The official advice from law enforcement and cyber agencies is consistent: don't pay ransomware operators. Payment funds further attacks, doesn't guarantee recovery, and carries additional risks for the organisation, including sanctions exposure.

The practical reality for a business owner staring at an encrypted production environment, with customers calling, payroll due, and a backup that wasn't quite as resilient as the dashboard suggested, is different. Decisions get made under conditions that don't favour calm policy adherence.

The only durable answer is to take the payment decision off the table before the incident. That means immutable, segmented backups proven to restore. It means an incident-response runbook written when no one is panicking. It means a relationship with a forensic provider you don't have to find on the day. And, for organisations over the $3M turnover threshold, it means knowing the ASD 72-hour reporting obligation cold.
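"Proven to restore" only means something if the restore is actually rehearsed. The script below is an added example, not code from the article or from dotSec: it builds a constructed sample backup (a tar archive plus a SHA-256 manifest written at backup time), restores it into a scratch directory and verifies every file against the manifest, then repeats the drill after a single byte of the archive has changed, which is the "backup that wasn't quite as resilient as the dashboard suggested" case. File names and contents are invented for the demo. Immutability itself is a property of the storage (object lock, WORM, offline media) and is not shown here; the script assumes the manifest is kept on the same write-once storage as the archive so that a tampered archive cannot be paired with a tampered manifest.

```python
"""Restore drill for the 'backups proven to restore' requirement.

Added example, not code from the original article. Standard library only.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> tuple:
    """Archive `source` and record per-file and whole-archive hashes.

    The manifest is what every later restore test is measured against;
    it belongs on the same write-once storage as the archive.
    """
    archive = backup_dir / "backup.tar"
    manifest = backup_dir / "backup.manifest.json"
    files = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def restore_drill(archive: Path, manifest: Path) -> dict:
    """Restore into a throwaway directory and check the result against the manifest.

    Returns a report dict; `ok` is True only when the archive hash matches and
    every manifest entry restores byte-for-byte.
    """
    expected = json.loads(manifest.read_text())
    report = {"ok": False, "archive_hash_match": False,
              "restored": 0, "missing": [], "corrupt": []}
    report["archive_hash_match"] = sha256_file(archive) == expected["archive_sha256"]
    if not report["archive_hash_match"]:
        return report  # a tampered or bit-rotted archive is never extracted
    # Python 3.12+ (and patched 3.8-3.11) offer the 'data' extraction filter,
    # which rejects path traversal and special files; older versions lack it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r") as tar:
            tar.extractall(root, **extract_kwargs)
        for rel, digest in expected["files"].items():
            restored = root / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != digest:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def run_demo() -> tuple:
    """Build a constructed dataset, back it up, and run the drill twice:
    once on the intact archive, once after one byte has silently changed.
    Returns (good_report, bad_report)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source, backups = work / "prod", work / "backups"
        (source / "db").mkdir(parents=True)
        backups.mkdir()
        # Constructed sample data standing in for a production environment.
        (source / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (source / "payroll.csv").write_text("employee,amount\n1001,4200.00\n")
        (source / "config.ini").write_text("[app]\nmode=production\n")
        archive, manifest = make_backup(source, backups)
        good = restore_drill(archive, manifest)
        # Simulate bit-rot or tampering: flip one byte of the first member's data
        # (tar headers are 512 bytes, so offset 512 is file content, not header).
        damaged = backups / "backup-damaged.tar"
        data = bytearray(archive.read_bytes())
        data[512] ^= 0xFF
        damaged.write_bytes(bytes(data))
        bad = restore_drill(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup :", "PASS" if good["ok"] else "FAIL", good)
    print("damaged backup:", "PASS" if bad["ok"] else "FAIL", bad)
```

Run on a schedule against the most recent backup set, and treat anything other than `ok: True` as an incident in its own right: a restore that fails during a drill is a cheap finding, the same failure discovered after encryption is the scenario this article is about.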

The goal is never to have the conversation about whether to pay. The investment is in not needing to.

What it means for your business

"Don't pay" is the right answer. It's only the easy answer if you've done the prevention work. Plan for not-having-the-decision, not for making-the-decision-well.
Source & reference: dotSec — Why ransomware victims pay