Subscribe to the Non-Human & AI Identity Journal

What fails when organisations cannot pay ransomware demands?

The biggest failure is not financial, it is operational. If payment is off the table, organisations that have not tested clean recovery, isolated backups, and limited attacker persistence may be unable to restore critical services quickly enough to avoid prolonged disruption. The issue is whether recovery remains trustworthy after compromise.

Why This Matters for Security Teams

When ransom payment is not an option, the question shifts from negotiation to resilience. That exposes the real dependency chain: identity controls, backup integrity, network segmentation, and recovery runbooks. ransomware operators do not need to win every system if they can break confidence in restoration, as seen in incidents such as MGM Resorts Breach 2023 — Scattered Spider and the Co-op Group DragonForce Breach — Scattered Spider. ENISA’s threat reporting also shows how quickly ransomware activity now blends credential theft, lateral movement, and extortion.

The organisations most at risk are the ones that assume backups alone equal recovery. If attacker persistence still exists in identity systems, hypervisors, SaaS tenants, or secrets stores, restore operations can simply reintroduce compromise. In practice, many security teams discover they cannot pay and cannot safely restore only after production has already been encrypted, exfiltrated, or both.

How It Works in Practice

Refusing payment only helps if recovery can outrun the attacker’s disruption. That means restoration must be clean, isolated, and repeatable. The first priority is to confirm what still remains trustworthy: offline or immutable backups, golden images, privileged access paths, and the integrity of identity providers. If an attacker still holds admin tokens, persistent service credentials, or remote management access, restoring data without first evicting the intruder can recreate the incident.

Practitioners should treat recovery as an identity and secrets problem as much as a storage problem. That includes rotating all exposed secrets, rebuilding privileged access, validating directory trust, and using separate recovery accounts that are not tied to compromised SSO paths. The patterns discussed in Cisco Active Directory credentials breach and the Codefinger AWS S3 ransomware attack show why compromised credentials can turn a restore exercise into a second breach.

  • Use immutable or offline backups with documented restore testing, not just backup success reports.
  • Isolate recovery infrastructure from production identity, endpoints, and VPN access.
  • Rotate privileged credentials, API keys, and service tokens before reconnecting systems.
  • Verify directory integrity, conditional access, and admin group membership before re-entry.
  • Prioritise business-critical services in a staged restore order with business sign-off.

The practical goal is to prove that critical services can be restored without reintroducing attacker control. These controls tend to break down when backup systems share the same identity plane, management network, or secrets store as production because compromise spreads back into the restore path.

Common Variations and Edge Cases

Tighter recovery controls often increase operational overhead, requiring organisations to balance fast restoration against the cost of maintaining truly separate recovery paths. Current guidance suggests that no universal standard exists for how much isolation is enough, but the minimum bar is clear: recovery access must not depend on the same trust relationships that were already abused.

Some environments face harder edge cases. SaaS-heavy organisations may not control enough of the platform to rebuild from first principles. OT and healthcare environments may have legacy systems that cannot be cleanly reimaged without downtime. In those cases, best practice is evolving toward segmented restoration zones, scripted credential resets, and pre-approved decision trees for partial service return. The NHIMG analysis in The State of Secrets in AppSec is relevant here because leaked secrets often become the persistence layer that outlives the initial intrusion.

The hardest failure mode is business pressure to “just bring it back” before trust is rebuilt. That shortcut often restores compromised identity, exposed secrets, or malicious persistence along with the data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Ransomware recovery fails when secrets and service identities are not rotated.
OWASP Agentic AI Top 10 Autonomous responders and recovery agents need constrained tool access during incident recovery.
CSA MAESTRO Recovery environments need segregation from compromised production trust paths.
NIST CSF 2.0 RC.RP-1 Restoration planning is central when payment is impossible and recovery must be orderly.
NIST Zero Trust (SP 800-207) PR.AC-1 Zero Trust reduces reliance on inherited trust after attacker persistence.

Rotate compromised non-human credentials before restoring services or reconnecting workloads.