Why Ransomware Victims Still Pay — and How to Avoid the Ransom Altogether  

Brad LaPorte
09 Sep 2025
5 min read
Preemptive Security

For years, ransomware has thrived on its business model: encrypt or steal critical data, then extort organizations into paying for recovery or silence. But the tide is shifting. 

Governments are increasingly moving to ban or regulate payments. The UK recently announced plans to prohibit public sector bodies from paying ransoms. Ohio passed a law requiring local governments to formally approve ransomware payments before they can be made. In the U.S., several proposals would mandate disclosure of ransom payments to regulators. Globally, regulators are exploring whether payment bans could weaken ransomware’s profitability and dismantle its incentive structure. 

Despite these moves, ransomware remains central to the cybercrime economy. According to the 2025 Verizon DBIR, ransomware was present in 44% of all breaches, a 37% year-over-year increase. While the median ransom payment fell to $115,000, attackers are still making billions annually off victims who feel they have no choice. 

Why Do Companies Still Pay? 

Even as regulators warn against it, many organizations still pay—and some do so quickly. Research from Coveware shows ransomware payments doubled in Q2 2025, largely driven by attackers prioritizing data exfiltration over encryption. Data theft adds another layer of pressure: even if you have backups, you risk sensitive information being auctioned or leaked. 

The 2025 DBIR highlights why the pressure is so effective: 

  • Business interruption remains the number one driver. Third-party involvement in breaches has doubled to 30%, and supply chain attacks are stretching downtime windows.
  • Sensitive secrets and credentials are being leaked in public repos and underground markets, giving attackers fast access to critical systems. 
  • Attackers increasingly target SMBs: ransomware was present in 88% of SMB breaches, compared to 39% for large enterprises. Smaller organizations are less resilient and more likely to pay quickly. 

In short: when the costs of downtime, reputational damage, and regulatory exposure outweigh the ransom ask, boards still authorize payments, even if the odds of full recovery are slim. 

What Do Attack Trends Mean for Ransomware Payments? 

Ransomware isn’t just persisting—it’s evolving: 

  • Attack sophistication is climbing. AI-driven malware campaigns, polymorphic ransomware strains, and living-off-the-land techniques are making attacks harder to detect.
  • Exploitation of vulnerabilities now accounts for 20% of ransomware-related initial access—with zero-days on VPNs and edge devices spiking eightfold YoY. Median time to patch? 32 days, leaving plenty of opportunity for attackers to make their move. 
  • Fileless and destructive ransomware are increasingly bypassing traditional EDR/XDR and even recovery strategies. Recovery plans are often outpaced by the destructive nature of modern campaigns. 

The implication is clear: even as governments debate bans and disclosure laws, the attack surface is expanding, making prevention—not payout—the only sustainable strategy.

How Morphisec Helps Organizations Avoid the Ransom Altogether 

Paying the ransom doesn’t guarantee data recovery, nor does it prevent attackers from coming back. Organizations need a way to avoid the extortion cycle entirely. 

 That’s where Morphisec’s Preemptive Cyber Defense Platform comes in:  

  • Automated Moving Target Defense (AMTD): By morphing runtime memory and placing decoys, Morphisec blocks ransomware, fileless malware, and zero-day exploits before they can take hold—even on legacy or low-bandwidth systems that can’t support signature-based defenses. 
  • Exfiltration Prevention: Stops data theft in real time, preventing attackers from stealing sensitive data as leverage for extortion. 
  • Adaptive Exposure Management: Identifies and prioritizes vulnerabilities across your environment, allowing you to reduce risk without relying on patch cycles that take weeks to complete. 
  • Forensic Recovery: Ensures you can recover and investigate incidents—even if systems are compromised—so your team is never blind to what happened. 

 Morphisec customers avoid payouts because they stop ransomware campaigns before encryption or exfiltration occurs.  

No ransom, no negotiations, no downtime spiral. 

The Clock is Ticking on Ransomware 

Ransomware is accelerating, not slowing down. Attack volumes have nearly tripled since 2024, and attackers are refining their extortion playbooks faster than governments can regulate. With disclosure rules and potential bans on ransom payments looming, organizations that still rely on payouts as a fallback are running out of road. 

Waiting until after an attack is no longer viable.  

By the time you’re negotiating, the damage is already done: data stolen, trust eroded, operations disrupted. Recovery plans alone cannot keep pace with destructive, AI-driven ransomware strains.

The only sustainable strategy is to eliminate the ransom option altogether. Morphisec enables exactly that—preemptively blocking ransomware at the point of entry, preventing exfiltration before it starts, and ensuring teams never have to make the impossible choice between paying criminals or facing collapse. 

With Morphisec, you don’t just respond faster—you stop ransomware cold and reclaim control from attackers. The time to act is now: schedule a demo to see Morphisec’s Preemptive Cyber Defense Platform in action. 

About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
