Alternatives to paying ransom
If you choose not to pay, or if paying simply is not an option, there are still ways to recover. Preparation and layered defense make all the difference.
Offline or segmented backups are the best starting point. When your backups are separated from your main network or stored offline, you can restore critical data without relying on a criminal’s decryption key. It is a simple but powerful safeguard that can prevent feeding into the ransomware cycle. While this is a good alternative to paying, you still risk the threat actor leaking privileged information, such as personally identifiable information (PII), which can lead to further legal consequences.
Cloud recovery solutions can also help restore systems and data quickly, especially if on-premises backups are affected. Having a tested cloud recovery plan can mean the difference between a few hours of downtime and several weeks of disruption.
Beyond recovery, an incident response plan with tested playbooks is essential. It ensures your team knows exactly what to do, who to contact, and how to contain the damage quickly when ransomware hits.
Cyber insurance can also help offset some financial losses, but it is not a catch-all. Policies vary widely, and not all cover ransom payments or related expenses, so it is important to understand the details before you need them.
How do ransom payments work?
When a ransomware attack occurs, victims are typically greeted with a pop-up directly on their computer containing a ransom note from the attackers. The note often explains that the victims have been attacked and their systems are now encrypted, sometimes even double encrypted, and that access to their files and data has been compromised. It usually includes instructions on how to contact the attackers, how to make the payment, and how long the victim has to respond or pay the ransom before the demand increases or the data is leaked.
Sometimes threat groups even have a countdown on their data leak sites showing how long a victim has left to pay before the information is leaked. Most communication with the threat actors is routed through channels like Telegram or privacy-focused email providers like Proton Mail, Tuta, and Guerrilla Mail. Payments are commonly made through Bitcoin or Monero. Certain groups offer instant messaging options on their data leak sites in place of email or Telegram communications.
Real world cases
Across industries, organizations have faced ransomware attacks that disrupted operations, exposed sensitive data, and caused significant financial and reputational fallout.
In one incident, a global healthcare organization refused to pay after criminals stole sensitive medical and claims data belonging to millions of patients. The attackers later published portions of the data on the dark web, including diagnostic codes and personal information, after the organization publicly stated it would not meet ransom demands. The case became one of the most high-profile examples of double extortion, where attackers combine encryption with the threat of public exposure, showing how reputational and regulatory damage can persist even when ransoms go unpaid.
A northern European therapy provider experienced one of the earliest examples of email extortion, when attackers stole private therapy records from more than 30,000 to 40,000 patients and then contacted individuals directly. Each victim received an email demanding a small Bitcoin payment—typically around €200 within 24 hours or €500 within 48 hours—in exchange for keeping their personal therapy notes, home address, and identification details from being published online. The messages referenced each person’s unique ID number to prove the data was real, creating panic among patients and outrage across the country. The attack demonstrated a deeply personal and invasive shift in extortion tactics, one that blurred the line between organizational and individual targeting and marked a turning point in how threat actors weaponize stolen personal information.
In the United States, a ransomware attack on a major healthcare payments processor disrupted hospital billing nationwide, with recovery and remediation costs exceeding $20 billion across the healthcare sector. The ripple effect showed how ransomware targeting a single node in the supply chain can paralyze an entire ecosystem.
In another case, a city government refused to pay after attackers encrypted municipal data and disrupted online services. Recovery took several weeks and cost an estimated $18 million in losses, but the organization used the incident as a turning point to strengthen its defenses, implement segmented backups, and improve its overall response capabilities.
Financial analysts have also seen ransomware incidents ripple into credit markets. One major hospital system’s credit rating was downgraded following a cyberattack that interrupted reimbursements and weakened cash flow, underscoring that ransomware has become a financial-risk event, not just a security issue.
Understanding the attacker
To make informed decisions, organizations need to understand who they’re dealing with and how these groups operate. When it comes to ransomware, knowledge is power. Not all threat actors operate the same way, and understanding who you are dealing with can shape your entire response strategy.
Bitsight Threat Intelligence profiles ransomware groups in depth, tracking their tactics, techniques, and procedures (TTPs), their reliability, and their payment histories. These insights help organizations make better, faster decisions during an attack instead of reacting blindly.
Bitsight’s new TTP feature takes this a step further by providing real-time visibility into the behaviors and attack patterns of specific ransomware groups. Security teams can see how a threat actor typically gains access, moves through networks, and deploys their payloads. By mapping this activity to frameworks like MITRE ATT&CK, organizations can better understand where they are most vulnerable and proactively strengthen defenses before an incident occurs.
Knowing whether an attacker typically provides working decryption keys, or whether they operate as part of a ransomware-as-a-service (RaaS) model, can inform how you respond. Some groups are known to deliver on their promises (as strange as that sounds), while others vanish after payment. The reality is that threat actors aren’t exactly known for their honesty. Even when they do decrypt data, there’s no guarantee they will delete the data they’ve stolen or refrain from selling it later. Understanding those patterns helps you evaluate your true risk before taking action.
Conclusion: Making an informed decision
Ransomware isn’t just an IT issue anymore; it’s a systemic business and operational risk that reaches from the server room to the boardroom. While bans and moral arguments dominate headlines, the real opportunity lies in prevention, visibility, and intelligence. Paying might buy time, but it doesn’t solve the root problem. Refusing to pay can be painful in the short term, but it pushes organizations to build long-term strength.
Symbolic gestures may set the tone, but measurable, intelligence-driven action is what will truly shift the balance of power away from cybercriminals. Organizations that invest in resilience, through visibility into attacker TTPs, actionable threat intelligence, and strong governance, will be best positioned to respond decisively and recover stronger.
To learn more about how Bitsight’s new MITRE ATT&CK TTP visibility helps organizations identify and understand ransomware actors before an attack, visit the Bitsight Threat Intelligence platform or connect with our team to see it in action.
