They Paid the Ransom. Then They Wished They Hadn't

We didn't get the first call. The firm called us after. By Wednesday morning, 1,800 files were encrypted. Without a dedicated IT security team, the managing partner felt cornered. They decided to pay — USD 12,500. Then the decryptor crashed on their server. Twice.

What They Got Back

The decryptor worked, mostly.

Mostly.

After decryption, they found:

  • The decryptor crashed on their server. Twice. The tool was poorly coded — built by criminals, not engineers. When it ran on the firm's older small-business server, it crashed during processing. Each crash permanently corrupted the files it was handling at that exact moment.
  • 8% of files were partially corrupted — recoverable in some cases, permanently lost in others
  • Three case files from a 2019-2020 matter were completely unrecoverable — the crash had destroyed the file headers during decryption
  • Several files had silent corruption — they opened normally but contained data errors that weren't obvious until someone tried to use the documents

The partner told us: "We thought paying meant we'd get everything back. It didn't. And now we know the attackers have a copy of everything."

What They Called Us About

Three weeks after the incident, they contacted us for two reasons:

Reason 1: They wanted a security assessment before anything happened again. The experience had shifted their posture significantly.

Reason 2: They had three ongoing cases where documents appeared damaged after decryption — they wanted to know if forensic recovery could extract anything from the corrupted files.

We recovered usable data from two of the three damaged case files.

The Numbers

Item                                              Amount
Ransom paid (the "quick fix")                     ~USD 12,500
Forensic recovery (fixing the decryptor's mess)   USD 4,500
Basic security setup (post-incident)              USD 3,000
Total incident cost                               ~USD 20,000
Files permanently lost                            ~150 critical files
Files partially corrupted                         ~90 files

The real comparison: If they had called us first — before paying — the total recovery cost would likely have been under USD 8,000. And they wouldn't have funded a criminal operation.

For a firm of this size, USD 20,000 isn't catastrophic. But USD 12,500 of it was completely wasted — and it made them a confirmed payer in the attacker's network.

What Paying Actually Costs

Whether you're a 10-person practice or a 200-employee firm, the math of paying vs. not paying follows the same logic. The ransom amount changes. The risks don't.

Will you even get a working decryptor? There's a 20-30% chance you don't. Attackers are criminals. Some take the money and disappear. You have no contract, no support line, no refund policy.

Does a decryptor guarantee clean data? No. This firm lost 150 files after paying — destroyed by the decryptor crashing on their server. The tool was never designed for reliability. It was designed to convince the next victim to pay.

What about your data after paying? The attackers still have a copy. What was in those files? Client details. Financial records. Contract terms. For a small firm, the data exfiltration can be more damaging than the encryption itself — especially when privacy regulations apply.

Are you safe after paying? No. You've confirmed to a criminal organization that you're a payer. Repeat attacks on known payers are documented. You're not closing a chapter — you're opening one.

What They Fixed After

Three changes, hard-won:

  1. No ransom, ever. The firm's policy is now explicit. Paying funds criminal activity and makes you a repeat target.

  2. Immutable backups. They implemented a backup system where even if someone gains access to their network, the backups cannot be overwritten or encrypted for 30 days.

  3. Email attachment controls. The spoofed government email that started everything had a .exe inside a .zip. Their email filter now handles these attachment types differently for external senders.
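The third change above, an attachment filter that treats executables inside archives from external senders differently, is the kind of control a gateway rule can express. The following is an added example written for this page, not the firm's filter or any vendor's product. It inspects a ZIP attachment in memory, recurses into nested archives up to a fixed depth, refuses to inflate oversized members, reports members it cannot scan because they are password-protected, and then decides a delivery action based on whether the sender's domain is internal. The page mentions only a .exe inside a .zip; the wider extension list, the domain names, the nesting and size limits and the sample archive are all constructed assumptions for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions treated as executable content. The page mentions only .exe;
# the rest of this list is an assumption for illustration.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".msi", ".dll"}
NESTED_ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING_DEPTH = 3                 # assumed limit on zip-in-zip recursion
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed cap before inflating a nested archive


@dataclass
class Finding:
    path: str     # member path inside the (possibly nested) archive
    reason: str   # why the filter objects to it


def _ext(name: str) -> str:
    """Lower-cased final extension of a member name, or '' if it has none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list[Finding]:
    """Walk a ZIP held in memory and return every member the filter would block."""
    findings: list[Finding] = []
    if depth > MAX_NESTING_DEPTH:
        findings.append(Finding(prefix or "<root>",
                                f"archive nested deeper than {MAX_NESTING_DEPTH} levels"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(Finding(prefix or "<root>", "not a valid zip archive"))
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            # General-purpose bit 0 set means the member is encrypted: we cannot
            # inspect it, so report that rather than silently passing it through.
            if info.flag_bits & 0x1:
                findings.append(Finding(path, "encrypted member; contents cannot be scanned"))
                continue
            ext = _ext(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                reason = f"executable member ({ext})"
                if info.filename.count(".") >= 2:
                    reason += ", disguised with a double extension"
                findings.append(Finding(path, reason))
            elif ext in NESTED_ARCHIVE_EXTENSIONS:
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(Finding(path, "nested archive too large to inspect"))
                else:
                    findings.extend(inspect_zip(zf.read(info), depth + 1, path + "/"))
    return findings


def attachment_action(sender_domain: str, internal_domains: set[str],
                      filename: str, data: bytes) -> tuple[str, list[Finding]]:
    """Decide what the gateway does with one attachment.

    Returns ("deliver" | "quarantine" | "flag", findings). External senders with
    any finding are quarantined; internal senders are delivered but flagged for
    review, so a compromised internal mailbox is still visible to the defenders.
    """
    if _ext(filename) not in NESTED_ARCHIVE_EXTENSIONS:
        return ("deliver", [])
    findings = inspect_zip(data)
    if not findings:
        return ("deliver", [])
    external = sender_domain.lower() not in internal_domains
    return ("quarantine" if external else "flag", findings)


def build_sample_archive() -> bytes:
    """Constructed sample: a zip that carries a second zip holding a fake .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Notice_2024.pdf.exe", b"MZ-not-a-real-binary")   # constructed
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"please review the attached notice")
        z.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    action, hits = attachment_action("gov-notices.example", {"firm.example"},
                                     "documents.zip", build_sample_archive())
    print(action)
    for f in hits:
        print(f"  {f.path}: {f.reason}")
```

The nested-archive recursion matters because a plain "block .exe attachments" rule never sees a file one layer down; the depth and size caps keep a hostile archive from turning the filter itself into a resource-exhaustion target.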

The firm's managing partner told us something worth repeating:

"We thought we were making the practical choice. Pay the ransom, get back to work. What we didn't understand was that paying is the beginning of the problem, not the end."

For the full prevention checklist, see our 9 ways to prevent ransomware.

If your firm is weighing options right now:

Before you pay anything, talk to us. Every ransomware incident is unique. Our approach combines forensic data carving, shadow copy reconstruction, and deep variant analysis to exhaust every technical avenue for recovery. We help you understand your real options before you commit to anything. Free assessment, no commitment.

In most emergency cases, we respond within 3 hours.