Cost of a Ransomware Attack: 2025 Data

Ransomware breaches cost $5.08M on average — 14% more than the $4.44M all-breach average.

Avg Breach Cost: $5.08M (IBM 2025)

Median Demand: $1.32M (initial ransom demand)

Refuse to Pay: 64% (up from 59% in 2023)

Recovery Cost: $1.53M (excluding ransom payment)

Anatomy of Ransomware Costs

The cost of a ransomware incident extends far beyond the ransom payment itself. In fact, the ransom payment typically represents only 12% of total incident cost. Business interruption and downtime is the largest single cost component at 40%, reflecting the operational paralysis that occurs when systems are encrypted and inaccessible. Understanding this breakdown is critical for organizations evaluating whether to pay: even if you pay the ransom, you still face 88% of the total cost in recovery, forensics, legal, and business interruption expenses.

Cost component (share of total) | Typical range
Business interruption / downtime (40%) | $1M - $5M
Forensic investigation (12%) | $100K - $500K
Data recovery & restoration (15%) | $100K - $2M
Legal & regulatory response (13%) | $200K - $1M
Customer notification (8%) | $50K - $500K
Ransom payment (if paid) (12%) | $115K - $75M

Source: IBM Cost of a Data Breach Report 2025, Sophos State of Ransomware 2025

Pay vs Don't Pay: The Economics

The decision to pay a ransom demand is one of the most consequential choices an organization faces during a ransomware incident. In 2025, 64% of organizations refused to pay, up from 59% in 2023 and 54% in 2021 — a clear trend toward non-payment. This shift is driven by multiple factors: improved backup capabilities enabling recovery without decryptors, growing awareness that payment does not guarantee data recovery, increased regulatory and legal risks associated with payment, and the moral hazard argument that payment funds further criminal activity.

Paying the Ransom

  • Median payment: $115K-$1M depending on organization size
  • Only 65% of data recovered on average after payment
  • 80% of payers are attacked again within 12 months
  • OFAC sanctions risk: paying sanctioned groups carries legal liability
  • Insurance may not cover payment if unauthorized
  • Funds criminal enterprise, encouraging future attacks
  • No guarantee attackers delete exfiltrated data (double extortion)

Not Paying

  • Mean recovery cost (excluding ransom): $1.53M
  • Recovery from backups: 1-4 weeks for most organizations
  • No legal risk from sanctioned entity payment
  • Stronger insurance position for future claims
  • Does not incentivize future attacks on your organization
  • Demonstrates resilience to stakeholders and regulators
  • May still face data leak threat (exfiltrated data)

The critical nuance: the pay-vs-don't-pay decision depends heavily on context. Organizations with recent, tested backups can recover without paying in most cases. Those without adequate backups may face existential business continuity threats. Healthcare organizations, where system downtime directly impacts patient care, face a different calculus from those with non-critical IT systems. Legal counsel experienced in ransomware incidents should be engaged immediately, as should law enforcement (FBI, CISA), which may already hold decryption keys from previous investigations of the same threat actor.

Largest Ransomware Payments Ever

While 64% of organizations refuse to pay, those that do pay face staggering demands. The largest confirmed ransom payment in history is $75 million, paid by an unnamed Fortune 50 company to the Dark Angels ransomware group in 2024. This payment dwarfs all previous known ransoms and illustrates the escalating financial scale of ransomware operations. Below are the largest known payments, though many payments remain undisclosed due to legal and reputational concerns.

Company | Payment | Year | Outcome
Dark Angels victim (Fortune 50) | $75M | 2024 | Largest known single ransom payment ever
CNA Financial | $40M | 2021 | Paid Phoenix CryptoLocker group. Full systems restored.
Change Healthcare | $22M | 2024 | Paid ALPHV/BlackCat. Data still leaked by affiliate.
Caesars Entertainment | $15M | 2023 | Paid Scattered Spider. Avoided extended outage.
JBS Foods | $11M | 2021 | Paid REvil. Operations restored within days.
CWT Global | $4.5M | 2020 | Negotiated down from $10M. Ragnar Locker group.
Colonial Pipeline | $4.4M | 2021 | Paid DarkSide. FBI recovered $2.3M. 6-day shutdown.

Source: Company disclosures, SEC filings, FBI/CISA advisories, threat intelligence reports

Which Industries Pay Most

Ransomware operators deliberately target industries where downtime creates the most pressure to pay quickly. Healthcare is the most frequently targeted sector because system unavailability directly impacts patient care, creating life-safety urgency that overrides cost-benefit calculations. Change Healthcare's $22 million payment to ALPHV/BlackCat in 2024 was driven by the cascading impact on pharmacies, hospitals, and patients unable to process claims or receive medication.

