The problem with paying it is that even if it works, and all the machines decrypt in a timely fashion, you have no idea if the attackers have left anything else in the network that they could use to enter again.
You might not even find out the original entry point, and stop others following. Also it will be expensive.
You still may never find the entry point if you don't recover the machines. Saudi Aramco and Maersk fell victim to similar ransomware attacks and practically had to start from scratch buying storage devices straight from manufacturers to get back online. NotPetya was so destructive it didn't leave behind much in the way of meaningful evidence. If you don't recover the encrypted data you probably won't recover evidence that points to patient zero anyway.
You might not even find out the original entry point, and stop others following. Also it will be expensive.