Ransomware Cost: What a Ransomware Attack Costs in 2026
Ransomware attacks encrypt or exfiltrate an organisation's data, then demand payment for decryption or data suppression. As of 2025, ransomware is the costliest category of IT security incident, averaging $5.75M per event (Resilience Cyber Risk Report 2025), up 17% year-over-year and the highest figure on record.
Cost Breakdown
| Cost Category | Avg Amount | % of Total | Notes |
|---|---|---|---|
| Ransom payment (where paid) | $0-$2.2M avg demand | ~30-40% | 54% of orgs paid ransom in 2025 (Sophos) |
| System recovery and rebuild | $1.53M | ~27% | Restore from backup or rebuild from scratch |
| Downtime revenue loss | $1.1M avg | ~19% | Varies enormously by revenue and duration |
| Legal and regulatory | $0.6M avg | ~10% | Counsel, GDPR/HIPAA notification where applicable |
| Forensics and IR | $0.35M avg | ~6% | External IR firm, evidence preservation |
| PR and reputation | $0.25M avg | ~4% | Crisis communications, customer trust rebuilding |
Sources: Resilience Cyber Risk Report 2025, Sophos State of Ransomware 2025, Coveware Q4 2024
To Pay or Not to Pay: The Real Cost Comparison
If you pay:
- Average ransom demand: $2.2M (Coveware Q4 2024)
- Actual payment is often 50-70% of the demand after negotiation
- Recovery cost on top of the ransom: $1.82M median (Sophos)
- 60-70% are attacked again within 12 months (Cybereason)
- Data still at risk: 35% of paying organisations had their data leaked anyway
- The decryptor may be slow or incomplete: only 65% get all their data back
If you do not pay:
- Recovery cost from backups: $1.62M median (Sophos)
- No exposure to OFAC sanctions risk from paying a sanctioned actor
- Slower restoration if backups are not immutable
- Data exfiltration must still be addressed (notification is required if data was taken)
- 46% of organisations that did not pay had data published on leak sites
Bottom line: when all costs are included, paying the ransom costs more, not less. The main argument for paying is speed of restoration, not a lower total cost. Tested backups and an IR retainer are the only reliable cost reducers.
Extortion Variants and Their Cost Profiles
| Variant | Tactic | Cost vs Basic Ransomware |
|---|---|---|
| Basic encryption only | Files encrypted, demand for decryption key | Baseline |
| Double extortion | Encrypt + exfiltrate; pay or data published | +$0.8M-$1.5M (notification + legal + brand) |
| Triple extortion | Double + DDoS attack on victim during negotiations | +$1M-$2M (DDoS mitigation + faster payment pressure) |
| Ransom DDoS (RDDoS) | No encryption; DDoS threatened unless crypto paid | $50K-$500K typically (mitigation cost) |
Notable Ransomware Incidents 2021-2025
| Organisation | Year | Est. Total Cost | Details |
|---|---|---|---|
| Change Healthcare | 2024 | $2.87B+ | AlphV/BlackCat affiliate; UHG subsidiary |
| CDK Global | 2024 | $1B+ (est.) | BlackSuit ransomware; auto dealer disruption |
| MGM Resorts | 2023 | $100M+ | Scattered Spider vishing attack |
| Caesars Entertainment | 2023 | $15M ransom (paid) | Same group as MGM; chose to pay |
| Clorox | 2023 | $356M total impact | Manufacturing disruption, supply chain impact |
| Colonial Pipeline | 2021 | $4.4M ransom + weeks downtime | DarkSide; critical infrastructure |
Cost Reducers
- Tested immutable backups: the most effective single control. Organisations with tested immutable backups reduce recovery cost by 40-60%. Backups must be tested quarterly.
- IR retainer: emergency hourly rates without a retainer run $800-$1,500/hr. Retained IR firms respond in 2-4 hours, versus 24-48 hours for a cold engagement. Retainer cost: $25K-$100K/yr.
- Cyber insurance: covers ransom negotiation, IR costs, legal, and notification. Premiums average $10K-$150K/yr depending on size and industry. Insurers increasingly require MFA and EDR as conditions of coverage.
- EDR and MFA: Endpoint Detection and Response reduces the success rate of ransomware deployment. MFA eliminates credential-based ransomware entry, which accounts for 36% of incidents (Verizon DBIR 2025).