Much of this interview suggests that victims with good backups may choose to not pay. But victims also need to deal with the fallout from stolen data being published on publicly accessible websites to exert pressure on the victim to pay. The vast majority of victims do not have the US government seizing servers on their behalf, so "we have great backups, but unless we want all of our dirty laundry published on the internet, we still have to pay" is a very real scenario organizations should consider.

The highest ROI in ransomware prevention comes from securing Active Directory. Get an external expert who knows what they're doing to enumerate your AD attack paths and help you get rid of them. This should make it hard enough for the attackers to escalate privileges, hopefully giving your detective controls a chance of detecting their presence and containing the threat before data is stolen and ransomware is deployed.

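As an added illustration of the attack-path enumeration the comment above recommends (this is not the commenter's code, and it covers only three well-known starting points rather than the full graph a dedicated tool would build), the following PowerShell uses the RSAT ActiveDirectory module. It assumes a domain-joined host and an account with ordinary read access to the directory; function names are my own.

```powershell
# Added example (not the commenter's code): enumerate three common AD
# attack-path starting points with the RSAT ActiveDirectory module.
# Assumes a domain-joined host and an account with ordinary read access to AD.
Import-Module ActiveDirectory

# 1. Kerberoastable accounts: enabled user objects with an SPN. Any domain user
#    can request a TGS for them and crack it offline; AdminCount=1 ones are worst.
function Get-KerberoastableUsers {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
      Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.Enabled } |
      Select-Object SamAccountName, AdminCount, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

# 2. AS-REP roastable accounts: Kerberos pre-authentication disabled, so an
#    AS-REP containing crackable material can be obtained without a password.
function Get-AsRepRoastableUsers {
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
      Select-Object SamAccountName, Enabled
}

# 3. Unconstrained delegation on non-DC computers: a compromised host here
#    collects the TGTs of every account that authenticates to it.
function Get-UnconstrainedDelegationHosts {
    $dcs = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
      Where-Object { $dcs -notcontains $_.Name } |
      Select-Object Name, DNSHostName
}

Get-KerberoastableUsers | Format-Table -AutoSize
Get-AsRepRoastableUsers | Format-Table -AutoSize
Get-UnconstrainedDelegationHosts | Format-Table -AutoSize
```

Each non-empty result is a concrete path to remove or constrain (long random passwords or gMSAs for SPN accounts, re-enabling pre-authentication, replacing unconstrained with constrained or resource-based delegation). The full exercise the comment describes also needs the ACL and group-membership graph, which is what attack-path tooling such as BloodHound builds; this script is only the quick first pass.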

Thank you for providing some facts, as opposed to the nonsense like "50% of ransoms paid, the victims still can't decrypt".

I would just add that the attack vectors are more and more outright network intrusions for the purposes of ransomware, as opposed to someone clicking on something.

The role of insiders also cannot be ruled out.
