Why Some Companies Still Pay Ransoms—and Why Many No Longer Do

Nip In The Bud: The Split-Second Choices Of A Ransomware Crisis

The420 Web Desk

When a business discovers it has been breached, minutes can matter more than money. Inside a growing corner of the cybersecurity industry, teams race to contain attacks, advise executives and, where possible, steer companies away from paying criminals, while navigating the ethical and strategic dilemmas of modern ransomware.

The Calculus of Paying or Not Paying

For companies struck by ransomware, the decision to pay is rarely abstract. As Ted Cowell, director of the cyber business arm at the risk consultancy S-RM, puts it, businesses sometimes conclude that paying is rational for their circumstances. Ultimately, he says, it is “always their decision.”

Yet the broader corporate stance on ransoms has shifted. As awareness grows that payments fuel organised crime, more companies are choosing not to pay. In parallel, restoration and recovery services—focused on getting systems running again—have become a larger part of the cybersecurity response market. The priority, Cowell says, is often speed: restoring operations quickly, even if forensic analysis of how attackers entered the system becomes secondary.

S-RM positions its role as advisory rather than directive. Its teams, Cowell says, aim to guide clients toward “no payment” decisions wherever possible, helping executives structure their thinking during a crisis they are unlikely to have faced before. The choice, he emphasises, remains with the business.

A Changing Role for the State

Alongside shifts in corporate behaviour, the UK government’s cyber-intelligence posture has evolved. Over the past four or five years, Cowell says, the National Cyber Security Centre (NCSC) has transformed from a largely reactive body into a more proactive one. It now reaches out to potential victims, warning them when intelligence suggests they may be targeted.

Previously, Cowell recalls, government agencies were more often “information takers,” requesting details from private firms such as S-RM, with client consent. Today, they play a more robust coordinating role, bringing organisations together to facilitate information sharing. The impact of that approach, he notes, became visible during recent attacks linked to the hacking group known as Scattered Spider.

Inside the Ransomware Economy

Years of incident response have given firms like S-RM a detailed picture of how ransomware groups behave. Established groups, Cowell explains, tend to have “brands to uphold” and will usually honour settlements—by deleting stolen data or providing decryption keys—once terms are agreed.

The more established the group, the more predictable its negotiating patterns. S-RM tracks reputations, behaviours and reliability, while also monitoring sanctions risks. Those concerns, however, rarely apply cleanly. Sanctioning state-linked hacking groups, Cowell says, can resemble a game of “whack-a-mole”: once listed, actors often disband and re-emerge under new names. For victim companies, the risk that ransom money could indirectly reach hostile states adds another layer of complexity.

Despite public criticism of firms that assist in ransom negotiations, “extortion support” remains a core service. Specialists may sit in the room during talks or conduct negotiations themselves. Cowell says the firm is careful to avoid facilitating organised crime, while acknowledging the tension inherent in the work.

The First Minutes After a Breach

Speed is central to S-RM’s approach. The firm says it can respond to clients within an average of six minutes—crucial, Cowell argues, because the earliest hours of an intrusion often determine its outcome. What begins as a network breach can escalate into full-scale ransomware if attackers are given time to identify valuable systems and data.

Cowell describes a critical early phase as “reconnaissance,” during which criminals assess what to steal or encrypt. Intervening at this stage can prevent the most damaging outcomes, such as data exfiltration or system-wide encryption. Teams focus on “stopping the bleeding” by cutting off attackers’ access, sometimes halting malware before it detonates across networks.
