
Should You Pay the Ransom? Weighing the Pros and Cons for UK Businesses

Ransomware attacks are a daily threat for UK businesses. High-profile incidents like those at Marks & Spencer (2025), the British Library (2023) and Synnovis (2024) have highlighted the enormous operational and financial costs. The average ransom payment in late 2024 exceeded £438,500, with some demands reaching millions. For many organisations, the decision to pay can feel like a matter of survival.

Yet beyond immediate costs lie deeper dilemmas. Paying ransom may appear to be a quick fix, but it carries serious strategic, legal and ethical risks. This blog explores the current ransomware landscape, the well-known and hidden risks of paying, UK legal considerations and effective alternative strategies.

Key Takeaway

Paying a ransom may seem like a shortcut to business recovery, but it can inadvertently reinforce criminal networks, attract repeat attacks and expose your organisation to legal and regulatory scrutiny.

📊 The Current Landscape of Ransomware in the UK

Ransomware remains a significant threat in the UK, with 54% of UK firms experiencing ransomware attacks in 2024. Of those that experienced attacks, 59% paid the ransom. According to Veeam’s analysis of Coveware data, the average ransomware payment in Q1 2025 was £435,000. This figure represents a slight decrease of 0.2% from Q4 2024. Although the average payment decreased, the median payment rose to $200,000 (approximately £157,000), marking an 80% increase from the previous quarter.

Case Study – Marks & Spencer (2025)

In April 2025, M&S was hit by a major ransomware attack linked to Scattered Spider, a sophisticated ransomware-as-a-service group known for exploiting supply chain vulnerabilities. The attackers used phishing and social engineering to breach M&S’s network via a flaw in third-party inventory software, a weakness that had gone unmonitored by cyber security teams.

The breach forced M&S to suspend online orders and contactless payments across the UK, severely disrupting operations. Financial losses were estimated at £300 million in operating profit, with a £750 million drop in market value.

Customer trust was further impacted by delayed communication, damaging the company’s reputation. The incident underscored the high stakes of third-party cyber risk and the need for stronger vendor oversight, real-time monitoring, and faster incident response.

⚠️ Well Known Risks of Paying the Ransom

Most people are already aware of the ‘usual’ risks when paying a ransom:

  • Financial Cost: Payments can be exorbitant with no guarantee of full data recovery.
  • Operational Disruption: Even with decryption keys, recovery may take weeks.
  • Reputational Damage: News of a payment can erode customer trust.

Key Takeaway

Even when paying seems expedient, these costs can spiral, undermining both immediate and long-term business stability.

🕵️‍♂️ Five Lesser Known Risks To Paying Ransoms

1. Re-Targeting via ‘Sucker Lists’

Paying a ransom signals vulnerability. Many victims who pay are re-attacked within 12 months and sold on dark web “sucker lists” as prime targets.

For example, criminals are known to share successful extortion targets on hacking forums, providing details on how the organisation was compromised and highlighting its willingness to pay. This information incentivises new attackers to launch further attacks, often using the same or similar tactics.

Recent reports from UK cyber crime intelligence teams show that small and medium-sized enterprises (SMEs) that have paid ransoms have a significantly higher likelihood of repeated attacks. The high-profile ransomware attack on the British Library in 2023 underscored this risk, as the attackers threatened to auction stolen data to the highest bidder if payment was not made.

Key Takeaway

Paying a ransom may temporarily fix one problem, but it can increase your organisation’s risk of becoming a repeat victim, often because attackers share your details with others on dark web forums.

Case Study – British Library (2023)

In October 2023, the British Library suffered a major ransomware attack by the Rhysida group, known for targeting public institutions and leaking sensitive data. The attackers exploited an unpatched vulnerability in a legacy content management system that had not been updated in years as a result of inadequate security reviews and patching.

The breach caused severe disruption, including loss of access to digital archives, research materials, and internal systems. Around 600GB of sensitive data, including user and research information, was exfiltrated and auctioned on the dark web.

Although the library refused to pay the £600,000 ransom, it faced £7 million in recovery costs and lasting reputational harm. The incident impacted partnerships and public trust, and underscored the risks of outdated infrastructure, the importance of regular updates, and the fact that even unpaid ransoms can result in complex recovery challenges (thetimes.co.uk).

2. Cyber Criminals Aren’t a Trustworthy Bunch

Paying a ransom to criminals may seem like the easiest way to restore systems, but it’s fraught with risks and unreliable outcomes.

Many organisations assume that paying the ransom will result in a fully functioning decryption key, but criminals often provide flawed or incomplete decryption tools. Real-world examples include the Travelex attack of 2020, where despite paying a significant ransom, the company suffered massive data loss and eventually collapsed into administration.


Attackers may also provide decryption keys that do not fully restore services, leaving some files permanently corrupted or inaccessible. This is common in attacks using older ransomware variants where decryptors are poorly written or intentionally sabotaged. Even advanced ransomware gangs sometimes provide keys that fail to restore all systems, requiring further costly IT remediation.

Furthermore, paying criminals emboldens them. Once attackers know a business is willing to pay, they may threaten to leak sensitive data or launch further attacks to extract additional payments. This dynamic reinforces criminal enterprises and funds further attacks against other organisations.

Key Takeaway

Trusting criminals to restore your systems after payment is a risky gamble. Many businesses find themselves paying twice: once in ransom and again in costly IT remediation. Decryption tools from criminals often fail to fully restore systems. For example, in the 2020 Travelex attack, paying didn’t prevent massive data loss and eventual administration.

3. Regulatory and Legal Fallout

Paying a ransom can trigger scrutiny from the FCA, PRA and AML regulators. Recent UK guidance warns of potential civil or criminal penalties if payments breach financial sanctions.

In recent years, UK regulators have become increasingly concerned about ransomware payments inadvertently funding sanctioned groups or terrorist organisations. The National Crime Agency (NCA) has flagged that even well-intentioned payments can violate UK sanctions laws if funds ultimately reach designated entities. This risk is particularly pronounced when ransomware gangs operate through complex international networks that make it hard to trace where the money goes.


Furthermore, paying ransoms can raise anti-money laundering (AML) red flags within banks and financial institutions. Financial services firms are required by law to report suspicious payments, which could lead to further scrutiny, account freezes and potential penalties. Failure to adhere to AML reporting obligations can expose a business to significant fines and reputational damage.

Case law in the UK is evolving in this area: ransomware payments raise new legal questions that challenge existing frameworks for sanctions, data protection, AML and corporate governance, and courts are developing precedents that clarify how businesses should respond to ransomware attacks. Recent incidents have also shown that regulators will investigate companies that make payments without sufficient due diligence or legal advice.

Legal counsel should be consulted immediately when ransomware payments are under consideration.

Key Takeaway

Paying a ransom may seem like the simplest way to restore systems, but it carries serious regulatory and legal risks that can ultimately harm your business more than the initial attack.

4. Reputation Rebuild is Becoming Harder

Negotiation chats and payment evidence are sometimes leaked, causing public backlash. Ransom payments can tarnish a brand’s reputation, as seen in high-profile cases. For example:

In January 2023, Royal Mail suffered a ransomware attack by the LockBit group, disrupting international mail services. After Royal Mail refused to pay the £66 million ransom, LockBit leaked stolen files and the full negotiation transcript online. The published chats revealed the negotiation tactics and internal deliberations of Royal Mail, leading to public scrutiny and criticism of their handling of the incident.


Organisations that pay ransoms risk their decision becoming public, either through attackers leaking negotiation chats or journalists uncovering the payment. In some high-profile cases, the public has harshly criticised companies for supporting criminal activity, damaging trust with customers and partners.

Moreover, once a ransomware payment is public knowledge, companies often find it harder to rebuild their reputation. Investors may be concerned about the company’s governance and risk management. Even existing clients may question the security of their data, leading to lost business and a weakened market position.

Case Study – Caesars Entertainment (2023)

In September 2023, Caesars Entertainment suffered a cyber attack that compromised the personal data of loyalty programme members, including driver’s licence and Social Security numbers. The company reportedly paid a $15 million ransom to prevent public release of the stolen data.

The ransom payment drew widespread media attention and public criticism, with concerns that it could encourage further attacks and set a dangerous precedent. Despite containment efforts, the breach raised questions about Caesars’ cyber security posture and transparency.

The case highlights a broader risk: organisations that pay ransoms are more likely to be targeted again. Repeat attacks not only pose technical and financial challenges but also deepen reputational damage and erode stakeholder trust. Paying once can trap organisations in a cycle of extortion and recovery, underscoring the importance of preventative controls and incident response maturity.

5. Loss of Traction on Cyber Security

Paying a ransom can reduce urgency to strengthen defences, leaving critical risks unaddressed.

Once a ransom is paid and systems are partially restored, organisations may wrongly assume that the crisis is over. Senior leadership might prioritise business continuity over investing in long-term cyber resilience. This mindset creates a false sense of security, leaving the door open for future attacks.

Additionally, many companies that pay ransoms see decreased board-level support for cyber security initiatives. Executives might believe that paying attackers is an acceptable contingency plan, reducing their willingness to fund critical improvements to IT security infrastructure. Furthermore, the incident may demoralise internal IT teams, who feel their efforts to protect the business were undermined by paying the attackers. This can lead to reduced morale, turnover and a weakened cyber security posture in the long run.

Key Takeaway

Paying a ransom (or even deciding to have a strategy to pay if it were to happen) invariably instils complacency amongst executive leadership. This in turn leads to funding for cyber security initiatives drying up and resources being reallocated elsewhere. This leaves the organisation even more vulnerable to future attacks.

⚖️ Legal Considerations in the UK


While paying ransoms is not explicitly illegal, paying sanctioned groups can breach financial sanctions laws. For small and medium-sized businesses (SMBs) in particular, this risk is compounded by limited in-house legal and compliance expertise, making it harder to navigate the regulations around ransomware payments.

The government is considering legislation to ban ransomware payments by public bodies and enforce mandatory reporting (theguardian.com). Paying a ransomware group can also inadvertently breach anti-money laundering (AML) legislation, as payments made to sanctioned groups or suspicious entities may be viewed as facilitating money laundering or even terrorist financing. Always seek legal advice before making a payment to ensure compliance with sanctions and AML regulations.

For SMBs, this is particularly challenging as they may not have the same level of in-house compliance expertise or resources as larger corporations. SMBs should therefore consult with legal and financial professionals to understand the AML obligations and reporting requirements involved in making such payments.

Case Study – Synnovis (2024)

A ransomware attack on NHS pathology provider Synnovis caused widespread cancellations of NHS services. While the company’s ransom decision was not made public, the event sparked debate on payment ethics and regulatory oversight (cm-alliance.com).

💷 Are Ransomware Payments Tax Deductible?

Paying ransomware demands may seem like a quick financial fix, but UK businesses should be aware of significant tax implications:

  • Non-deductibility: According to BIM43180, ransom payments are considered blackmail or extortion payments and are not deductible as a business expense. This means organisations cannot reduce their taxable income by the amount paid, potentially leaving them with higher tax liabilities.
  • Accounting complexities: Paying a ransom can create complicated accounting challenges, particularly if the payment conflicts with anti-money laundering (AML) regulations, sanctions compliance, or reporting requirements.
  • Regulatory scrutiny: Making such payments might draw increased scrutiny from HMRC and other regulatory bodies, who may view them as enabling further criminal activity.

Key Takeaway

Companies should always seek tailored advice from tax experts and legal counsel to understand both the immediate and long-term financial, regulatory and reputational risks associated with ransomware payments. (gov.uk)

💸 How Ransomware Payments Are Made

Payments are typically demanded in cryptocurrencies, primarily Bitcoin or Monero, facilitated via digital wallets and exchanges. Here’s a breakdown of the common methods:

  1. Cryptocurrency payments: Bitcoin or Monero enable anonymity. Attackers provide wallet addresses for payment via secure portals.
  2. Cryptocurrency tumblers or mixers: Some attackers request payment via tumblers that mix coins with others to hide the trail.
  3. Pre-paid cards or gift cards: Although less common, some criminals request vouchers to cash out anonymously.
  4. Proxy payments via brokers: Sometimes criminals direct victims to pay through intermediaries to further obscure the funds.
  5. Direct bank transfers: Rarely used, but some gangs have received funds via direct international bank transfers.

This variety of methods makes detection and law enforcement efforts challenging. Each carries compliance risks around anti-money laundering, sanctions and anti-terrorism financing. Consulting legal and financial experts is essential before making payments.

🤝 Negotiating with Ransomware Attackers


Professional negotiators can help reduce demands, but the negotiation process is complex and multi-faceted. Here’s a breakdown of how negotiations with ransomware attackers typically work:

  • Contact Initiation: Negotiations often start via the communication channel set by the attackers (often an encrypted chat on the dark web or a secure portal). Victims, sometimes advised by specialists, introduce themselves and clarify their situation.
  • Verification: The attacker typically proves they have the data (e.g. by decrypting a small sample file) to demonstrate credibility and apply pressure.
  • Demand Presentation: The attacker presents a ransom demand, often with an initial threat (e.g. public data leak or destruction).
  • Counter-Offer & Negotiation: Victims (via negotiators) attempt to reduce the demand or obtain better payment terms or decryption support. However, attackers often remain uncooperative or manipulative.
  • Payment Arrangements: If payment is decided, cryptocurrency payments are arranged via digital wallets. Additional risks: the attacker may disappear, provide faulty decryptors, or demand further payments.

Law enforcement involvement is recommended at every stage. Attackers are rarely trustworthy, and even after a successful negotiation and payment, they may not fully restore systems.

🛡️ How to Reduce Ransomware Risk In Weeks, Not Months


Projects are your enemy when it comes to ransomware. Risk can be reduced very quickly (over weeks, not months), but not by following strictly conventional approaches.

There are two things to keep in mind. Firstly, there is generally a significant (and perplexing) over-reliance on Protection and Detection capabilities and nowhere near enough investment in Response and Recovery capabilities. In a world where a successful attack is somewhat inevitable, this investment strategy does not represent a strong business case.

Secondly, ransomware is a significant and imminent threat to your organisation – attackers will already be probing you for vulnerabilities. As such, this is an area which cannot wait for large transformation funding to be allocated. The approach below, which Jonny Pelter (CyPro Partner) developed as CISO at Thames Water and CyPro has since refined further, is incredibly effective at driving risk down in a very short period.

1. Attack Surface Reduction

  • Identity Attack Surface Reduction: Remove risky or unused accounts to shrink attack opportunities.
  • IT Asset Attack Surface Reduction: Decommission unnecessary connections and systems to reduce vulnerabilities.
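
As an added illustration of the identity attack surface reduction step above (example code written for this edit, not CyPro’s tooling or the Thames Water approach): a small Python review that reads a constructed directory export and flags enabled accounts that are dormant, never used, or privileged and idle, so they can be disabled before an attacker finds them. The column names, thresholds, review date and sample rows are all assumptions.

```python
"""Identity attack-surface review: flag enabled accounts that are dormant,
never used, or privileged and idle so they can be disabled or removed.

Added example, not CyPro's tooling. Column names, thresholds and the sample
rows below are assumptions made for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed sample export (column layout is assumed; a real export from
# Active Directory, Entra ID or another IdP needs its own column mapping).
SAMPLE_EXPORT = """\
account,enabled,privileged,created,last_logon
alice,true,false,2021-03-01,2025-06-20
svc_backup,true,true,2019-09-14,2025-06-25
bob.leaver,true,false,2020-05-20,2024-11-02
old_admin,true,true,2018-02-01,2024-01-15
temp_contractor,true,false,2025-01-10,
carol,false,false,2017-07-07,2023-08-01
new_starter,true,false,2025-06-15,
"""

REVIEW_DATE = date(2025, 6, 26)   # fixed "today" so results are reproducible
DORMANT_DAYS = 90                  # standard accounts idle longer than this
PRIVILEGED_DORMANT_DAYS = 30       # privileged accounts get a tighter limit
NEVER_USED_GRACE_DAYS = 14         # new accounts may not have logged on yet


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    days_idle: Optional[int]       # days since last logon, or account age if never used


def _parse_date(value: str) -> Optional[date]:
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def review_accounts(export_csv: str, today: date) -> List[Finding]:
    """Return one Finding per enabled account that should be disabled or
    reviewed, sorted by account name."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if not _is_true(row["enabled"]):
            continue                          # already disabled: nothing to shrink
        name = row["account"].strip()
        privileged = _is_true(row["privileged"])
        last_logon = _parse_date(row["last_logon"])
        created = _parse_date(row["created"])

        if last_logon is None:
            # Never-used accounts are a classic foothold; allow a short grace
            # period for genuinely new joiners.
            age = (today - created).days if created else None
            if age is None or age > NEVER_USED_GRACE_DAYS:
                findings.append(Finding(name, "enabled but never used", age))
            continue

        idle = (today - last_logon).days
        limit = PRIVILEGED_DORMANT_DAYS if privileged else DORMANT_DAYS
        if idle > limit:
            kind = "privileged" if privileged else "standard"
            findings.append(
                Finding(name, f"dormant {kind} account (idle > {limit} days)", idle)
            )
    return sorted(findings, key=lambda f: f.account)


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT, REVIEW_DATE):
        print(f"{f.account:<16} {f.reason:<45} {f.days_idle}")
```

Run against the constructed export, the review flags a leaver’s account idle for months, a privileged admin account idle well past the tighter 30-day limit, and a contractor account that was created but never used, while leaving a new starter inside the grace period alone. Feed it a real export and the output becomes the disable/remove list for the first sprint.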

2. Rapid Ransomware Remediation (RRR)

Once you have significantly reduced the opportunities for an attack, you want to ‘harden’ what is remaining. This exercise runs a series of five to seven two-week sprints, hardening IT assets against ransomware specific vulnerabilities and common attack vectors (like the browser, end-user estate, domain controllers, email gateway, etc.). It requires strong exec backing but is highly effective.

Key Takeaway

Investing in proactive risk management and response can significantly reduce the chances of successful attacks and provide a foundation for resilience.

🧠 Conclusion – Making an Informed Decision

Deciding whether to pay a ransom demand is one of the toughest decisions a business leader can face. While it might seem like a quick fix, the hidden risks and potential legal liabilities can create even bigger problems down the line. By prioritising prevention, resilience and rapid remediation, businesses can protect themselves more effectively and avoid being held to ransom.

Concerned about ransomware threats? Contact CyPro today for expert guidance on prevention, risk reduction, and rapid remediation strategies to safeguard your organisation.

Published
Jun 26 - 2025