Published 11 Sep 2025

Ransomware’s Faustian Bargain in OT: Pay Now or Pay Later

Critical infrastructure operators face a Faustian bargain when ransomware strikes.

Paying hackers to restore operations may appear the easiest route, but every ransom strengthens the criminal business model, ensuring more attacks in the future.

Refusing to pay avoids fueling the cycle, but often at a far greater operational cost. 

When companies pay: JBS Foods transferred $11 million to its attackers in 2021 after ransomware froze beef plants across the U.S. Colonial Pipeline paid $4.4 million the same year to restore its billing and scheduling systems after a five-day shutdown left the East Coast scrambling for fuel. In both cases, executives judged that paying was less costly than prolonging the disruption.

When companies refuse: Maersk took the opposite path in 2017. The NotPetya attack crippled its global shipping operations, and instead of paying the ransom, Maersk chose to rebuild its IT and OT infrastructure from scratch. The result was an estimated $300 million loss, plus weeks of cascading supply chain disruption.

Why this matters for OT: Whether companies pay or not, the financial toll is measured in millions. And for operators of critical infrastructure, the real danger is when ransomware crosses from corporate networks into physical processes – where downtime can trigger equipment damage, safety incidents, and regulatory penalties.

The process-oriented difference: Traditional defenses (firewalls, EDR, patching) focus on keeping malware out. But once ransomware gets in, process-layer visibility is what prevents an IT event from becoming an OT disaster:

  • It doesn’t stop ransomware itself.
  • It confines ransomware effects to IT systems, preventing spread into industrial processes.
  • It buys operators time to recover without risking catastrophic process failures.

The bottom line: Paying ransoms may buy time, refusing may cost even more, but neither path addresses the underlying risk. Only process-layer defenses keep ransomware from cascading into billion-dollar failures in critical infrastructure.

