Summary:
- Double extortion (encryption + data theft) often makes backups insufficient to resolve the crisis.
- Isolating systems without immediately shutting them down is crucial to preserve digital evidence for the police.
- In Canada, data breach notification deadlines (PIPEDA, Law 25) are strict and add immediate legal pressure.
- Never restore a backup without analyzing it in an isolated environment (“cleanroom”) to avoid reinfection.
The message appears on your screen. Your servers are encrypted. Production is at a standstill. Every passing second is a second lost. Your mind races, management pressure mounts, and one single question keeps looping: pay or restore? The first instinct is to turn to backups, the famous business continuity plan. But modern cybercriminals know this and have adapted their strategies.
You have always been told never to pay the ransom. It is a basic principle of cybersecurity to avoid financing organized crime. Yet, faced with a total shutdown of operations and the threat of seeing your customer data published, the reality on the ground is much more complex. The reality in Canada is no longer a simple binary choice. It is a complex crisis trade-off, where the threat of publishing your data—even if you have functional backups—and the legal obligations of PIPEDA or Quebec’s Law 25 completely redefine the rules of the game.
This article is not a theoretical dissertation. It is your emergency procedure. We will review, point by point, the critical actions and decisions to be made calmly, not out of panic, but out of strategy. From forensic isolation of systems to crisis communication and the real analysis of your options, this guide will give you the keys to navigate the decisive first hours.
To guide you through this crisis situation, this article is structured to answer the most urgent questions you are asking right now. Each section addresses a critical point in your decision-making process.
Table of Contents: Navigating a Ransomware Crisis: A Decision Guide for IT Managers
- Why do hackers threaten to publish your data even if you have backups?
- How to disconnect your systems in an emergency without corrupting evidence for the police?
- 3-2-1 Backup: Is it still the golden rule in the cloud era?
- The mistake of restoring an infected backup that restarts the virus 24 hours later
- When to notify your clients: the legal timing for announcing a data leak
- Cyber insurance: what does it really cover in case of a prolonged service outage?
- When to plan integration: the first 3 days that determine retention
- How to know if your Social Insurance Number (SIN) is circulating on the Dark Web?
Why do hackers threaten to publish your data even if you have backups?
The answer is simple and brutal: because your recovery plan no longer worries them. We have entered the era of double extortion. Previously, a ransomware attack was limited to encrypting your files. If you had healthy backups, you could ignore the ransom demand, restore your systems, and resume activities. Today, this approach has become naive and dangerous.
Before even encrypting anything, attackers spend days, or even weeks, inside your network. During this phase, they discreetly exfiltrate your most sensitive data: customer information, trade secrets, financial data, employee files. Encryption is only the final act that reveals their presence. The threat is therefore no longer just “pay to get your files back,” but “pay, or we publish everything on the Dark Web.” According to the National Cyber Threat Assessment 2023-2024, most ransomware attacks are now double extortion attacks, meaning data theft has become the norm in Canada. The threat of publication completely changes the crisis trade-off.

As this diagram shows, the crisis has two facets. On one side, the operational lockout of your servers. On the other, the imminent leak of your confidential information. Your backups can only counter the first threat. They are completely powerless against the second, which jeopardizes your reputation, customer trust, and legal liability. It is this psychological and legal lever that hackers now exploit.
How to disconnect your systems in an emergency without corrupting evidence for the police?
The immediate instinct when facing a fire is to cut the power. In cybersecurity, this is a potentially catastrophic mistake. Brutally shutting down an infected machine is equivalent to erasing the intruder’s tracks. The Random Access Memory (RAM), which contains crucial information about ongoing malicious processes, active network connections, and temporary encryption keys, is volatile. A sudden shutdown clears it instantly, destroying evidence that is essential to the forensic integrity of the investigation the RCMP or your local police will conduct.
The correct procedure is network isolation. The objective is to contain the infection to prevent it from spreading to other systems, while keeping the machine “alive” for future analysis. There are several methods, each with its advantages and disadvantages in terms of evidence preservation, as detailed in this table.
| Method | Preserved Evidence | Lost Evidence | Execution Time |
|---|---|---|---|
| Unplug the network cable | RAM, active processes, system logs | Active network connections | Immediate |
| Isolate the VLAN | Everything except network traffic | Ongoing communications | 2-5 minutes |
| Controlled system shutdown | Logs, disk data | RAM, active malicious processes | 5-10 minutes |
The simplest and often most effective first emergency method is to physically unplug the network cable from the compromised server or workstation. This instantly cuts all external communication without destroying volatile data. The priority is to stop the bleeding before thinking about surgery.
Your action plan: forensic isolation protocol
- Document the state: Take photos and screenshots of any ransom message or abnormal behavior. Note the exact time.
- Isolate without shutting down: Physically unplug the Ethernet cable from the infected machine. Disable Wi-Fi. Do not turn it off.
- Preserve RAM: If you have a trained technical team, they can attempt a “RAM dump” before any other action. Otherwise, move to the next step.
- Contact authorities: Immediately call your local police service and the RCMP’s National Cybercrime Coordination Centre (NC3). They will guide you.
- Secure the machine: Seal the physical machine in a safe place while waiting for instructions from forensic experts.
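The protocol above asks you to note the exact time of each step and to hand the machine to forensic experts intact. The following script is an added example (not part of the original article) of how an IT team can keep a tamper-evident chain-of-custody record of what it collected during isolation: each artifact (screenshot of the ransom note, photo of the sealed machine, a RAM capture) is hashed at collection time and the entries are chained so that a later reviewer can prove nothing was altered or reordered. The case identifier, file names and artifact bytes are constructed sample data.

```python
"""Tamper-evident evidence ledger for the forensic isolation protocol.

Added example, not the article's own tooling. Each entry stores a UTC
timestamp noted at collection, the action taken, the SHA-256 of the
artifact and the hash of the previous entry (a hash chain). verify()
recomputes the chain; verify_artifact() checks that a file handed to the
police still matches what was hashed at collection time.
"""
import hashlib
import json
from copy import deepcopy
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    seq: int
    collected_at: str       # ISO 8601 UTC, noted when the artifact was taken
    action: str             # document / isolate / ram_dump / seal
    artifact: str           # file name or short description
    artifact_sha256: str
    prev_hash: str
    entry_hash: str = ""


class EvidenceLedger:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: List[Entry] = []

    def _hash_entry(self, e: Entry) -> str:
        # Hash every field except the entry's own hash, in a canonical order.
        payload = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
        payload["case_id"] = self.case_id
        return sha256_hex(json.dumps(payload, sort_keys=True).encode())

    def record(self, action: str, artifact: str, data: bytes,
               collected_at: Optional[str] = None) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = collected_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        e = Entry(len(self.entries) + 1, ts, action, artifact, sha256_hex(data), prev)
        e.entry_hash = self._hash_entry(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True if every entry is numbered, chained and hashed consistently."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != self._hash_entry(e):
                return False
            prev = e.entry_hash
        return True

    def verify_artifact(self, seq: int, data: bytes) -> bool:
        return self.entries[seq - 1].artifact_sha256 == sha256_hex(data)


def build_sample_ledger() -> EvidenceLedger:
    """Constructed walk-through of the protocol steps (sample bytes, not real captures)."""
    ledger = EvidenceLedger("CASE-EXAMPLE-0001")          # constructed case id
    ledger.record("document", "ransom_note_screenshot.png", b"<png bytes: ransom note>",
                  "2024-06-19T14:02:00+00:00")
    ledger.record("isolate", "ethernet_unplugged_photo.jpg", b"<jpg bytes: cable unplugged>",
                  "2024-06-19T14:03:30+00:00")
    ledger.record("ram_dump", "srv-files01.mem", b"<raw memory image>",
                  "2024-06-19T14:41:10+00:00")
    ledger.record("seal", "evidence_bag_photo.jpg", b"<jpg bytes: sealed machine>",
                  "2024-06-19T15:10:00+00:00")
    return ledger


def tampered_copy_verifies(ledger: EvidenceLedger) -> bool:
    """Alter the RAM-dump hash in a copy; the chain must no longer verify."""
    copy = deepcopy(ledger)
    copy.entries[2].artifact_sha256 = sha256_hex(b"<substituted memory image>")
    return copy.verify()


if __name__ == "__main__":
    led = build_sample_ledger()
    print("ledger intact:", led.verify())
    print("ram dump still matches:", led.verify_artifact(3, b"<raw memory image>"))
    print("tampered copy verifies:", tampered_copy_verifies(led))
```

Export the ledger as JSON alongside the sealed machine; because each entry hash covers the timestamp, anyone who later disputes when the cable was pulled or when the memory image was taken can be shown that the record was fixed at the time and has not been rewritten since.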
3-2-1 Backup: Is it still the golden rule in the cloud era?
The 3-2-1 rule (three copies of your data, on two different media, one of which is off-site) remains the foundation of a robust backup strategy. However, the cloud era has introduced new complexities, especially for Canadian businesses. “Off-site” is now often a cloud provider, which raises a critical question: where is this “site” legally located?
For a Canadian company, hosting backups on servers located in the United States, even via a trusted provider, exposes that data to the U.S. CLOUD Act. This law allows U.S. authorities to demand access to data stored by U.S. companies, regardless of where the servers are located. To comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and protect sensitive data, it is imperative to prioritize cloud regions located in Canada, such as AWS’s `ca-central-1` region.
Even with a perfect backup strategy, the decision to restore is not automatic. Paying the ransom remains an option considered by many cornered companies. However, data shows it is a risky bet. A survey by the Canadian Centre for Cyber Security reveals that only 42% of Canadian companies that pay the ransom fully recover their data. Nearly 60% pay for nothing, or for a defective decryption key that corrupts part of the files. Paying guarantees neither the integrity of the recovered data nor that the attackers will not return.
The crisis trade-off lies here: risking payment for an incomplete solution while financing crime, or engaging in a longer but controlled restoration process while managing the threat of publication of already stolen data. The choice depends on the nature of the exfiltrated data and your tolerance for reputational risk.
The mistake of restoring an infected backup that restarts the virus 24 hours later
You have identified a healthy backup dating from before the encryption. The temptation is immense: wipe the infected servers and launch the restoration to restart production as quickly as possible. This is one of the most devastating mistakes in crisis management. Attackers are patient. Often, the ransomware is only the final payload of an infection that started much earlier. The real backdoor may have been dormant in your systems for months, and therefore, in your backups.
Restoring a backup without analyzing it is like reintroducing patient zero into a freshly disinfected hospital. The ransomware will trigger again 24 or 48 hours later, taking you back to square one, but with shattered credibility and rock-bottom team morale. The phenomenon is exploding, with a 100% increase in ransomware activity in Canada, the United States, and the United Kingdom in the second quarter of 2024, making these reinfection scenarios increasingly common.

The only viable procedure is restoration in a “cleanroom”. This involves creating a completely isolated and sterile network environment, disconnected from everything else, to restore your backup there. It is in this secure sandbox that you will conduct a full forensic analysis to detect any trace of malware or suspicious activity before validating the reintroduction of data into production. The procedure is rigorous:
- Create a totally isolated (air-gapped) network environment.
- Restore the candidate backup in this test environment.
- Scan all restored data with multiple up-to-date detection tools.
- Actively monitor the environment for 24 to 48 hours to observe any abnormal behavior (unknown processes, network communication attempts, etc.).
- Validate the integrity and cleanliness of the data before planning its reintroduction into the production environment, which should itself be rebuilt from scratch.
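Step four of the cleanroom procedure is the one teams most often skip: watching the restored environment for 24 to 48 hours for unknown processes and connection attempts. The script below is an added example (not code from the article) of what that monitoring logic looks like in practice: it takes periodic snapshots of the restored host, compares each one with the baseline captured right after restoration, and flags the behaviours a dormant implant shows when it wakes up: a new process launched from a user-writable directory, a connection attempt leaving the cleanroom network, and a new persistence entry. The cleanroom subnet, host names, process names and snapshots are all constructed sample data.

```python
"""Cleanroom behaviour monitor for a restored backup (added example).

Not the article's tooling. Snapshots are plain dicts of the kind you would
build from `tasklist`/`ps`, `netstat`/`ss` and a dump of Run keys and
scheduled tasks. Everything below is constructed sample data; the only
real rule encoded is that an air-gapped cleanroom should never see
outbound traffic leaving its own subnet.
"""
import ipaddress
from typing import Dict, List

CLEANROOM_NET = ipaddress.ip_network("10.99.0.0/16")   # constructed cleanroom subnet
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "/tmp/", "/dev/shm/", "/var/tmp/")


def _proc_key(p: Dict) -> str:
    return f"{p['name'].lower()}|{p['path'].lower()}"


def compare_snapshot(baseline: Dict, current: Dict) -> List[Dict]:
    """Return findings for one snapshot relative to the post-restore baseline."""
    findings: List[Dict] = []
    known = {_proc_key(p) for p in baseline["processes"]}
    for p in current["processes"]:
        if _proc_key(p) not in known:
            # A binary executing from a user-writable path is the stronger signal.
            sev = "high" if p["path"].lower().startswith(USER_WRITABLE) else "medium"
            findings.append({"type": "new_process", "severity": sev,
                             "detail": f"{p['name']} ({p['path']}) pid {p['pid']}"})
    for c in current["connections"]:
        if ipaddress.ip_address(c["dst"]) not in CLEANROOM_NET:
            findings.append({"type": "egress_attempt", "severity": "critical",
                             "detail": f"pid {c['pid']} -> {c['dst']}:{c['port']}"})
    for entry in sorted(set(current["persistence"]) - set(baseline["persistence"])):
        findings.append({"type": "new_persistence", "severity": "high", "detail": entry})
    return findings


def monitor(baseline: Dict, snapshots: List[Dict]) -> List[Dict]:
    """Run the comparison over the whole observation window, tagging each finding."""
    out: List[Dict] = []
    for snap in snapshots:
        for f in compare_snapshot(baseline, snap):
            f["observed_at"] = snap["taken_at"]
            out.append(f)
    return out


def verdict(findings: List[Dict]) -> str:
    return ("REJECT: do not reintroduce this backup" if findings
            else "CLEAN: candidate for reintroduction after final validation")


def sample_run() -> List[Dict]:
    """Constructed 48-hour observation of a restored file server."""
    baseline = {
        "taken_at": "T+0h",
        "processes": [
            {"pid": 4, "name": "System", "path": "C:\\Windows\\System32\\ntoskrnl.exe"},
            {"pid": 812, "name": "sqlservr.exe",
             "path": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"},
        ],
        "connections": [{"pid": 812, "dst": "10.99.1.20", "port": 1433}],
        "persistence": ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"],
    }
    quiet = dict(baseline, taken_at="T+2h")                 # nothing has changed yet
    awake = {                                               # implant wakes up on day two
        "taken_at": "T+26h",
        "processes": baseline["processes"] + [
            {"pid": 5120, "name": "updsvc.exe", "path": "C:\\ProgramData\\updsvc.exe"}],
        "connections": baseline["connections"] + [
            {"pid": 5120, "dst": "203.0.113.45", "port": 443}],   # TEST-NET-3 address
        "persistence": baseline["persistence"] + ["SchedTask:\\Microsoft\\Windows\\UpdSvc"],
    }
    return monitor(baseline, [quiet, awake])


if __name__ == "__main__":
    results = sample_run()
    for f in results:
        print(f"[{f['severity']}] {f['observed_at']} {f['type']}: {f['detail']}")
    print(verdict(results))
```

Note that the egress check fires on the attempt alone; in a real cleanroom the traffic goes nowhere, but the attempt is exactly the evidence that the backup carries something that wants to call home, which is why the observation window must be long enough for a time-delayed payload to try.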
When to notify your clients: the legal timing for announcing a data leak
The question is not “if” you must notify, but “when” and “how.” In Canada, communication management following a data leak is strictly regulated by law, and failure to meet deadlines can lead to heavy sanctions. Pressure comes not only from hackers but also from the regulator. You are caught in a legal vise that demands accelerated compliance.
Two main laws govern your obligations. At the federal level, PIPEDA applies. In Quebec, Law 25 (formerly Bill 64) imposes even stricter requirements. The trigger for notification is not the attack itself, but the determination that a “risk of harm” exists. This threshold is subtle but crucial, and it is up to you to evaluate it urgently. As shown in a summary by the Canadian Centre for Cyber Security, obligations vary and must be understood precisely.
| Jurisdiction | Organization to notify | Deadline | Notification Threshold |
|---|---|---|---|
| Canada (PIPEDA) | Office of the Privacy Commissioner of Canada (OPC) | As soon as feasible | Real risk of significant harm |
| Quebec (Law 25) | Commission d’accès à l’information (CAI) | Without delay | Risk of serious injury |
“As soon as feasible” or “without delay” means you cannot wait until you have all the answers. As soon as your initial assessment concludes that a risk of serious harm exists (for example, if social insurance numbers, financial information, or medical records have been stolen), the legal clock starts. You must notify the relevant authority and the affected individuals. Delaying this notification in hopes of resolving the crisis in silence is an illegal and dangerous strategy that exposes you to significant fines and an irreparable loss of trust from your clients.
Cyber insurance: what does it really cover in case of a prolonged service outage?
Many managers view their cyber insurance policy as an ultimate safety net. In the event of a crisis, they think they can simply call their insurer to cover the ransom payment and business interruption losses. The reality is much more nuanced. Cyber insurance is a powerful tool, but it is vital to understand precisely what it covers and, more importantly, what it excludes.
In general, a good policy will cover direct costs: forensic expert fees to investigate the incident, customer notification costs, credit monitoring services for victims, and often, the ransom payment itself (after approval). It can also cover business interruption, meaning lost earnings while your services are offline. However, these coverages come with significant deductibles, caps, and very specific exclusion clauses. For example, an attack resulting from a known and unpatched vulnerability could be grounds for exclusion.
Case Study: The Attack on CDK Global
In June 2024, automotive dealership software provider CDK Global was hit by an attack from the BlackSuit ransomware group. The attack paralyzed operations for thousands of dealerships across North America, including Canada. The impact was so massive that, according to industry technology analysts, the company ended up paying a ransom estimated at 25 million dollars. This case illustrates that even with insurance, the cost of a prolonged service outage can reach astronomical sums, not to mention indirect and uninsurable costs like loss of reputation or the defection of frustrated customers.
The mistake is seeing insurance as a substitute for good cybersecurity hygiene. Insurers are increasingly demanding and will not hesitate to refuse compensation if you have not respected the basic security measures stipulated in your contract (multi-factor authentication, offline backups, etc.). Your first call should be to your response team, not your insurance broker.
When to plan integration: the first 3 days that determine retention
This title may seem strange in a crisis context. But the “retention” referred to here is the most precious of all: trust retention from your employees and customers. Once the technical threat is contained and restoration is underway, the following 72 hours are decisive for the survival of your reputation. Technical crisis management is a battle; trust management is the war.
Panic and silence are your worst enemies. A post-crisis integration and communication plan must be executed with the same rigor as your technical recovery plan. It takes place in three critical phases, one per day, to rebuild internal and external stability.
- Day 1: Technical post-mortem and internal transparency. The absolute priority is understanding how the attack occurred. Mobilize your teams to identify and fix the exploited vulnerability. At the same time, communicate clearly and honestly with your employees. They are your first line of defense, and their concerns must be addressed.
- Day 2: Process updates. Lessons learned from the incident must be immediately integrated into your Incident Response Plan (IRP). What failed? Which processes need strengthening? This is the time to turn the crisis into an opportunity for improvement.
- Day 3: External communication and trust reintegration. This is the day for controlled and transparent communication with your customers and partners. Explain the facts, the steps taken to secure their data, and the measures you are following to strengthen your security. Honesty, even when difficult, is the only path to maintaining long-term trust.
This structured plan allows you to move from reactivity to proactivity, showing that you have control over the situation beyond purely technical aspects. Paying a ransom and then mismanaging communication is the worst of both worlds. As Mickey Bresman, CEO of Semperis, says:
Every ransom paid is a down payment on the next attack.
– Mickey Bresman, CEO of Semperis
Key points to remember
- The threat is no longer encryption alone, but the publication of stolen data (double extortion).
- Canadian legal obligations (PIPEDA, Law 25) impose rapid notification, complicating crisis management.
- Restoration is only viable after a forensic analysis of the backup in an isolated environment to avoid reinfection.
How to know if your Social Insurance Number (SIN) is circulating on the Dark Web?
A ransomware crisis has two types of victims: the company and the individuals whose data was stolen. As a manager, you have a responsibility toward your employees and clients. If personal information, particularly the Social Insurance Number (SIN), has been exfiltrated, you must arm them to protect themselves against identity theft. The SIN is the primary key to a Canadian citizen’s administrative and financial identity.
It is difficult for an individual to actively monitor the Dark Web. Specialized services exist, but the first line of defense is responsiveness. If you have the slightest suspicion that a SIN has been compromised in the leak, action must be taken immediately. The Government of Canada, via the Canadian Anti-Fraud Centre, provides a clear procedure to follow.
Here are the critical actions to recommend to anyone potentially affected:
- Contact Service Canada: This is the agency that manages SINs. They can provide advice and add flags to the file.
- Place a fraud alert: Contact the two main credit reporting agencies in Canada, Equifax Canada and TransUnion Canada, to place an alert on your file. This will require creditors to take extra steps to verify identity before granting new credit.
- Report the fraud: It is imperative to file an official report with the Canadian Anti-Fraud Centre (CAFC) and your local police service.
- Notify financial institutions: Banks and credit card issuers must be informed to monitor for suspicious activity.
- Demand credit monitoring: The company responsible for the leak (meaning yours) has a moral and often legal obligation to provide and pay for a credit monitoring service for victims for at least one year.
As an organization, anticipating this step and providing a clear guide and resources to your employees and customers is a crucial gesture to begin restoring trust. It shows that you take your responsibility seriously, beyond your own operational losses.
Your next step is to solidify your incident response plan. Evaluate your backup, isolation, and communication procedures now to be ready before a crisis occurs.