
The Ransom Paradox: Why Paying Cybercriminals Must Be Outlawed
July 28, 2025
For decades, the United States and its allies have maintained a firm policy against negotiating with terrorists. This stance reflects a pragmatic understanding: when you pay a ransom, you incentivize more kidnappings and fund the next operation. Yet when it comes to cybercrime, businesses and even governments routinely violate this principle, transferring billions annually to criminal enterprises.
This inconsistency is beginning to change as jurisdictions recognize the collective harm of continuing to pay. The UK government's recently announced ban on public-sector bodies paying ransomware demands is the most high-profile move in this direction, but it is not alone.
North Carolina blazed this trail in 2021, becoming the first U.S. state to prohibit public-sector ransomware payments. Florida followed with its own ban in 2022. Several other states, including New York, Pennsylvania, and Texas, have considered payment bans but have not yet enacted them. At the global level, the 48 members of the International Counter Ransomware Initiative have pledged that their governments will not pay ransoms, though most lack binding legislation to enforce that commitment. These early efforts reflect a growing recognition that the only sustainable solution is cutting off the financial incentives driving the ransomware epidemic.
Economic Reality of Ransomware
The numbers tell a sobering story. Global ransomware payments reached $1.1 billion in 2023, roughly double the previous year. The average payment jumped from about $400,000 in 2023 to about $2 million in 2024, a fivefold (400%) increase.
These direct payments are only a fraction of the total cost, and even they are undercounted: many victims never disclose an incident or a payment, even where disclosure is mandated. When downtime, recovery effort, reputational damage, and lost business are factored in, forecasts put the global cost of ransomware at $57 billion in 2025 and $275 billion annually by 2031.
This isn't just a cybersecurity problem. It's an existential economic threat.
Why Companies Continue to Pay
Despite the risks, businesses continue to pay ransoms for many reasons:
- When critical systems are encrypted, paying often seems like the fastest path to recovery
- Many cyber insurance policies cover ransom payments, creating moral hazard
- Companies worry about reputational damage if they admit to being compromised
- Inadequate backups and recovery plans leave few alternatives
Yet the data shows that paying does not guarantee results. A recent Search Logistics study found that only 8% of organizations that paid recovered all of their data, meaning 92% of payments did not result in full data recovery. Worse, paying marks a business as a willing target: 80% of companies that paid a ransom were hit a second time, 40% of those paid again, and 70% of repeat payers paid a higher ransom the second time around.
Different studies report varying figures, but nearly all agree that paying is an unreliable path to data recovery and frequently invites follow-on attacks. This strengthens the case for a global ban: the practice not only funds criminal enterprises but often fails to solve the immediate problem it is meant to address.
The Case for a Global Ban
The argument for banning ransomware payments is compelling:
- Every dollar paid to ransomware operations directly finances their expansion. By cutting off this revenue stream, we disrupt the entire criminal business model.
- When attacks become unprofitable, their frequency naturally decreases. Law-enforcement operations, including FBI-led actions that disrupted payment infrastructure, have been followed by measurable drops in attack volume.
- Cybercriminals focus on ransomware because it is profitable. A payment ban that covers all extortion demands, whether for decryption keys or for withholding stolen data, would force them toward other, potentially less damaging tactics, or out of cybercrime entirely. A ban limited to encryption-based extortion would simply push operators toward data-theft-only extortion.
- Companies facing a no-payment reality would be forced to invest in prevention, detection, and recovery capabilities rather than treating ransoms as an expensive but viable fallback.
Implementing an Effective Ban
While the concept of banning payments is straightforward, implementation requires careful consideration:
Phased Approach
A complete ban overnight would be disastrous for unprepared enterprises. A more practical approach would start with bans for public sector entities, extend to critical infrastructure and regulated industries, provide a transition period for private businesses, and offer exemptions only in cases of imminent threat to life.
Support Mechanisms
Governments implementing payment bans must also provide support, such as:
- Expanded incident response capabilities
- Recovery assistance for affected organizations
- Improved threat intelligence sharing
- Tax incentives for security investments
International Coordination
For maximum effectiveness, payment bans must be coordinated internationally. The 48 countries that have pledged not to pay ransoms represent a strong foundation, but binding legislation is needed to create real change.
The Way Forward
The shift to a world where ransomware payments are prohibited won't be easy. There will undoubtedly be painful transitions as businesses adapt. Some firms may fail after attacks if they haven't prepared adequately.
But we must consider the alternative: continuing to feed a criminal ecosystem that grows more sophisticated and damaging with each payment. The current trajectory is unsustainable, with annual ransomware costs projected to grow nearly fivefold in just six years.
As the UK, North Carolina, and Florida have recognized, stopping the flow of money is the only viable long-term solution. Companies should begin preparing now for what is increasingly looking like an inevitable global shift away from ransomware payments.
The question is no longer whether payment bans will become widespread, but when – and whether your company will be ready when they do.