Today's hackers often want money to give you back your files (after they've stolen them or encrypted them in a "ransomware" attack) or to cease a DDoS attack (a distributed denial-of-service attack where an army of bots try to connect to your site at once, rendering it inaccessible to regular punters).
NortonLifeLock security expert Mark Gorrie saw the recent DDoS attack on the NZX as a "profit-driven" attack. (The exchange would not comment on whether a ransom had been demanded).
Crown agency Cert NZ has clear advice. "Don't pay." Its deputy director Declan Ingram says paying up will only encourage another attack on you or another organisation. It's also no guarantee you get your files back or that a DDoS attack will stop if you do stump up - and you'll likely be giving money to an organised crime outfit that's also involved in the likes of drugs and human trafficking.
Nevertheless, Kordia chief information security officer Hilary Walton says research indicates around 20 per cent of victims do pay. There are indications that fitness-tracker and avionics maker Garmin recently paid $14m to rid itself of an attack.
And the University of Auckland recently disclosed that it had alumni and donor data stored with Blackbaud, a listed US company that publicly disclosed it had paid a ransom after its systems were compromised earlier this year. Otago University also had data with Blackbaud. Both NZ universities said they were not party to the decision to pay off the hackers.
If an organisation doesn't pay up, the latest tactic is blackmail - or slowly leaking small batches of sensitive files on to the public internet to encourage a victim to pay up.
Fisher & Paykel Appliances suffered that fate earlier this year as it had highly-detailed budgets and planning documents posted online.
But the whiteware maker gritted its teeth and did not pay.
It was a tough outcome, but Cert's Ingram says even if you do pay, and your files are returned, your attacker could keep copies and use them to blackmail you in the future.
Yet Wellington lawyer and IT specialist Michael Wigley says he can understand why some organisations pay up. In some cases it can be a pragmatic decision. In others, an argument can be made that a company's duty of care extends to retrieving lost client data.
Herald columnist Juha Saarinen says the government should make it illegal to pay a ransom.
What does the current law say?
"The Crimes Act was written in an age when a ransom was only demanded for a person, not data," says Auckland University Law Faculty professor Bill Hodge.
"But my reading is that it would not be illegal to succumb to a hacker's demands and pay a ransom.
"It would be almost impossible for police to mount a prosecution."