Critical infrastructure operators face a Faustian bargain when ransomware strikes.
Paying hackers to restore operations may appear the easiest route, but every ransom strengthens the criminal business model, ensuring more attacks in the future.
Refusing to pay avoids fueling the cycle, but often at a far greater operational cost.
When companies pay: JBS Foods transferred $11 million to its attackers in 2021 after ransomware forced it to pause beef plants across the U.S. Colonial Pipeline paid $4.4 million the same year after a five-day shutdown left the East Coast scrambling for fuel. In both cases the malware hit corporate IT (JBS's enterprise systems, Colonial's billing and scheduling), and physical operations were halted as a precaution rather than because the control systems were encrypted. Executives judged that paying was less costly than prolonging the disruption, but the payment bought less than it appears: Colonial's decryptor was reportedly too slow to be useful and the company restored largely from its own backups, and the U.S. Department of Justice later recovered roughly $2.3 million of the ransom.
When companies refuse: Maersk ended up on the opposite path in 2017, though not entirely by choice. NotPetya, which crippled its global shipping operations, was a destructive wiper dressed up as ransomware: the attackers' payment channel was shut down within hours and no working decryption existed, so paying was never a real option. Maersk rebuilt its IT estate from scratch, reinstalling thousands of servers and tens of thousands of workstations in roughly ten days while its port terminals ran on manual processes. The result was an estimated $300 million loss, plus weeks of cascading supply chain disruption.
Why this matters for OT: Whether companies pay or not, the financial toll is measured in millions. For operators of critical infrastructure the larger danger is the moment ransomware crosses from corporate networks into physical processes, where downtime can mean damaged equipment, safety incidents and regulatory penalties. Note that in each case above the controllers themselves were not encrypted; operations stopped because the business lost the visibility and confidence it needed to keep the process running safely.
The process-oriented difference: Traditional defenses (firewalls, EDR, patching) focus on keeping malware out, and they belong on the OT side as much as the IT side. But once ransomware is inside, what stops an IT event from becoming an OT disaster is process-layer visibility: independent monitoring of the physical process itself (pressures, flows, temperatures, setpoints and the write commands reaching controllers), sourced from the control layer rather than from the enterprise systems that just went dark. With that in place, operators can tell whether the process is still in a safe state, spot a setpoint change nobody authorized, notice when a data feed has simply stopped, and fall back to manual control or a controlled shutdown on evidence rather than on fear. Segmenting OT from IT into separate zones with tightly controlled conduits between them, and rehearsing that manual fallback, are the preconditions; visibility is what turns the fallback into a decision instead of a reflex.
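To make "process-layer visibility" concrete, here is a small monitor added as an illustration for this article (it is not code from any vendor, operator or incident described above). It watches physical process tags rather than hosts or files and raises four kinds of finding: a value outside its engineering limits, a change too fast to be physically credible, a feed that has gone silent (the ransomware case, where the historian or HMI is encrypted but the process keeps running), and a setpoint write with no matching entry in the operator log. The tag names, limits, sample telemetry and operator log are all constructed for the example; real limits would come from the site's P&ID and safety study.

```python
"""Process-layer monitor: checks physical process values and the feed carrying them.

Added illustration for this article, not code from any vendor or operator. The
tag names, engineering limits, sample telemetry and operator log below are all
constructed for the example; real limits come from the site's safety study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    """Engineering limits for one process tag (hypothetical values)."""
    low: float        # below this the value is implausible or unsafe
    high: float       # above this the value is implausible or unsafe
    max_step: float   # largest credible change between consecutive samples


@dataclass(frozen=True)
class Finding:
    ts: float
    tag: str
    kind: str         # out_of_range | rate_of_change | stale | unauthorized_setpoint
    detail: str


# Hypothetical limits for a pipeline pump station.
LIMITS = {
    "pump1.discharge_psi": Limit(low=0.0, high=900.0, max_step=60.0),
    "line.flow_bpd": Limit(low=0.0, high=120000.0, max_step=15000.0),
}
MAX_GAP_S = 30.0  # silence longer than this means we have lost sight of the process


def evaluate(samples, setpoint_changes, authorized_ops, now, limits=LIMITS, max_gap=MAX_GAP_S):
    """Run the checks and return a list of Finding.

    samples:          (ts, tag, value) tuples in time order, as read from the
                      historian or directly from the PLC/RTU.
    setpoint_changes: (ts, tag, new_value) write commands observed on the control
                      network.
    authorized_ops:   set of (tag, new_value) pairs the operator log approved.
    now:              current time; used to detect a feed that simply stopped.
    """
    findings = []
    last = {}  # tag -> (ts, value) of the previous sample
    for ts, tag, value in samples:
        lim = limits.get(tag)
        if lim is None:
            continue  # untracked tag
        if not lim.low <= value <= lim.high:
            findings.append(Finding(ts, tag, "out_of_range",
                                    f"{value} outside [{lim.low}, {lim.high}]"))
        if tag in last:
            prev_ts, prev_val = last[tag]
            if ts - prev_ts > max_gap:
                findings.append(Finding(ts, tag, "stale", f"gap of {ts - prev_ts:.0f}s"))
            if abs(value - prev_val) > lim.max_step:
                findings.append(Finding(ts, tag, "rate_of_change",
                                        f"moved {value - prev_val:+.1f} in {ts - prev_ts:.0f}s"))
        last[tag] = (ts, value)

    # A feed that goes quiet is the ransomware case: the historian or HMI is
    # encrypted, the process is still running, and nobody can see it.
    for tag, (ts, _) in last.items():
        if now - ts > max_gap:
            findings.append(Finding(now, tag, "stale", f"no sample for {now - ts:.0f}s"))

    # Setpoint writes that no operator signed off on.
    for ts, tag, new_value in setpoint_changes:
        if (tag, new_value) not in authorized_ops:
            findings.append(Finding(ts, tag, "unauthorized_setpoint",
                                    f"write of {new_value} has no matching operator action"))
    return findings


# Constructed telemetry: the pressure feed spikes, then falls silent.
SAMPLES = [
    (0.0, "pump1.discharge_psi", 640.0), (0.0, "line.flow_bpd", 98000.0),
    (10.0, "pump1.discharge_psi", 645.0), (10.0, "line.flow_bpd", 97500.0),
    (20.0, "pump1.discharge_psi", 910.0), (20.0, "line.flow_bpd", 97000.0),
    (30.0, "line.flow_bpd", 96800.0),  # no more pressure samples after t=20
]
SETPOINT_CHANGES = [(15.0, "pump1.discharge_psi", 900.0)]   # seen on the wire
AUTHORIZED = {("pump1.discharge_psi", 650.0)}                 # what the operator log says
NOW = 55.0


def demo():
    """Evaluate the constructed data above and return the findings."""
    return evaluate(SAMPLES, SETPOINT_CHANGES, AUTHORIZED, now=NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"t={f.ts:>5.1f} {f.kind:<21} {f.tag}: {f.detail}")
```

On the constructed data the monitor flags the pressure tag four ways: the 910 psi reading is over the limit and arrived as a 265 psi jump in ten seconds, the 900 psi setpoint write has no operator action behind it, and after t=20 the pressure feed goes silent for longer than the allowed gap while flow keeps reporting. That last finding is the one a host-centric tool never produces, and it is the one that tells the control room to go to manual before anything physical happens. The design choice worth copying is that the silence check runs against the current time, not only between consecutive samples, so a feed that stops entirely is still caught.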
The bottom line: Paying ransoms may buy time, refusing may cost even more, but neither path addresses the underlying risk. Keeping OT segmented from IT and keeping independent visibility into the physical process are what stop a corporate ransomware incident from cascading into a physical-process failure, the kind of cascade that, summed across all of NotPetya's victims, ran to an estimated $10 billion.