Ransomware Realities 2025: Why Paying Up Still Makes Cold, Hard Sense

Let's be clear: paying ransomware operators feels wrong. Morally, strategically, every fiber of our being says this is wrong. We know the arguments: we’re rewarding criminals, encouraging further attacks, and creating a never-ending cycle. I get it. You get it. But what if the alternative is worse?
Business Realities Trump Moral High Ground
Headlines scream about falling ransom prices. Demands are down about a third from last year, and median payments are down by half! That sounds like progress, right? Like we're winning. But look closer. Despite the lower demands, almost half of organizations still end up paying; 49%, in fact. This isn't some abstract theoretical debate. These aren’t political games; this is real money, real businesses, and real consequences.
It’s easy to sit in our ivory tower and preach about the importance of cyber hygiene. So what are we supposed to do when a hospital’s patient records are suddenly locked down? Now imagine a shipper, or a small manufacturing company, that’s headed for bankruptcy because it can’t deliver on orders. Asking them to simply “reject the ransom” is akin to telling a swimmer trapped underwater to go ahead and breathe.
Here's the cold, hard truth: businesses exist to survive. Their foremost duty is to their workers, their customers and their investors. Sometimes, that means making hard choices. Unpleasant choices. Decisions that will leave you feeling dirty and in need of a shower. Paying a ransom can obviously be one of those decisions. It is a risk, but a measured one. The consequences of not paying (lost productivity, loss of data, reputational injury, and potential legal liability) are often much greater than the ethical cost of funding criminals.
Think about it: a lawyer friend of mine had his entire client database encrypted. Years of work, gone in an instant. He had backups, but they turned out to be corrupted as well. The ransom was surprisingly low, about $5,000. He paid. Why? Because the breach-of-confidentiality lawsuits from his clients would have bankrupted him. He made a cold, hard business decision. After all, no one wants to be the last virtuous company standing in a graveyard of bankruptcies.
Unknown Gaps, Unpatched Holes, Human Error
The stats are grim. A whopping 32% of ransomware attacks originate from known vulnerabilities. Another 40% of victims are caught off guard by security holes they weren’t even aware existed. This isn’t about sophisticated hacking, friends; it’s about something much simpler: basic, bumbling mismanagement. Unpatched systems, weak passwords and employees clicking on dodgy links.
And that brings me to the unexpected connection: ransomware is the ultimate user experience (UX) problem. We can build the most secure systems in the world, but if an end user is socially engineered into clicking on a hostile link, all that work is for naught. The recent Microsoft 365 “Direct Send” phishing vulnerability serves as a prime example. Threat actors have been abusing this legitimate internal feature to deliver phishing messages that go undetected. It's ingenious, and it's terrifyingly effective. Ease of use is not a good thing when it comes at the expense of security. It’s like leaving the keys to the kingdom under the doormat.
The decline extends even to backup usage, which has fallen to a six-year low, with just 54% of firms employing this strategy. This is not progress. This is negligence. We're so focused on the threat of ransomware that we're forgetting the basic blocking and tackling of cybersecurity.
A Blanket Ban's Unintended Consequences
The most common knee-jerk reaction is to outlaw ransom payments entirely. "Just make it illegal!" the pundits cry. What happens then?
Do we honestly believe that would stop the bad guys in their tracks? No. They'll adapt. They'll go underground. Next, they’ll go after smaller businesses that lack robust security. And they may even begin to destroy data rather than encrypt it, removing the chance of recovery completely. For attackers, this is business. For victims, it is their livelihood.
A ban disproportionately hurts small businesses. While larger corporations can sometimes weather the storm of downtime and data loss, a smaller entity may be driven out of business. It’s a brutal Darwinian outcome: the well-resourced weather the storm while the vulnerable fail and die. This is more than dollars and cents; this is people’s livelihoods and communities.
Take the Brother printer vulnerability as just one example: hundreds of models, some with unfixable security flaws and default passwords that can be easily cracked. A small business that depends on these printers is a dead duck. Are we really going to tell them they can’t pay the ransom? What if that decision puts them out of business?
Pragmatism, Not Capitulation, Is Key
Paying a ransom is never ideal. In the real world, it’s often the lesser of evils. It’s a short-term solution to a long-term problem. It's a band-aid on a gaping wound.
I'm not advocating for complacency. Businesses must invest in robust security measures. They need to fix their security systems, learn from their mistakes, and adopt smart backup practices. They need to approach cybersecurity as an essential business operation rather than a secondary consideration.
Ransomware isn’t going away anytime soon. The true answer is a world where every system is secure and every user remains appropriately vigilant. Until we live in such a world, paying the ransom might be the only reasonable choice for some businesses. It could be the practical move that’s most likely to keep them alive.
And then there is AI. Though sold to the public as a true convenience, AI integrations add an additional, unintended layer of complexity and vulnerability. Are we trading security for convenience? Just as ransomware exploits vulnerabilities we didn't know existed, AI integrations could create new attack vectors we haven't even considered yet. The future is already here, and it is decidedly more complicated and easier to exploit.
Let's be realistic. Paying up isn’t a win; it’s damage control. But sometimes, damage control is the best you can do with what you have.

Tran Quoc Duy
Blockchain Editor
Tran Quoc Duy offers centrist, well-grounded blockchain analysis, focusing on practical risks and utility in cryptocurrency domains. His analytical depth and subtle humor bring a thoughtful, measured voice to staking and mining topics. In his spare time, he enjoys landscape painting and classic science fiction novels.