In the event of a ransomware attack, how likely is your company to pay a ransom if it meant avoiding the leak of company data or significant business disruption?

Very likely: 7%

Somewhat likely: 52%

Not very likely: 17%

Not at all likely: 21%

Unsure: 2%

632 PARTICIPANTS
4.6k views, 4 Comments
Strategic Banking IT advisor in Banking, 2 years ago

I agree with Roberto. At first, we could be in denial and as long as nothing happened, we could say that we will never pay for this.

All of a sudden, the day you got hit, after exploring all options, you might end up with only 1 option: to pay.

On our side, this is part of our DR and business continuity plan. And of course, whether the organization would agree to pay or not is not disclosed to everyone since it's very sensitive.

However, it's a good example of 'Hope for the best, Plan for the worst'.

IT Regional Manager - Senior Consultant - Technical Writer - Blogger in Software, 4 years ago

I saw this scenario in a couple of companies, and usually paying is not an option. But, as we said before, if data has been stolen, the hard decision-making process comes in.

Paying does not give a sure solution either. Checking backup processes and testing those processes are critical. I saw entire datacenters collapse, and many with good backup processes and software fail. Ransomware is and will be a problem that is not near its end; we need to continue improving processes but also educate users.

Associate Vice President, Information Technology & CISO in Education, 4 years ago

The challenge is less about restoration and more about extortion from exfiltration... If data has been stolen, the hard decision making process comes in.

This is when an organization will really be put to the test, depending on what customer / corporate data they hold, the sensitivity of it, and the risk to brand / recognition or legal ramifications.

Never an easy decision making process, but having a solid incident response plan and playbooks and your executive team prepped (simulated crisis) is the way to go.

Senior Information Security Manager in Software, 4 years ago

Ransomware is simply an attack against a firm's backup capabilities.

Those that have a good backup/restore capability in place can recover rather easily.

Those that don’t – have to pay the ransom.

 
https://engineering.tapad.com/ransomware-why-its-so-easy-and-makes-so-much-economic-sense-e6bdc6fe29d9
