In 2021, the Harris Federation—one of the UK’s largest school groups—was hit by a crippling cyber attack. Russian ransomware group REvil demanded $4 million in cryptocurrency, doubling the figure to $8 million if payment wasn’t made within 10 days. The attackers encrypted the Federation’s systems and threatened to leak stolen data on the dark web.
The Harris Federation refused to pay.
“The money we have is for disadvantaged young people,” said Sir Dan Moynihan, the Federation’s CEO, speaking on BBC Radio 4’s Today Programme.
“Had we paid, we’d have opened the door for other school groups to be attacked.”
Their stance was clear. And it raises a larger ethical and strategic question that businesses, schools, hospitals, and local authorities must confront: should organisations ever pay a ransom?
This article was inspired by the recent cyber attacks across UK retail, specifically Marks & Spencer and the Co-op, plus the Harris Federation (of Schools), as reported on BBC Radio 4’s Today Programme (01/05/2025). The interview will be unavailable after a month, but you can still read excerpts at “Inside the Breach: What M&S and the Harris Federation Reveal About UK Cyber Vulnerabilities“.
The Ransomware Dilemma
Ransomware attacks are designed to put victims in an impossible position. Systems are locked. Data is either stolen or encrypted—or both. Operations grind to a halt. And then comes the demand: pay, or face permanent loss or public exposure.
The temptation to pay can be immense, especially when:
- Sensitive or regulated data is at stake
- Customer services or critical systems are down
- Public confidence or brand reputation is in jeopardy
But paying may not actually solve the problem—and often makes it worse.
Why Paying is a False Solution
❌ There’s No Guarantee of Recovery
Even if you pay, there’s no guarantee the attackers will return your data or restore access. Ransomware groups are not bound by contracts; they are criminals. Many victims never receive a working decryption tool, or find that the decryptor is slow and buggy and that some restored data is corrupted. And where data was stolen as well as encrypted, a payment buys nothing more than a promise: the attackers keep their copy, and it can still be leaked or sold later.
🎯 You Become a Repeat Target
Paying once may paint a target on your back. Ransomware groups often share lists of victims willing to pay, meaning you could face another attack—or even be extorted repeatedly.
💸 You Fund Organised Crime
Payments often go to groups linked to organised crime syndicates or even state-affiliated entities. Paying a group or individual on a UK or US sanctions list is itself an offence, and both OFSI (UK) and OFAC (US) have warned that ransomware payments may breach sanctions regardless of the victim’s intent. Take legal advice before any payment is even discussed, and involve your insurer and the NCSC or law enforcement early.
🔁 You Encourage Further Attacks
Every payment is a signal to the criminal economy that ransomware works. It fuels more attacks, more tools, and more victims. When one organisation pays, others may suffer as a result.
The Ethics of Refusal
The Harris Federation’s decision not to pay wasn’t just pragmatic—it was ethical. As Sir Dan Moynihan explained, the organisation exists to serve disadvantaged children. Diverting funds to criminals was not just unjustifiable—it would have compromised their core mission.
“It’s easy for me to say,” Moynihan acknowledged, “but I’d say: don’t pay. Don’t encourage the criminals.”
Their response—engaging cyber specialists, delaying negotiations with psychological tactics, and rebuilding systems over three months—was expensive, exhausting, and disruptive. But it was also principled. It set a precedent for how public institutions can stand their ground.
What Organisations Can Do Instead
The best response to ransomware is prevention, preparation, and resilience. Here’s what organisations should prioritise:
- Offline Backups: Regular backups kept offline or on immutable storage, out of reach of the credentials an attacker would steal, and verified by actually restoring from them. A backup that has never been restored is an assumption, not a recovery plan.
- Incident Response Planning: Clear, rehearsed protocols for what to do when systems go down, including who is authorised to make decisions, how you communicate when e-mail is unavailable, and how you meet regulatory duties (a personal-data breach must be reported to the ICO within 72 hours under UK GDPR).
- Cyber Insurance: Useful, but not a substitute for operational preparedness. Insurance should support recovery, not encourage payout. Check what the policy requires of you before an incident; many insurers now make MFA and tested backups a condition of cover.
- Legal and Ethical Guidance: Have a formal, board-level position on ransom payments, informed by legal and regulatory guidance, agreed before an attack rather than argued over during one.
- Public Communication: Transparency builds trust. Concealing attacks, or payments, can damage your reputation more than disclosure.
Cyber Tzar supports clients in preparing for these scenarios—by identifying critical system dependencies, mapping risk posture, and stress-testing your organisation’s readiness to recover without paying.
The Bigger Picture
Paying a ransom might seem like the fastest way to restore operations, but in the long run it often prolongs the crisis and deepens the damage. The real solution lies in resilience: backing up data and testing restores, training staff, enforcing multi-factor authentication, segmenting systems so one compromised account cannot reach everything, and refusing to feed the business model of cybercrime.
As the Harris Federation demonstrated, you can say no—and survive. Cyber Tzar works with organisations who want to build that same confidence—grounded in insight, not instinct.
Final Word
In the face of ransomware, doing the right thing is rarely easy. But sometimes, the hardest decision—not paying—is the one that protects not just your own organisation, but others that follow.
Cyber Tzar helps organisations take the principled path with confidence—measuring risk exposure, securing critical systems, and preparing for what comes next.
👉 Make the right decision easier. Start building resilience now at www.cybertzar.com