IronSights
All insights

incident response

Should you pay the ransom? An honest guide for Australian businesses

Hit by ransomware and staring at a payment demand? The honest answer is that paying is usually a last resort, not a first move, and often it is not even necessary. Here is how to think it through, what Australian law now requires, and what to check before you consider paying.

By IronSights Editorial, Practitioner team11 July 20265 min read
ByIronSights Editorial11 July 20265 min read

When locks up your business and a payment demand appears on the screen, one question tends to crowd out every other: do we just pay and make this go away? It is an understandable reaction. Operations have stopped, staff are standing around, and the attacker is offering what looks like the fastest way out.

The honest answer is that paying is usually a last resort, not a first move, and in many cases it is not even necessary. This guide walks through why, what Australian law now requires of you, and what to check before you consider paying. It is general guidance, not legal advice, and you should get your own advice on the specifics of your situation.

Paying does not guarantee you get your data back

A ransom demand is a promise from a criminal. When you pay, you are trusting that promise. Sometimes the attacker provides a working key. Often the result is worse than expected. The key may never arrive, it may decrypt slowly or incompletely, or the data may already be corrupted from the itself. A meaningful proportion of organisations that pay do not recover everything, and some recover nothing. You are buying a chance, not a certainty, and you are buying it from the party that attacked you.

You may not have to pay at all

Before payment even enters the conversation, it is worth knowing that a great deal of ransomware-encrypted data is recoverable without the attacker's key. There is a clear order to work through, from the cleanest option to the last resort.

  • Clean, verified backups. If you have offline or immutable backups that were not reached by the attack, restoring from them is the simplest path. Check they are genuinely intact before trusting them.
  • Volume shadow copies or snapshots, if the attacker did not delete them.
  • Partial-encryption recovery. Many modern ransomware families encrypt large files only partially, for speed, which leaves most of the underlying data intact. Where that is the case, the surviving data can often be located and rebuilt without the key. This is exactly the path that has recovered business databases for Australian organisations after every backup had failed.
  • A public decryptor, if one exists for the strain. These are rare, but worth checking through resources such as the No More Ransom project.
  • Rebuilding from source systems, where the data can be regenerated from elsewhere.

The point is simple. Recovery is frequently a technical problem to be worked, not a payment to be made. The right question in the first hours is not "how much do we pay" but "what can we recover, and in what order."

Paying carries costs well beyond the ransom

Even set aside the money, payment has consequences that are easy to overlook under pressure.

  • It funds and encourages the offender, and the wider criminal market that targets Australian businesses.
  • It marks you as an organisation that pays. Victims who pay are more likely to be targeted again, sometimes by the same group.
  • It may carry legal exposure. Depending on who is behind the attack, a payment can raise sanctions and other legal considerations, which is another reason to involve legal counsel early.

Do not assume the data-theft threat is real

Many attackers now claim to have stolen your data as well as encrypted it, and threaten to leak it unless you pay. Treat that claim as something to be assessed, not accepted. Data-theft claims in ransom notes are frequently a bluff, and even where data was taken, paying does not guarantee it is deleted. You would again be trusting a criminal to keep their word. What was actually accessed should be established through proper technical examination, not taken from the attacker's note.

What Australian law now requires

Two obligations are worth understanding, and both are reasons to bring in legal advice rather than act alone.

  • Ransomware payment reporting. The Cyber Security Act 2024 introduced an obligation for businesses above a turnover threshold to report a ransomware payment within a short deadline. This is a separate duty that is triggered by the act of paying.
  • Notifiable data breaches. Under the Privacy Act, if was accessed, you may need to assess the breach and potentially notify the and the affected individuals. Unauthorised access can be enough to trigger this, and it applies regardless of whether you pay.

Neither obligation depends on the recovery outcome, and both can apply at the same time. Reporting the incident to the 's through ReportCyber, and to police, is also part of a proper response.

What to do in the first hours instead

The decisions you make early determine what is recoverable later, so the priority is preservation and containment, not payment.

  • Isolate, do not power off. Disconnect affected machines from the network, but avoid wiping, re-imaging, or shutting them down, which can destroy recoverable data and evidence.
  • Preserve everything. Keep the encrypted files, the ransom note, and the logs. Partially encrypted files are often recoverable, and deleting them forecloses that option.
  • Protect and check your backups. Take them offline and verify whether they are intact before you rely on them.
  • Engage incident response early. The right first moves, preservation, scoping, and containment, are what make recovery possible, and they are hard to get right under pressure.

The bottom line

Paying a ransom is a decision to make with clear eyes, legal advice, and only after the recovery options have been properly assessed, not a reflex in the first frightening hour. In our experience, organisations that pause, preserve, and bring in the right help recover far more often than the panic of the moment suggests. If you are in the middle of a ransomware incident now, our team can help you work out what is recoverable and what your obligations are. You can read more about how we recover data from partially encrypted files on our ransomware data recovery page, and about our wider response work on our page.

Keep reading

More from the IronSights team.