Why it matters: In most cases, law enforcement agencies advise companies not to pay ransomware demands – doing so doesn't guarantee that the blackmailers will honor their promises, and it could lead to even more extortion attempts. One executive went one better: not only did he refuse to pay, but he also donated the ransom money toward cybercrime research.

Mariano Albera, the CTO of Checkout.com, wrote that the global payment service provider became the victim of a ransomware attack last week.

The incident began when the hacker group ShinyHunters contacted the company, claiming it had obtained stolen data connected to the firm and demanding a ransom.

Checkout.com launched an investigation and found that the attackers had obtained the data by accessing a legacy third-party cloud file storage system that had not been decommissioned properly. The system had been used for internal operational documents and merchant onboarding materials in 2020 and prior years.

Albera stressed that the incident affected less than 25% of Checkout.com's current merchant customers. He added that the breach has not impacted its live payment processing platform, and the hackers have not accessed merchant funds or card numbers.

The CTO apologized for the incident and said that the process to identify those impacted had begun. But Albera stressed that Checkout.com has no intention of paying the ransom.

Instead of handing over the money, the company will donate the ransom amount, which wasn't revealed, to Carnegie Mellon University and the University of Oxford Cyber Security Center to support their research into fighting cybercrime.

"Security, transparency and trust are the foundation of our industry," he wrote. "We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy."

The question of whether to pay a ransomware attacker has long been debated. In June, Australia became the first country to require certain organizations to disclose when and how much they paid to cybercriminals after a data breach.

There have been calls for governments to ban companies from paying ransoms outright. The UK this year proposed such a ban for public-sector organizations.

In October, a coalition of 48 countries in the International Counter Ransomware Initiative pledged not to pay ransoms, which is different from legally banning the payments. Some jurisdictions have laws that prohibit payments if the attackers are a sanctioned entity or the payment would violate anti-money laundering or terror financing laws.

A May study found that over 70 percent of 1,000 ransomware-hit companies opted to pay the ransom. But only 60 percent of victims who paid received functional decryption keys and successfully recovered their data. In 40 percent of cases, the provided keys were corrupted or ineffective.