[rjmunro]

The problem with paying it is that even if it works, and all the machines decrypt in a timely fashion, you have no idea if the attackers have left anything else in the network that they could use to enter again.

You might not even find out the original entry point, and stop others following. Also it will be expensive.

[zelon88]

You still may never find the entry point if you don't recover the machines. Saudi Aramco and Maersk fell victim to similar ransomware attacks and practically had to start from scratch buying storage devices straight from manufacturers to get back online. NotPetya was so destructive it didn't leave behind much in the way of meaningful evidence. If you don't recover the encrypted data you probably won't recover evidence that points to patient zero anyway.

[zerkten]

Episodes 53 and 54 of https://darknetdiaries.com/episode/ are a good listen on this subject.

[eli]

A bigger problem is that you've now painted a huge target on your back as a company that is known to have security problems and pay ransoms.