Critical infrastructure (energy, utilities, transportation) faces similar pressure because system disruption affects public safety and essential services. Colonial Pipeline's $4.4 million payment to DarkSide was motivated by the fuel supply crisis affecting the entire US East Coast. Manufacturing is increasingly targeted because production line downtime costs $300,000-$1M per hour — making even multi-million dollar ransom payments economically rational compared to extended downtime.

Education has emerged as a growing target because schools and universities have limited security budgets, hold sensitive data (student records, financial aid information), and face extreme pressure during academic terms when system availability is critical. Lincoln College, a 157-year-old institution, permanently closed in 2022 after a ransomware attack compounded existing financial challenges. Financial services, while heavily targeted, has the strongest security posture and the highest non-payment rate, reflecting both regulatory guidance against payment and mature backup and recovery capabilities.

Small and medium businesses (SMBs) face disproportionate ransomware impact. While individual ransom demands are lower ($10K-$500K range), the cost relative to revenue is catastrophic. With average annual revenues of $5-50 million, a $200K ransom plus $1M in recovery costs can represent 5-25% of annual revenue — a business-ending event for many organizations. Ransomware groups increasingly target SMBs specifically because they are more likely to pay and less likely to have robust backup and recovery capabilities.

Ransomware Incident Cost Timeline

Day 0
  • Systems encrypted. Operations halt.
  • Cost: revenue loss begins immediately

Day 1-3
  • IR engagement, forensic triage, ransom negotiation begins
  • Cost: $50K-$200K (IR firm retainer + forensics)

Week 1
  • Scope assessment, notification obligations identified, backup evaluation
  • Cost: $200K-$500K (legal, forensics, executive time)

Week 2-4
  • System rebuild or restoration from backups; if paying, decryptor deployment
  • Cost: $500K-$2M (IT rebuild, business interruption)

Month 2-3
  • Customer notification, regulatory filings, credit monitoring setup
  • Cost: $100K-$500K (notification + monitoring)

Month 3-12
  • Security hardening, legal proceedings, insurance claims
  • Cost: $200K-$1M (legal, security upgrades)

Year 1-3
  • Litigation, regulatory fines, ongoing compliance requirements
  • Cost: $500K-$10M+ (settlements, fines, increased premiums)

Source: Composite timeline based on IBM, Sophos, and Coveware incident data. Last verified: April 2026.


Frequently Asked Questions

The average cost of a ransomware breach is $5.08 million according to IBM's 2025 report, while Sophos estimates the broader average (including recovery) at $5.75 million. This is 14% higher than the $4.44 million all-breach average. Critically, the ransom payment itself represents only about 12% of total incident cost. The majority of expenses come from business interruption (40% of total cost), data recovery (15%), forensic investigation (12%), and legal and regulatory response (13%). Even organizations that refuse to pay the ransom face a mean recovery cost of $1.53 million.

Most security experts and law enforcement agencies advise against paying ransoms. In 2025, 64% of organizations refused to pay (up from 59% in 2023). Key reasons against payment include: only 65% of data is recovered on average after payment; 80% of organizations that pay are attacked again within 12 months; payment may violate OFAC sanctions if the threat actor is a sanctioned entity; and payment funds future criminal activity. However, the decision is context-dependent. Organizations without adequate backups, or those in healthcare where system downtime affects patient safety, face a different calculus. Legal counsel and law enforcement (FBI, CISA) should be consulted immediately, as they may already have decryption keys from prior investigations.

Ransomware payment amounts vary widely by source and methodology. The median ransom demand is approximately $1.32 million, but actual payments are typically lower after negotiation, ranging from $115,000 to $1 million depending on the organization's size and negotiating leverage. The largest confirmed payment is $75 million (Dark Angels, 2024). Payment amounts have been declining as a percentage of demands, reflecting both improved negotiation by incident response firms and the growing willingness of organizations to refuse payment entirely. Notably, demand amounts are calibrated to the victim's annual revenue: attackers research their targets and set demands they believe the organization can and will pay.

Full ransomware recovery typically takes 2-4 weeks for organizations with tested backup and recovery procedures, and 1-3 months for those without adequate backups. The timeline breaks down roughly as follows: initial triage and assessment (1-3 days), forensic investigation and scope determination (1-2 weeks), system rebuild or restoration (1-4 weeks), business process restoration (1-2 weeks), and security hardening (ongoing for months). Organizations that pay the ransom do not necessarily recover faster: decryptors provided by attackers are often slow, buggy, and may not work on all systems. The hidden cost of recovery extends well beyond system restoration to include months of legal proceedings, regulatory compliance, and security improvements.