To Pay or Not to Pay: The Ethics of Ransom in the Face of Ransomware

Law enforcement, governments, authorities and regulators all agree: you should never pay a ransom in the event of a ransomware attack. The message is clear, repeated for years, and it does not waver. Yet the reality on the ground tells a very different story. As I explained recently in the Journal Le Temps, many Swiss companies do pay, across every sector, from finance to education to healthcare. Even entities belonging to the Confederation, such as Ruag, ended up giving in when they found themselves with their backs against the wall.

This gap between official discourse and actual practice deserves better than a hasty moral judgement. It deserves a genuine reflection: under what conditions is it ethically acceptable to pay a ransom?

What a Ransom Really Funds

Let us start by facing the truth. By paying a ransom, you are directly supporting the cybercrime industry. Every payment subsidises these criminal organisations: it allows them to recruit more hackers, equip themselves with better tools, professionalise their operations and become more effective. It is an investment in their growth.

But there is a second, more insidious effect. By paying, we send a signal: our country, our industry, our sector are good “prospects”. Ransomware groups operate like businesses, with their own profitability analyses. Every ransom paid in Switzerland confirms that Swiss organisations pay, and therefore that targeting Switzerland is worth the effort.

This is precisely why one principle must guide every decision: you do not pay a ransom because it suits you or because it is more convenient. Paying can only be considered when the impact of not paying would be catastrophic or unacceptable.

Two Distinct Threats, Two Distinct Analyses

Modern ransomware capitalises on double extortion: the attackers encrypt the data and, before doing so, exfiltrate a copy that they threaten to publish. To reason correctly, each threat must be examined individually, because the harm, the parties affected and what a payment actually buys differ between the two.

First scenario: the data is encrypted, the backups destroyed

In this context, the company’s data has simply vanished. It is impossible to work and impossible to honour contracts. Clients find themselves in difficult situations, and potentially an entire industrial chain that depends on us is disrupted. The main impact certainly affects our own company, but it goes well beyond it and reaches third parties who did nothing wrong.

When the only way to ensure the survival of the company, to preserve jobs and to honour its commitments is to recover its data quickly, paying the ransom becomes an option that cannot be dismissed out of hand. Even then, a purchased decryptor is no guarantee: it may be slow, partial or defective, so recovery must still be planned as if the payment might not deliver.

Second scenario: the data has been exfiltrated

Here, the criminals threaten to publish internal information. The impact may seem less obvious at first glance, but it can be far more serious.

First there are production secrets and intellectual property, the disclosure of which would have a direct impact on the company’s competitiveness. Then there is personal employee data, subject to GDPR and the Swiss FADP, with the legal and human consequences that entails.

But the greatest risks concern the information we hold about our clients. Information about individuals’ personal wealth, which could then trigger kidnappings, burglaries or physical attacks. Mental health records, psychological assessments, intimate confessions. Strategic data belonging to a corporate client that would place them in an untenable position. Legal strategies in the middle of ongoing proceedings.

If this information becomes public, the impact is simply too great and too serious to ignore. In these cases, refusing to pay on principle amounts to making innocent third parties bear the consequences of our cyberattack.

The Questions We Forget to Ask

Paying a ransom raises questions beyond the simple binary decision of whether or not to pay.

What is the maximum amount we can afford to pay? It is worth knowing that in many cases, the ransom amount is relatively small compared to the full cost of the incident, including the technical, legal and reputational response, as well as lost revenue. The ransom may represent only a quarter of that total. This justifies nothing, but it does put the financial impact of the payment into perspective within the overall equation.

And above all: who are these criminals we are paying? Where does the money go, to which country, and how will it be used? Some groups operate on behalf of states. Iran and North Korea, for example, use ransomware proceeds to fund their military programmes. Paying a ransom sometimes means, unwittingly, contributing to the financing of weapons programmes. There is also a legal dimension: in many jurisdictions, transferring funds to a sanctioned entity is itself an offence, whatever the intent behind the payment. This geopolitical and sanctions-compliance dimension must absolutely be part of the analysis.

The Reality of a Victim in the Middle of a Crisis

Finally, this decision must be placed in its context. When you are the victim of ransomware, you experience a terrible crisis and a terrible anxiety. You have to manage the crisis cell, keep working to continue delivering services, reassure clients, employees, investors, regulators and authorities. You have to communicate properly, rebuild your infrastructure, all of this under immense stress and with a great deal of fear.

Paying the ransom is just one decision among many that must be made under these conditions. And let us be honest: many people will judge you, whatever decision you make. Those who pay will be accused of funding crime. Those who refuse will be accused of having sacrificed their clients or their employees.

What truly matters is that, on your side, you took the time to weigh the pros and cons, to assess the real impacts on your company and on third parties, to understand who you are paying and what it funds. It is this rigour in the analysis that will allow you to be confident that the decision taken, whatever it was, was the best possible one in the circumstances.

Never paying remains the right principle. But a principle is only useful if we understand when and why it can be ethically justified to depart from it.


Read our interview and the analysis by Anouch Seydtaghia on the Journal Le Temps website (in French).
