When hit with ransomware, organizations must decide whether to pay or not. Such decisions may seem easy in the abstract, but in practice they require rigorous due diligence. Some governments are considering whether to require due diligence prior to payment. This talk will explore due diligence during a ransomware attack and how such analysis could benefit both organizations and society.