So in economic terms, companies should factor the risk of not getting the encryption keys from the criminals into their cost calculations. (That's because paying $1000 to recover your data is a better deal than paying $1000 for a 65 percent to 70 percent chance of recovering your data.)
Another complicating factor is that it is possible that paying a ransom marks you out as a "ransom payer" who will be targeted again by the same or other criminals. It's not clear if this actually happens in practice, but it is worth bearing in mind that paying a ransom may have an additional uncertain future cost.
For most companies, then, deciding whether to pay the ransom demanded by criminals to decrypt data should be an economic decision: will it cost less, all things considered, to pay the ransom or not to pay it? Deciding not to pay on principle may sound admirable, but it may not be in the best interests of the business or its shareholders.