If the culprit actually provides the decryption key, then paying the ransom may alleviate the immediate pressure on the organization. Some attackers may release the system after receiving payment because doing otherwise would reduce the likelihood that other victims will pay. If paying the ransom is legitimately being debated, then perform a quick Internet search on the type of ransomware holding your system. Whether or not criminals who use that ransomware are likely to release data after receiving payment is likely to show up online.

Some attackers recognize this dichotomy of trust. They recognize that if files are never unlocked then no victim will ever pay a ransom. As a result,variants such as CTBLocker (Trojan.Cryptolocker.G) have an option to decrypt a few random files as a gesture of good faith. If you pay the ransom once, then the threat actor’s logical response after releasing the system would be to strengthen their foothold in hopes that you will pay the ransom again.