in attack volumes.

Companies facing a no-payment reality would also be forced to invest seriously in prevention, detection, and recovery rather than treating ransoms as an expensive but viable fallback. The continued decline in payment rates through 2025 already shows this effect. More victims are restoring from backups rather than paying, and the record low payment rate of 28% in 2025 is evidence the strategy is shifting behavior.

There's also an equity argument. Ransomware groups target sectors with the most to lose and the least resilience, including hospitals, schools, and local governments. A ban removes the financial incentive to attack the institutions communities depend on most.

Implementing an Effective Ban

Phased Approach

A complete ban overnight would be disastrous for unprepared businesses. A more practical approach would start with bans for public sector entities, extend to critical infrastructure and regulated industries, provide a transition period for private businesses, and offer exemptions only in cases of imminent threat to life. This is roughly the model the UK has adopted, which includes a firm ban for public sector and critical national infrastructure operators, paired with a "payment prevention" regime for private companies that requires notifying authorities before any payment is made.

Governments implementing payment bans must also provide support. Expanded incident response capabilities, recovery assistance for affected companies, improved threat intelligence sharing, and tax incentives for security investments are all part of making a ban workable in practice rather than just in policy.

International Coordination

For maximum effectiveness, payment bans must be coordinated internationally. The 48 countries that have pledged not to pay ransoms represent a strong foundation, but binding legislation is needed to create real change. A patchwork of bans creates arbitrage opportunities for attackers who simply shift focus to jurisdictions with fewer restrictions.

Way Forward

The shift to a world where ransomware payments are prohibited won't be easy. There will undoubtedly be painful transitions as businesses adapt. Some firms may face serious consequences after attacks if they haven't prepared adequately.

But consider the alternative. Continuing to feed a criminal ecosystem that grows more sophisticated and damaging with each payment is unsustainable, with ransomware costs projected to increase dramatically over the next several years.

As the UK, North Carolina, Florida, and Tennessee have recognized, stopping the flow of money is the only viable long-term solution. Payment rates have now fallen to a record low of 28%, and total ransomware revenue has declined two years running. The strategy is beginning to work. Companies should begin preparing now for what is increasingly looking like an inevitable global shift away from ransomware payments.

The question is no longer whether payment bans will become widespread, but when. And whether your company will be ready when they do.

Is Your Business Ready for a No-Payment Future?

The best time to build ransomware resilience is before an attack, not during one. That means tested backups, a documented incident response plan, and the right security controls in place so paying a ransom is never your only option. STACK Cybersecurity works with businesses across Michigan and beyond to assess risk, close gaps, and build the kind of layered defense that holds up when attackers come knocking.

Schedule a risk assessment and find out where your business stands before legislation forces the issue.

Frequently Asked Questions

Is paying a ransom illegal?

For most private businesses in the U.S., paying a ransom isn't illegal in itself today. It can, however, violate federal sanctions law if the recipient (the ransomware group, an affiliate, or the wallet address it uses) appears on the Treasury Department's OFAC sanctions list, and OFAC has said it may impose civil penalties on a strict-liability basis, meaning not knowing the recipient was sanctioned is no defense. North Carolina, Florida, and Tennessee prohibit public sector entities from paying. The UK has confirmed a ban for public sector and critical national infrastructure operators, with mandatory notification requirements for private companies. That regulatory landscape is expanding, and what's permitted today may not be tomorrow.
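Screening the destination wallet against OFAC's SDN list is the concrete check behind the sanctions caveat above. What follows is an added example, not code from STACK Cybersecurity or the original post. It assumes the layout of OFAC's published sdn.csv (twelve columns, with digital-currency addresses carried in the final "Remarks" column as "Digital Currency Address - XBT <address>;"), and the rows it parses are constructed for illustration rather than real SDN data.

```python
"""Screen candidate payment addresses against an OFAC SDN-style list.

Added example. Assumptions (not from the original post):
- sdn.csv layout: 12 unquoted-header columns, the 12th ("Remarks") holding
  entries such as "Digital Currency Address - XBT <addr>;".
- The rows in SAMPLE_SDN_CSV are CONSTRUCTED; the entity numbers, names and
  addresses are fictional and do not correspond to real designations.
"""
import csv
import io
import re

# Constructed sample in sdn.csv layout. Field order assumed:
# ent_num, SDN_Name, SDN_Type, Program, Title, Call_Sign, Vess_type,
# Tonnage, GRT, Vess_flag, Vess_owner, Remarks   ("-0- " marks an empty field)
SAMPLE_SDN_CSV = (
    '"10001","FICTIONAL OPERATOR ONE","individual","CYBER2","-0- ","-0- ",'
    '"-0- ","-0- ","-0- ","-0- ","-0- ",'
    '"DOB 01 Jan 1990; Digital Currency Address - XBT '
    '1FictionalBtcAddrAAAAAAAAAAAAAAAAA; Digital Currency Address - ETH '
    '0xAbCdEf0123456789aBcDeF0123456789AbCdEf01;"\n'
    '"10002","FICTIONAL MIXER TWO","Entity","CYBER2","-0- ","-0- ",'
    '"-0- ","-0- ","-0- ","-0- ","-0- ",'
    '"Digital Currency Address - XBT bc1qfictionalbech32addressbbbbbbbbbbbbbb; '
    'Website example.invalid;"\n'
    '"10003","FICTIONAL VESSEL THREE","vessel","SDGT","-0- ","-0- ","Tanker",'
    '"-0- ","-0- ","Panama","-0- ","-0- "\n'
)

# One remark may carry several addresses separated by semicolons.
ADDRESS_RE = re.compile(
    r"Digital Currency Address - (?P<asset>[A-Z0-9]+) (?P<addr>[A-Za-z0-9]+)"
)


def normalize(addr: str) -> str:
    """Canonical form for comparison.

    Ethereum hex addresses (0x...) and Bitcoin bech32 addresses (bc1...) are
    case-insensitive, so they are lowercased; base58 addresses are case-sensitive
    and left untouched.
    """
    if addr.startswith("0x") or addr.lower().startswith("bc1"):
        return addr.lower()
    return addr


def load_sanctioned_addresses(csv_text: str) -> dict:
    """Build {normalized_address: (asset, ent_num, sdn_name)} from sdn.csv text."""
    index = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 12:          # skip malformed / short rows
            continue
        ent_num, name, remarks = row[0], row[1], row[11]
        for m in ADDRESS_RE.finditer(remarks):
            index[normalize(m.group("addr"))] = (m.group("asset"), ent_num, name)
    return index


def screen_payment(addresses, index: dict) -> list:
    """Return (given_address, asset, ent_num, sdn_name) for every hit.

    An empty result means 'no match in this list', which is NOT the same as
    'cleared': OFAC liability is strict and attackers rotate wallets.
    """
    hits = []
    for addr in addresses:
        match = index.get(normalize(addr))
        if match:
            hits.append((addr,) + match)
    return hits


if __name__ == "__main__":
    idx = load_sanctioned_addresses(SAMPLE_SDN_CSV)
    demand = ["0xabcdef0123456789abcdef0123456789abcdef01", "1NotOnTheListXYZ"]
    for hit in screen_payment(demand, idx):
        print("BLOCK: %s is listed as %s address of SDN #%s (%s)" % hit)
```

The ETH address in the demand is written in different case from the listed one and still matches because of the normalization step; a naive string comparison would miss it. The inverse mistake matters more: treating "no hit" as permission. OFAC's ransomware advisories describe penalties as strict liability, fresh wallets appear faster than the list is updated, and many listed actors have no wallet address on the list at all, so this check blocks known-bad destinations and documents diligence; it does not make a payment lawful.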

Will my cyber insurance still cover a ransom payment?

It depends on your policy and who you're paying. Many cyber insurance policies cover ransom payments, but coverage isn't guaranteed. Insurers won't reimburse payments made to sanctioned entities, and some policies have begun excluding or capping ransom coverage as underwriting requirements tighten. As payment bans expand, insurers are likely to adjust further. Review your policy language carefully and consult your broker before assuming you're covered.

What should our business do instead of paying a ransom?

The most effective alternative is building the resilience to recover without paying. That means maintaining tested, offline (or otherwise immutable) backups, documenting and practicing an incident response plan, and deploying layered security controls that reduce the likelihood of a successful attack. Companies that invest in these capabilities before an attack are far more likely to restore operations quickly and avoid the ransom decision entirely. Reporting the incident to the FBI's Internet Crime Complaint Center (IC3) is also strongly recommended.

Does the UK ransomware payment ban affect U.S. businesses?

Not directly, but it signals where global policy is heading. The UK ban covers public sector entities and critical national infrastructure operators, and requires private companies to notify authorities before making any ransom payment. U.S. businesses operating in the UK or with UK clients should be aware of these requirements. More broadly, the move adds momentum to international coordination efforts, and U.S. federal and state legislation is likely to follow.

What if paying is the only way to recover critical data?

This is the hardest scenario, and it's exactly why preparation matters so much. When businesses lack adequate backups or a tested recovery plan, paying can feel like the only option. But it doesn't guarantee recovery. According to Sophos's State of Ransomware 2024 report, 84% of victims who paid a ransom failed to fully recover their data, and Halcyon's research found that nearly 80% were attacked a second time. The better answer is to build the infrastructure now so that paying is never your only path. A cybersecurity risk assessment is a practical first step.

Related Resources

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.
