We're talking ransomware here, not people. The latter, it's a different situation.
If my own business was hit with encryptionware, then the backup strategy is there to get us out. If somehow the backup strategy is hit, c'est la vie, go back to an early enough point and carry on. Somewhat annoying, some rework, but largely, not a big deal.
If it was a straight up ransom for the release of data, there is very little around that is really that confidential. Customer data, names, addresses etc. being the most obvious things requiring a degree of protection in your average business. Maybe some IP or technical documentation (and what is that doing in a low security system if it's that valuable?)
As there is no guarantee that even if you cough up they won't release or resell the data and/or demand more, the policy is don't pay, and with good reason. One can debate the merits of "good criminal/bad criminal". If they've already stolen your golden goose you can pay what you like - but you have still lost it.
If your data IS that confidential to warrant actual protection (MOD stuff, etc.), you should damn well be paying for knowledgeable security in the first place. E.g. theft of data from the F35 programme, cough, cough.