Why paying the ransom is a bad idea:
1. There is no guarantee that you will be provided the decryption key or that all the data can be recovered. According to Sophos most victims are unable to recover some or all of their data: 92% of those who paid ransom lost some data, 50% lost at least a third, and 4% lost it all.
2. The post-ransom recovery period can take a week for a small business, or 3 months for an enterprise, leaving a large window of opportunity for bad actors to sell their access method to another bad actor. The fact that your organization paid makes it a prime target for other bad actors.
3. The ransomware payment funds additional attack efforts.
The decision to pay or not reminds me of a new neighbor who had moved here from a city in California. Their city cat had gone missing within two weeks, so they posted lost cat signs. We have a lot of open space bordering our back yards, which is very scenic but also harbors a lot of wildlife. After a month I noticed they had a new cat, which soon went missing too. The process repeated. After a fourth cat went missing, he was commenting on how well the people at the animal shelter knew him and the types of cats he liked. He felt good about saving cats. So of course I upset him when I asked him whether he was really saving cats or just feeding the coyotes.