Fact Check

The Claim

"Paying the ransom guarantees you will get your files back after a ransomware attack."

Verdict: FALSE

Does Paying the Ransom Get Your Files Back? FALSE

The Sherlock Forensics incident-response practice has handled ransomware events across mid-market and enterprise customers for two decades. The data is consistent across years and threat actor families. Paying the ransom does not reliably get your files back. Multi-industry surveys show that roughly one in three organizations who pay the ransom never recover their data at all. Of those who do receive a decryptor, recovery is partial and slow more often than complete and fast. Treating ransom payment as a guaranteed restore path is one of the most costly misconceptions in modern incident response.

What the data actually says

Sophos publishes the most widely cited annual survey on ransomware recovery outcomes. The 2024 State of Ransomware report covered 5,000 IT and cybersecurity leaders across 14 countries. Of organizations who paid the ransom, only 56% reported full recovery of their data. The remaining 44% either received no decryptor at all, received a broken decryptor that did not work, or recovered only some files before the decryptor stopped functioning.

Coveware publishes quarterly ransomware threat intelligence reports based on their actual incident-response casework. Their data consistently shows that average recovery rates after ransom payment hover around 60-65% of encrypted data, not 100%. Some campaigns recover well above that. Some recover well below. The "you pay, you get files back" model is statistically false at the aggregate level.

FBI Internet Crime Complaint Center data echoes the same pattern. Ransom payment does not correlate with reliable recovery. The 2023 IC3 report explicitly warns that paying the ransom emboldens the attacker and offers no guarantee of file restoration.

Why decryptors fail

The reason ransom payment does not guarantee recovery is technical, not motivational. Several specific failure modes account for the partial-recovery and no-recovery outcomes.

Decryption is slower than encryption. Ransomware encrypts files in parallel using multiple CPU cores, often skipping file headers or encrypting only the first portion of large files (chunked encryption) to maximize throughput. The decryptor that the attacker provides has to undo this exact pattern. If the decryptor implementation is buggy or assumes a different encryption pattern than what was actually applied, files that look encrypted will not decrypt cleanly. Customers regularly report decryption running for days only to fail partway through a multi-terabyte dataset.

Some files are damaged during encryption. Ransomware operators write code under time pressure and often without quality assurance for edge cases. Files with unusual headers, files held open by other processes during encryption, files that span network shares with intermittent connectivity, and files compressed by other tools mid-encryption can be corrupted in ways the decryptor cannot reverse. The damage was done before the ransom was paid. No decryption key can undo lost bytes.

The attacker may not have your key. Some ransomware variants use per-file unique encryption keys derived from a session key plus per-file nonces. The full key material lives only in memory on the victim system during encryption and is supposed to be exfiltrated to the attacker's command and control server. If exfiltration was incomplete, or was interrupted by network filtering or by EDR action, the attacker has only some of the key material. The decryptor handles the files they captured keys for and fails on the rest.

Backup-disable scripts run alongside encryption. Modern ransomware first deletes Volume Shadow Copies, disables Windows Defender, terminates known backup processes, and corrupts Veeam, Acronis, or similar backup agents. These actions destroy data the decryptor cannot restore. Even if every encrypted file decrypts perfectly, the backups that survived the attack cover less than the dataset as it existed before the attack.

The attacker may double-encrypt or refuse to provide keys. Multi-actor groups sometimes encrypt the same victim twice (different affiliates hitting the same target), and only one of the affiliate operators has the actual keys for some files. Some operators take payment and disappear. Others provide a decryptor that demands a second payment to unlock additional features. The transactional ethics of organized criminal extortion are not reliable.

Time pressure forces shortcuts that lose data. Victims under business-continuity pressure run the decryptor without testing it first, without filesystem snapshots, without isolating the recovery path from the original infection vector. The result is sometimes a partially-decrypted environment that gets re-encrypted during attempted recovery. Sometimes it is a successful decryption that immediately re-encrypts because the attacker still has access to the network.

The financial math beyond the ransom itself

The headline ransom number is a small fraction of total cost in most cases. Recovery cost categories that survive the ransom payment:

Incident response engagement. Forensic examiners, IR firms, legal counsel, breach coaches, and crisis communications support all bill at incident-response rates. Engagement for a real ransomware event runs hundreds of thousands of dollars at minimum for a mid-market business. Cost rises well into seven figures for enterprise. None of that cost is removed by paying the ransom.

Downtime cost. Even with a working decryptor, decrypting a multi-terabyte environment takes days. Decryption, rebuild, validation, and re-onboarding to production together easily reach two weeks for mid-market and four to six weeks for enterprise. Lost revenue, missed contractual obligations, and customer churn during that window often exceed the ransom by an order of magnitude.

Breach notification and regulatory cost. Ransomware events that touched protected data trigger regulatory notification (HIPAA, PIPEDA, GDPR, state-level breach laws). Notification cost is a per-affected-individual figure plus the legal and forensic work needed to prove what was and was not accessed. Privacy regulators across the Five Eyes have explicitly stated that paying the ransom does not extinguish the notification obligation.

Cyber insurance impact. Some policies pay the ransom directly through the carrier's incident-response panel. Others reimburse after the fact. All policies that pay ransom raise the next renewal premium materially. Many carriers now exclude ransom payment entirely. The downstream insurance premium increase across the next three-year renewal cycle often equals the ransom itself.

Reputational cost. Customers, partners, and prospects who learn of the ransomware event update their risk assessment of your organization. Some customers move business. Some partners require new contractual protections that cost money to provide. Sales velocity slows. None of this is recoverable by paying the ransom faster.

The defensible incident-response path

The reliable path through a ransomware event does not run through payment as the first option. The standard incident response sequence:

Isolate first. Take affected systems off the network immediately. Do not power them off (memory forensics value disappears). Do not run cleanup tools that overwrite encrypted artifacts (the encryption pattern is forensic evidence). The Sherlock Forensics Disk Imager with chain-of-custody capture is the right acquisition tool for the affected hosts during this phase.

Acquire forensic images. Image every affected host before any restoration work. The images preserve evidence for insurance claim documentation, legal counsel review of breach notification obligations, threat actor attribution work, decryptor analysis (some ransomware decryptors can be reverse-engineered from the encrypted artifacts), and downstream litigation preservation. The forensic timeline reconstructed from these images often surfaces the initial access vector, which dictates whether the recovered environment is actually safe to bring online.

Identify the variant and check for free decryptors. Several ransomware families have had keys leaked or reverse-engineered and have publicly available decryptors at nomoreransom.org. Checking for a free decryptor is a high-value first step that costs only the analyst time needed to confirm the variant.

Restore from backups validated as clean. If immutable backups exist and the recovery time objective tolerates the restore window, restoration from validated backups is the only path that does not involve paying organized criminal extortion. Backup validation must happen on an isolated network segment with the original infection vector closed.

Engage IR and legal counsel before negotiating. If payment is being considered as a last resort (backups failed, no free decryptor, business continuity at stake), the negotiation should happen through a professional ransomware negotiator with established threat actor relationships. They negotiate average reductions of 60-70% off the initial demand, set realistic decryption-quality expectations, and document the transaction in a way that supports insurance recovery and regulatory defensibility. Direct victim-to-attacker negotiation typically results in worse outcomes on every dimension.

Plan for re-compromise. The infection vector that let the attacker into the environment the first time is still present on day zero of recovery. Hardening the environment before bringing recovered systems back into production is the difference between recovery and re-encryption. The Sherlock Forensics Universal Events Viewer supports the post-incident timeline reconstruction needed to identify the initial access vector and verify it has been remediated.
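As an added example that is not part of this article and not a Sherlock Forensics tool, the following Python triage script turns the failure modes listed under "Why decryptors fail" into checks that run over the output of an attacker-supplied decryptor or a backup restore before that output is trusted: it flags files that still carry an encryption suffix, fail their format signature, remain near-random, differ in size from a pre-incident inventory, or contain long zero runs from truncated writes. The signature table, the suffixes, the entropy threshold and the sample file set are constructed assumptions, not real case data.

```python
from __future__ import annotations

import math
import os
from collections import Counter
from typing import Optional

# File signatures for a few common types; extend for the estate being recovered.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
# Placeholder suffixes standing in for whatever the variant appended (not a real IoC list).
ENCRYPTED_SUFFIXES = (".locked", ".encrypted")
ENTROPY_LIMIT = 7.5  # bits per byte; ciphertext and random data sit close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_file(name: str, data: bytes, expected_size: Optional[int] = None) -> list[str]:
    """Return findings for one recovered file; an empty list means it passed every check."""
    findings = []
    stem, ext = os.path.splitext(name)
    if ext.lower() in ENCRYPTED_SUFFIXES:
        findings.append("encryption suffix still present")
        ext = os.path.splitext(stem)[1]  # inspect the original type underneath
    sig = MAGIC.get(ext.lower())
    if sig is None:
        # Unknown type: a header still near 8 bits/byte is almost certainly ciphertext.
        if len(data) >= 256 and shannon_entropy(data[:4096]) > ENTROPY_LIMIT:
            findings.append("header still high-entropy; likely not decrypted")
    elif not data.startswith(sig):
        findings.append(f"signature mismatch; content is not a valid {ext}")
    if expected_size is not None and len(data) != expected_size:
        findings.append(f"size {len(data)} differs from pre-incident inventory size {expected_size}")
    if b"\x00" * 512 in data:
        findings.append("512-byte zero run; possible truncated or partially written file")
    return findings

def triage_recovery(files: dict[str, bytes], inventory: dict[str, int]) -> dict[str, list[str]]:
    """Triage a recovered set; returns only the paths that need attention."""
    return {n: f for n, d in files.items() if (f := triage_file(n, d, inventory.get(n)))}

# Constructed sample recovery set and pre-incident size inventory (not real case data).
SAMPLE_FILES = {
    "contracts/msa.pdf": b"%PDF-1.7\n" + b"Master services agreement text.\n" * 40,
    "finance/q3.xlsx": bytes(range(256)) * 16,                # still ciphertext-like bytes
    "hr/policy.docx.locked": b"PK\x03\x04" + b"\x00" * 600,   # suffix left, body zero-filled
    "notes/readme.txt": b"plain notes\n" * 30,
}
SAMPLE_INVENTORY = {"contracts/msa.pdf": 9 + 32 * 40, "notes/readme.txt": 360}
```

The inventory of expected sizes comes from whatever pre-incident source the estate has (backup catalog, file-server audit, or the forensic images taken before restoration); a file that passes every check is still only a candidate for spot-check opening, not proof of a clean restore.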

What this means for security planning

The practical preventive posture treats ransomware payment as a worst-case-last-resort, not as a routine recovery path. The investments that actually reduce ransomware impact:

Immutable backups that survive a ransomware event. Air-gapped, offline, or write-once-read-many (WORM) backup architectures where the production attacker cannot reach the backup store. Cloud snapshot-and-replicate patterns that keep the snapshot deletion authority in a separate trust domain. Validated restore procedures tested quarterly. Backups that exist but have never been restored are not backups; they are file copies that hope to work.

EDR with real isolation capability. Endpoint Detection and Response products that can isolate a compromised host from the network within seconds of detection, before the encryption phase completes. Major vendors include CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X. EDR alone does not prevent ransomware but materially reduces blast radius when it fires.

Privileged access constraint. Removing standing local administrator rights from regular user accounts limits how far ransomware can spread when it lands. Privileged Access Management products gate the privileged-credential moments. The Sherlock Forensics services practice routinely finds that customers with constrained privileged access had smaller ransomware blast radii than customers with broad standing admin.

Tabletop exercise the response. Most organizations have never practiced a ransomware event. The first time the IR runbook gets used is during a real incident under time pressure, with leadership making decisions they have not modeled. Quarterly tabletop exercises that walk through detection, isolation, forensic acquisition, backup restoration, communications, and legal coordination expose the real gaps in your response plan before an attacker does.

Incident response retainer. Pre-negotiated retainer agreements with forensic IR firms remove the negotiation friction during the active incident. The retainer activates within hours rather than days. The Sherlock Forensics incident response retainer is structured this way. Talk to our team about retainer terms or active incident response.

Source citations

  • Sophos State of Ransomware annual report: multi-year survey data on actual recovery rates after ransom payment
  • Coveware quarterly ransomware threat intelligence reports: incident-response casework aggregate recovery rate trending
  • FBI Internet Crime Complaint Center (IC3) annual report: federal-level ransomware data and explicit warning against ransom payment
  • CISA #StopRansomware campaign: federal guidance on ransomware incident response and reasons to avoid payment
  • nomoreransom.org: free decryptor catalog maintained by Europol and private-sector partners
  • NIST SP 800-184 Guide for Cybersecurity Event Recovery: federal framework for incident response sequencing

Sherlock Forensics has responded to ransomware events for two decades. Talk to our team about active incident response, IR retainer terms, and proactive ransomware-readiness assessment.