Updated May 2026.
Through 2017–2019, paying a ransomware demand was a tactical question: do we have backups, and how long will restore take? By 2020 the calculus had changed permanently. Operators began stealing data before they encrypted, then threatening publication on a public leak site if the victim refused to pay. By mid-2026 this double extortion model, encryption plus data publication, is the default playbook for almost every named ransomware operator we track on the Ransomtracker dashboard.
This explainer is for executives, board members, in-house counsel, and the non-technical decision-makers whose first detailed conversation about ransomware tends to happen during the incident itself. The goal is to give you the model in advance: what the attackers are actually doing, why the old “we have backups, we’re fine” answer is no longer sufficient, and what the policy choices look like before you’re under timer pressure.
The mechanics, in one paragraph
An attacker buys or compromises access to your network. They spend somewhere between hours and weeks moving laterally, mapping your environment, identifying what’s valuable, and quietly exfiltrating files to attacker-controlled storage. They prioritise data that is sensitive (HR records, customer PII, intellectual property), regulated (health, financial), or commercially damaging (acquisition documents, internal investigations). Once they have what they want, they deploy file-encrypting malware and demand a ransom for two things: the decryption key, and a promise not to publish the stolen data.
Why backups stopped being sufficient
Robust backups solve the encryption problem. They do not solve the publication problem. If the attackers exfiltrated 800 GB of HR records during reconnaissance, restoring from a clean backup gets your operations back online but does nothing about the data already in their possession.
This shifts the calculus from a technical recovery question to a governance question. Now the executive team has to weigh:
- Regulatory exposure: under GDPR, HIPAA, the SEC’s four-day cyber-disclosure rule, and the EU’s NIS2 directive, “data was exfiltrated and may be published” is a reportable event whether or not you pay.
- Reputational damage: leak-site exposure of sensitive data damages trust with customers, suppliers, and employees regardless of recovery posture.
- Litigation risk: class actions in the US, ICO complaints in the UK, and supervisory-authority inquiries in the EU now follow most major incidents.
- Insurance coverage: most cyber-insurance policies have explicit terms around data publication, ransom payment, and OFAC compliance.
The five phases, in plain English
The leak site as enforcement mechanism
The leak site is the operational backbone of double extortion. After encryption, the operator publishes your organisation’s name on a public Tor-hidden site with a countdown timer. The site shows a sample of stolen data, usually one or two files, to demonstrate authenticity, and threatens publication of the full set if the ransom isn’t paid by the deadline.
The mechanic is deliberately public. It pressures the victim by signalling the timeline to customers, regulators, and journalists. It deters non-payment by demonstrating credible follow-through: the leak sites we monitor on the Ransomtracker dashboard typically follow through on publication when ransoms are unpaid. Browse our Threat Groups archive for editorial coverage of the named operators behind these sites.
Three things change in the boardroom conversation
One. The first 72 hours stop being purely technical. Legal and communications enter the room within hours, not days, because regulatory clocks are running and reporters may be working from leak-site listings before you’ve finished triage.
Two. Pay-or-don’t-pay is no longer the only commercial decision. Engagement with the operator, even before any payment commitment, establishes communication channels, gives breathing room on the timer, and sometimes surfaces evidence that the operator’s exfiltration is weaker than claimed. Specialist negotiation firms exist for exactly this work.
Three. Pre-incident decisions matter more than post-incident heroics. The most consequential governance question for 2026 boards is “would we pay?”, and the answer needs to be on file before you have a counterparty. Insurance terms, OFAC posture, jurisdictional sanctions exposure, and stakeholder communication plans all need to be reviewed annually.
The OFAC question
The US Treasury’s Office of Foreign Assets Control has issued advisories warning that paying ransoms to sanctioned entities, which includes many Russian-affiliated ransomware operations, can itself violate US sanctions law. The 2020 advisory was updated in 2021 and again referenced in subsequent guidance. UK and EU equivalents have followed.
The practical effect: a payment decision now requires sanctions screening of the operator and the wallet, a contemporaneous record of the diligence performed, and ideally engagement with the FBI or relevant national CERT before the payment moves. Cyber-insurance policies routinely require this engagement as a coverage condition.
Five questions every board should be able to answer in May 2026
- What’s our exposure to data publication? Specifically, what data exists in our environment whose publication would be a regulatory event, a reputational event, or a contractual breach?
- What’s our pay/don’t-pay default? Who decides, on what authority, and against what criteria? Document this before the incident, not during.
- Who do we call? Cyber-insurance broker, outside counsel, IR firm, FBI / NCA / national CERT, phone numbers, after-hours escalation, retainer status.
- What’s our regulatory disclosure timeline? SEC four-day rule (US listed), NIS2 24/72-hour reporting (EU), GDPR 72-hour rule (EU/UK), state-level breach laws (US). This needs to be a checklist, not a memory.
- What’s our communications posture? Internal comms (employees), external (customers, suppliers, media), and the leak-site question: do we acknowledge if our name appears on a leak site, or maintain “no comment” through the negotiation?
What good preparation actually looks like
The pattern that consistently differentiates well-prepared organisations from poorly-prepared ones isn’t budget. It’s tabletop exercises. Boards that have walked through a simulated double-extortion incident, three or four hours, scenario-driven, with legal, communications, and IT in the same room, make better decisions in real incidents. The exercises don’t need to be expensive; the value is in the conversations they force, not the technology being tested.
The technical side of the same exercise pays equal dividends. CISA publishes scenario kits and an annually-updated #StopRansomware Guide that’s better than most paid alternatives. Couple that with phishing-resistant MFA on every administrative account (see our password-manager picks), endpoint protection with credential-store telemetry (our antivirus reviews), and a regularly-tested offline backup strategy.
A note on leak-site monitoring
It is now standard practice for boards to receive a periodic exposure briefing: has our company name, domain, or sector appeared on any operator’s leak site? Our Ransomtracker dashboard aggregates leak-site listings across the operators we cover and lets you search by operator. If your name appears, the time between listing and publication is usually 7–14 days; that’s the window you have to engage.
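The exposure check described above, as an added illustration that is not part of Ransomtracker’s own tooling: it matches an organisation’s names and domains against a set of constructed leak-site listings and works out the 7–14 day engagement window from the listing date. The operator names, victims, domains and dates below are all made up.

```python
"""Match an organisation's names and domains against leak-site listings and
compute the engagement window (listing date plus roughly 7 to 14 days).
"""
from datetime import date, timedelta
import re

# Constructed sample listings: placeholder operators and victims, not real data.
SAMPLE_LISTINGS = [
    {"operator": "OperatorA", "victim": "Example Holdings Ltd.",
     "domain": "example-holdings.com", "listed": date(2026, 5, 2)},
    {"operator": "OperatorB", "victim": "Acme Corp", "domain": "acme.test",
     "listed": date(2026, 5, 10)},
    {"operator": "OperatorA", "victim": "example-holdings", "domain": "",
     "listed": date(2026, 5, 12)},
]
AS_OF = date(2026, 5, 14)  # constructed "today" for the briefing

def normalise(text: str) -> str:
    """Lower-case, drop common corporate suffixes and punctuation so that
    'Example Holdings Ltd.' and 'example-holdings' compare equal."""
    text = re.sub(r"\b(ltd|inc|llc|plc|corp|gmbh|co)\b\.?", "", text.lower())
    return re.sub(r"[^a-z0-9]", "", text)

def find_exposure(listings, org_names, org_domains, today):
    """Return listings that name us, with the expected publication window."""
    names = {normalise(n) for n in org_names}
    domains = {d.lower().strip() for d in org_domains}
    # Operators often list only a bare name, so also match the registrable
    # label of each of our domains ("example-holdings" from "example-holdings.com").
    labels = {normalise(d.split(".")[0]) for d in domains}
    hits = []
    for item in listings:
        victim = normalise(item["victim"])
        domain = item.get("domain", "").lower()
        if victim in names or victim in labels or (domain and domain in domains):
            elapsed = (today - item["listed"]).days
            hits.append({
                "operator": item["operator"],
                "victim": item["victim"],
                "days_listed": elapsed,
                "earliest_publication": item["listed"] + timedelta(days=7),
                "latest_publication": item["listed"] + timedelta(days=14),
                "window_remaining_days": max(0, 14 - elapsed),
            })
    return hits

if __name__ == "__main__":
    for hit in find_exposure(SAMPLE_LISTINGS, ["Example Holdings Ltd"],
                             ["example-holdings.com"], AS_OF):
        print(hit)
```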
Further reading
- CISA StopRansomware, the most useful US government resource for executives.
- UK NCSC ransomware guidance, equivalent for UK boards.
- ENISA ransomware threat landscape, EU-level analysis.
- Our plain-English ransomware explainer for the technical primer behind this executive view.
The single most important shift to internalise: ransomware in 2026 is a governance problem first and a technology problem second. Boards that engage with it on those terms, well before an incident, make better decisions when one happens.
