It is 7:42 on a Tuesday morning. Your office manager calls. Nobody can open a single file. Every spreadsheet, invoice, and shared folder shows the same wallpaper now: a black screen with a countdown timer, a Bitcoin wallet address, and a six-figure number written in red. The voice on the other end of the line asks the only question that feels real in that moment. “Do we just pay it and move on?”
That question lands on small business owners more often than the headlines suggest, and it almost always lands during the worst hour of the worst day. The honest answer is more nuanced than “always pay” or “never pay.” The path you can take is mostly decided by what you put in place months before the screen ever went black, which is why this question deserves a clear answer well before it shows up.
This is a practical look at what really happens when ransomware locks a small business, what the payment decision actually trades off, and the few things you can do now that change which side of that decision you get to stand on.
What Happens When Ransomware Locks Your Business Files?
Modern ransomware is not just a popup demanding money. By the time the wallpaper changes on the office computers, two things have usually already happened. First, the attackers spent days or weeks moving quietly through your network, mapping which servers hold what, finding backup systems, and harvesting credentials. Second, before they triggered the encryption, they copied a meaningful slice of your data out to their own systems.
That second step changes the entire conversation. Even if you restore every file from a clean backup, the attackers still have the data. The threat becomes layered: pay us to unlock the files we encrypted, and pay us again or we publish the customer list, the payroll spreadsheet, the email archive, and the contracts to a leak site that anyone can read. This is called double extortion, and it is now the default for any attacker worth taking seriously.
How The Extortion Conversation Usually Plays Out
Within a few hours of the wallpaper change, your office manager will find a contact channel buried in the ransom note. Sometimes it is a Tor browser address. Sometimes it is a chat link. The attackers will be patient and professional. They will offer to decrypt a single file as proof they can deliver. They will share a price list. They will quote a deadline before the price doubles or the leak begins. Some groups have customer support. Some have negotiators. You are not the first business they have done this to today.
The professional tone is the point. It is designed to make the decision feel transactional, like ordering a part to fix a broken machine. The smaller the business, the more pressure that tone creates, because there is no incident response team, no general counsel, and no playbook on the wall. There is a panicked owner and an MSP who needs to be on the phone within minutes. The preparation that matters is the preparation that took place before any of this. The same groundwork that makes ransomware detection and the response steps that follow it effective is what determines how much leverage you actually have once the note arrives.
Should A Small Business Actually Pay The Ransom?
The honest answer is that paying is sometimes the only option a business has, and yet most experts who have watched hundreds of these incidents will tell you to avoid it whenever possible. The trade-off is rarely as clean as the attackers want it to look. Three realities make the math harder than the ransom note suggests.
Paying Does Not Always Return Your Data
Industry surveys of businesses that paid show that fewer than half got every file back cleanly. Some received decryption keys that worked on most files but corrupted others. Some received tools so slow that the recovery took weeks. Some received nothing at all. The decryption process itself can introduce new failures. You are trusting a criminal group to ship working software, on time, with no surprises. They are operating a business too, but it is not your business, and their incentives end the minute the wallet is funded.
Paying Often Marks You As A Future Target
The same surveys show that a meaningful share of businesses that paid were attacked again, sometimes by the same group, sometimes by a different one using the same purchased information. A business that paid once is now on a list of businesses that paid. The original attackers may sell that list. They may quietly leave a foothold in your network for the next campaign. Paying solves the immediate problem at the cost of becoming a more attractive target for the next twelve months.
Paying Can Be A Legal Problem On Its Own
The US Treasury has flagged that paying a ransom to a sanctioned group, or to a group based in a sanctioned country, can violate federal sanctions law even when the payment was made under duress. Some ransomware operators are tied to entities under sanction. Your insurance carrier and your bank will both look hard at where the payment is going before they let it leave. This is part of why a properly written cyber insurance policy with a working breach-coach hotline matters so much. The carrier brings the experts who can vet the recipient before the wire goes out and document the steps you took to comply with sanctions screening.
When Paying Is Still A Defensible Choice
None of this means paying is always wrong. A business with no working backups, no offline copy of critical data, and customers waiting on a service that cannot wait faces a different calculus than a business with a tested restore process. Healthcare providers with patient safety on the line, professional services firms with statutory client obligations, and businesses that cannot afford a week of downtime sometimes pay because the alternative is worse. The choice is real. The point is to make the choice with eyes open, with counsel and insurance on the call, not in the first hour while the wallpaper is still fresh on the screen.
What Backups Actually Make Saying No Possible?
Every small business that walked away from a ransomware demand without paying had the same thing in common: working backups they had tested recently, stored somewhere the attacker could not reach. Without that, the conversation with the attacker is the only conversation you get to have. With that, the conversation shifts from “should we pay” to “how fast can we rebuild.” The shift sounds small. It is everything.
Three Copies, Two Media, One Off-Site
The starting point is the 3-2-1 rule that every backup vendor has been quoting for twenty years. Three copies of your important data. On at least two different storage media. With at least one copy stored off-site. The reason the rule has lasted is that it covers the failure modes attackers exploit. Encrypting your primary server does not touch the cloud copy. Wiping the on-site backup appliance does not touch the immutable cloud snapshot. The attacker needs to compromise all three to take away your option to rebuild.
Why Immutable Backups Matter Now
Attackers have learned to go after backups first, because they know a business without backups will pay. The defense is an immutable backup, a copy that cannot be altered or deleted, even by an administrator, for a set window of time. Object lock in cloud storage is one way to achieve this. Air-gapped offline copies are another. The detail that matters: the credentials used by your day-to-day systems should not be the credentials that can wipe the backup. If a domain admin account can erase the backup repository, the backup is not real protection. It is a checkbox.
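One way to turn that detail into a check, as an added example that is not part of this article: the Python audit below inspects a backup bucket's Object Lock settings and the IAM policy attached to a day-to-day credential, flagging a lock that is missing, bypassable, or too short, and any policy that lets the credential delete or unlock the backups. The 30-day window, the bucket name and the two policies are constructed for the example; the input shapes follow what S3 and IAM return.

```python
import fnmatch

RETENTION_WINDOW_DAYS = 30   # assumption: the window the business settled on
# Actions that delete backup objects or weaken the lock protecting them.
DESTRUCTIVE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                       "s3:PutObjectRetention", "s3:PutBucketObjectLockConfiguration",
                       "s3:BypassGovernanceRetention"}

def audit_object_lock(lock_config):
    """Return findings for a bucket's Object Lock configuration; an empty list means it passes."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled: any account with delete rights can wipe the backup"]
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    findings = []
    if rule.get("Mode") != "COMPLIANCE":   # GOVERNANCE retention can be bypassed by a privileged account
        findings.append("retention mode is %s, not COMPLIANCE" % rule.get("Mode"))
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < RETENTION_WINDOW_DAYS:
        findings.append("default retention of %d days is below the %d-day window" % (days, RETENTION_WINDOW_DAYS))
    return findings

def destructive_grants(policy, bucket_arn):
    """Return the destructive actions an IAM policy allows on the backup bucket; day-to-day
    credentials should get an empty list back."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        # Resource patterns are matched against the bucket ARN and a representative object key under it.
        on_backup = any(fnmatch.fnmatchcase(bucket_arn, r) or fnmatch.fnmatchcase(bucket_arn + "/key", r)
                        for r in resources)
        if on_backup:   # action patterns such as "s3:*" or "s3:Delete*" expand against the list above
            granted |= {d for d in DESTRUCTIVE_ACTIONS if any(fnmatch.fnmatchcase(d, a) for a in actions)}
    return sorted(granted)

# Constructed inputs: the checkbox setup next to the one the text describes.
BACKUP_BUCKET = "arn:aws:s3:::example-backups"
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
WRITER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
                                "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]}]}
```

Run against the two policies, the domain-admin style grant comes back with every destructive action while the write-only backup credential comes back empty, which is the separation the paragraph asks for.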
Tested Backups Are The Only Backups
A backup that has never been restored is not a backup. It is a hope. Every small business should run a real restore drill at least once a quarter. Pick a server. Pick a folder of business-critical data. Restore it to a clean machine. Time how long it takes. Open the files. Confirm they work. The drill catches the silent failures that turn a confident “we have backups” into a hollow one when the wallpaper goes black. The architecture choice between on-site appliance, cloud-only, and a hybrid setup directly affects how quickly you regain access to your business data after an attack, which is why the choice deserves real attention before something forces it.
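A scripted version of the drill described above, as an added example that is not part of the article: it records checksums of the live folder, restores the backup copy to a clean directory, times the restore, and reports every file that came back missing or with different bytes. The sample files, the truncated spreadsheet, and the plain directory copy that stands in for a real restore command are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

def build_manifest(root):
    """SHA-256 of every file under root by relative path: the known-good state a restore must reproduce."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def verify_restore(restored_root, manifest):
    """Return (kind, path) for every file missing from the restored tree or with different bytes."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != expected:
            problems.append(("corrupt", rel))      # the silent failure a drill exists to catch
    return sorted(problems)

def run_drill(source_root, backup_root):
    """Restore the backup copy to a clean directory, time it, verify it: returns (seconds, problems).
    The plain copy stands in for the backup product's own restore command (assumption)."""
    manifest = build_manifest(source_root)
    clean = tempfile.mkdtemp(prefix="restore-drill-")
    start = time.monotonic()
    shutil.copytree(backup_root, clean, dirs_exist_ok=True)
    return time.monotonic() - start, verify_restore(clean, manifest)

def demo():
    """Constructed sample: a live folder and a backup of it with one truncated and one skipped file."""
    live, backup = Path(tempfile.mkdtemp(prefix="live-")), Path(tempfile.mkdtemp(prefix="backup-"))
    files = {"invoices/2024-q1.csv": b"invoice,amount\n1001,450.00\n",
             "payroll/march.xlsx": b"PK\x03\x04 fake spreadsheet bytes",
             "contracts/acme.pdf": b"%PDF-1.4 fake contract"}
    for root in (live, backup):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
    (backup / "payroll/march.xlsx").write_bytes(b"PK\x03\x04")   # silently truncated copy
    (backup / "contracts/acme.pdf").unlink()                     # never made it into the backup job
    return run_drill(live, backup)[1]
```

A drill that returns an empty problem list, with an elapsed time you can live with, is the evidence behind "we have backups"; anything else is the finding to fix before the wallpaper changes.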
What Should You Do First If You Are Locked Out?
The first hour after a ransomware event sets the ceiling on what your recovery can look like. Small decisions made in those first sixty minutes either preserve the evidence you will need, contain the damage, and give your responders a fighting chance, or they quietly close off options you cannot get back. The instinct is to panic, unplug everything, and start over. That is the wrong instinct.
Isolate, Do Not Power Off
Disconnect affected machines from the network. Pull the Ethernet cable, turn off the Wi-Fi, disable the switch port. Do not power them off. A running infected machine holds memory artifacts that incident response specialists can use to identify the ransomware variant, trace how the attackers got in, and potentially recover encryption keys. Powering off wipes that memory and erases evidence that may matter for your insurance claim, your forensic investigation, and any decryption attempt that does not involve paying.
Call The Right People In The Right Order
The order matters. Call your managed IT provider first. They know your environment and can start the containment work while you start the next calls. Call your cyber insurance carrier next. Most policies require notification within a tight window, often twenty-four hours, and they provide a breach coach and forensic team at no extra cost when you use them through the policy. Call your attorney. Then call law enforcement. The FBI’s Internet Crime Complaint Center accepts ransomware reports and may have intelligence that helps your response. None of these calls should be made by a frantic office manager from the hallway. They should be made by someone working from the incident response plan you wrote and tested before any of this happened.
Hold The Communications Line
Do not post about the incident publicly. Do not email customers with a half-formed update. Do not let staff speculate on social media. Premature or inaccurate communications create legal exposure that can dwarf the ransomware itself. Designate one person, usually your attorney or your insurance breach coach, to draft any external statement. Internal communication can be done in a different channel that the attackers do not have access to: a personal phone group, a different email system, an in-person huddle. Assume the attackers can read your email until you have confirmation otherwise.
Frequently Asked Questions
If we pay the ransom, will the attackers actually give us our files back?
Sometimes, and not always cleanly. Industry surveys consistently show that businesses that pay recover most of their data, but rarely all of it. Decryption tools shipped by attackers can be slow, can corrupt files, and can fail on certain database formats. Some groups deliver promptly to protect their reputation. Others vanish after the wallet is funded. The honest expectation is partial recovery on a long timeline, not the clean reversal the ransom note implies.
Does paying the ransom protect our stolen data from being leaked?
It does not, despite the promises in the note. Attackers retain copies of the data and often sell or share it later regardless of payment. There is no mechanism for verifying that exfiltrated files were actually deleted, no third-party auditor, no recourse if they reappear in six months. Treat any exfiltrated data as already public for planning purposes, and let that drive your customer notification, regulator notification, and credit monitoring decisions.
Will our cyber insurance cover the ransom payment?
Many policies do cover the ransom itself, often through a separate sublimit, but every carrier now requires you to use their approved breach coach and forensic team to qualify for coverage. Calling the carrier first, not the attackers first, is the move that protects the coverage. Some carriers also exclude payments to sanctioned groups, which is one more reason vetting the recipient through the carrier’s team matters before any wire is sent.
Should we notify customers if their data was exposed?
Most states require notification within a defined window when personal data is involved, and the federal regulators that govern healthcare, financial services, and education layer their own requirements on top. Your attorney and your breach coach will map out exactly which laws apply to your business and your customers. The cost of a delayed or incomplete notification, in fines and in trust, is almost always larger than the cost of doing it correctly the first time.
How long does a small business usually take to recover from a ransomware attack?
The technical recovery typically takes one to three weeks with healthy backups, longer without. The business recovery, including customer communications, regulatory filings, and rebuilding trust, takes months. The financial recovery, when measured against total cost including downtime, response, legal, and lost business, often runs into six figures even for a small organization. The number that surprises owners is not the ransom amount; it is the recovery cost that arrives whether you pay or not.
Can we negotiate the ransom amount down?
Sometimes, and never on your own. Professional ransomware negotiators, usually engaged through your cyber insurance breach coach, will often reduce the demand significantly. The negotiation also buys time for the forensic team to assess whether decryption is possible without paying, whether backups are viable, and whether the attacker can be identified. Going it alone, with no professional negotiator on the line, usually ends with a worse price and worse intelligence about who you are actually dealing with.
Where Should You Start?
The hardest part of this topic is that the decision happens at the worst possible time, with the worst possible information, under the worst possible pressure. The only real defense is to make the question smaller before it ever arrives. Working backups in three places. A tested restore process. A short, current incident response plan. A cyber insurance policy with a breach coach you can call at 2 a.m. None of that is expensive compared to the cost of a ransom you cannot pay or a recovery you cannot run.
If you are not sure where your business stands today, the right next step is a backup and recovery setup tested against a realistic ransomware scenario. That is the work that turns the ransom note from an existential threat into a manageable interruption.