Ransomware: To Pay or Not to Pay? A New Study Explores the True Cost
A researcher from the University of Texas at Dallas has proposed viewing the fight against ransomware not solely through the lens of technology, but also through political intervention. Atanu Lahiri, Professor of Information Systems, examines in his work which measures can genuinely deter cybercriminals, and under what circumstances banning ransom payments may yield more benefit than harm.
Lahiri identifies ransomware as one of the foremost threats to organizations worldwide. Most such attacks are launched via phishing emails or through the exploitation of unpatched software vulnerabilities. In 2024 alone, the FBI’s Internet Crime Complaint Center recorded over 3,000 incidents. Total ransom payments exceeded $800 million, though the true cost is far higher, as many organizations choose not to disclose breaches.
The study demonstrates that bans or penalties on ransom payments do not always produce clear-cut results. On the one hand, transferring money strengthens attackers and fuels further assaults — a phenomenon Lahiri and colleagues describe as “extortionality,” an external infection effect where the concessions of some companies increase the vulnerability of others. On the other hand, an outright ban can prove disastrous, especially for hospitals, where the loss of access to critical information may put patients’ lives at risk.
Through mathematical modeling, Lahiri concludes that the optimal strategy in many cases is not to pay attackers. Yet such a stance only succeeds when organizations act collectively. If even a portion of victims capitulates, the overall risk escalates. Thus, legislative responses must be carefully calibrated: fines or levies could be imposed on companies that pay ransoms, while hospitals and critical infrastructure should be granted exceptions.
Lahiri emphasizes that even the discussion of a potential ban can incentivize companies to invest in backup systems and recovery training. As an alternative to strict prohibition, he envisions encouraging resilience through subsidies for backup technologies, mandatory recovery drills, and awareness programs.
According to Lahiri, the most reliable defense remains thorough preparation: consistent data backups and rehearsed restoration scenarios. Without such measures, organizations will continue to pay, perpetuating and nourishing the ransomware economy.