Doubling Down in Vegas: The High-Stakes Question of Whether to Pay
<p>Ransomware presents organizations with a terrible decision: Pay criminals to restore access to critical systems and data, or refuse to pay and attempt to rebuild from backup, all while operations are impaired or offline. <br><br>In late August 2025, the <a href="https://apnews.com/article/nevada-cyberattack-ransomware-8729e274ef1270d0c9a866ba487197de" target="_blank" rel="noopener">State of Nevada faced precisely this dilemma</a>. A ransomware attack that began months earlier—through a poisoned download of what appeared to be a legitimate system administration tool—resulted in widespread system outages, encrypted virtual machines, and deleted backups. The attackers left behind the usual ransom note and instructions.</p><p>Nevada’s answer, however, was clear: It would not pay. <br><br>Instead, the state executed a multi-week restoration and investigation effort, supported by cyber insurance and pre-negotiated vendor incident response contracts.<br><br>The state’s official After Action Report confirms that Nevada restored services across affected systems within 28 days, recovered approximately 90% of impacted data, and sustained continuity of payroll and critical public services without sending a ransom payment to criminal actors. This was not simply a financial choice—it was a legal, operational, ethical, and strategic one. 
And it underscores the broader question: should victims pay ransom?</p><h3>The Legal Landscape: Payment is Not Per Se Illegal — Until it Is</h3><p>There is no federal law that universally prohibits paying ransomware attackers. However, the United States Treasury’s Office of Foreign Assets Control (“OFAC”) has repeatedly warned that paying ransom to individuals or groups on federal sanctions lists may violate U.S. sanctions law—even if the victim does not know who is on the other end of the transaction.<br><br>Under OFAC’s strict liability regime, intent is irrelevant. If the payment reaches a sanctioned actor, liability may attach. 
Mitigation factors include self-reporting and cooperation, which means that paying quietly and hoping the problem goes away is itself legally hazardous.<br><br>Financial Crimes Enforcement Network (FinCEN) guidance further warns that negotiators and payment facilitators may be deemed money services businesses, triggering Bank Secrecy Act obligations, including registration, KYC, and suspicious activity reporting.<br><br>For public agencies, additional considerations arise. Several states now prohibit public entities from paying ransom at all, including Florida, North Carolina, and Tennessee. Nevada, although not under a statutory prohibition, had an operational philosophy of nonpayment, reflected explicitly in its incident response planning.</p><h3>The Operational Reality: Paying May Not Work — and May Make Things Worse</h3><p>The central argument in favor of paying ransom is straightforward: Paying may be the fastest way to restore services, reduce disruption, and prevent data leaks. But this logic often fails in practice. Decryption keys provided by attackers do not always function reliably. When they do, decryption is often slow, incomplete, or dangerous to execute at scale. And the so-called “promise” not to release stolen data is unenforceable.<br><br>In Nevada’s case, attackers had prepared data for possible exfiltration, but forensic investigators found no confirmation that stolen data had been successfully transmitted or posted to a leak site. Monitoring continues. Moreover, attackers had deleted backup volumes, extending recovery time. Nevada’s ability to restore data depended on deep vendor coordination — particularly with Dell’s recovery teams — and the state’s existing cyber insurance arrangements. 
The decision not to pay was supported by readiness, not ideology.</p><h3>The Ethical and Strategic Dimension: Paying Fuels the Industry</h3><p><a href="https://securityboulevard.com/2024/11/the-persistent-threat-of-ransomware-and-how-businesses-can-protect-themselves/" target="_blank" rel="noopener">Ransomware is a business</a>. Paying ransom fuels that business. When victims pay, the criminal enterprise grows, attacks escalate, and more victims are targeted. That reality underlies not only OFAC’s position but also federal policy discouraging payment.<br><br>Nevada’s refusal to pay was therefore both tactical and structural. The state concluded that the long-term harm of rewarding attackers outweighed the short-term pressure to restore systems faster. The After Action Report further emphasizes that the nonpayment stance was possible only because of prior sustained investment in cybersecurity, training, and incident response rehearsal. Nonpayment is not an accident — it is a capability.</p><h3>The Core Lesson: If You Want to Be Able to Say “No,” You Must Prepare in Advance</h3><p>Organizations that intend to refuse ransom must build toward that decision ahead of time:<br><br>• Architect backup and recovery systems that cannot be destroyed by ransomware actors.<br>• Pre-negotiate vendor response contracts and ensure they are funded and executable “within hours,” not days.<br>• Exercise restoration of Active Directory and identity infrastructure under simulated stress.<br>• Align insurance coverage with extortion response procedures.<br>• Establish executive authority and legal counsel channels before the crisis begins.<br><br>Nevada apparently did these things. Many organizations do not.<br><br>Nevada’s ransomware response is a study in strategic refusal. The state made a principled and operationally grounded decision not to pay ransom, and then executed a disciplined recovery that restored services in under a month. 
The most meaningful lesson is not that Nevada “got lucky” — it is that Nevada prepared. In Ronald Reagan’s 1964–1965 General Electric Theater speaking circuit, he recounted being asked where he would want to be if nuclear war broke out. He replied: “Someplace where I could just turn my head real slow and say, ‘What was that?’”<br><br>If you are prepared for ransomware, then your response to a demand for ransom could be (if you are lucky) “What was that?” If not, you may have to be prepared to pay.</p>