The cost of ransomware: Why every business pays, one way or another (updated for 2025)

For anybody who wonders whether cybersecurity measures actually do any good, the answer is yes, they do. The average cost of a data breach actually fell from 2024 to 2025. The number of organizations opting to pay ransoms to cyberattackers also fell. The average length of a data breach shrunk by 17 days.

Those positive trends reflect the positive impact solid cybersecurity can have for organizations looking to minimize their ransomware risks. But ransomware is still a menace for organizations of all kinds, and cybercriminals aren’t slowing their development of malicious applications designed to take data hostage.

There was some good news in the IBM Cost of a Data Breach Report 2025. For starters, the global average cost of a data breach fell to $4.44 million, a 9% decrease and the first decline in five years.

The health care sector saw a $2.35 million reduction in data breach costs from 2024 to 2025, although the average breach still cost $7.42 million. In 2024, 63% of organizations opted not to pay a ransom when threatened, compared to the 59% the year before. The global average breach lifecycle — the time to identify and contain a breach — dropped to 241 days in 2024, a 17-day reduction from 2023.

However, even organizations that recovered rapidly from a breach took more than 100 days on average to do so. That’s a long time for ransomware to be in an organization’s system undetected. And while the cost of data breaches overall fell between 2024 and 2025, the average cost of a ransomware attack has steadily grown from $4.62 million in 2021 to $5.08 million in 2025.

So, while cybersecurity measures are producing positive results, ransomware remains a major threat to organizations of all types and sizes. And attackers are casting wider nets to find victims. The Acronis Cyberthreats Report H1 2025 found that the number of publicly known ransomware victims in H1 2025 increased by nearly 70% compared to the same period in both 2023 and 2024.

Even as numbers fluctuate from year to year, they’re still massive. Few businesses could afford to lose millions of dollars to a ransomware attack. Plus, there’s more to the cost of ransomware than just paying a ransom.

Of course, the ransom itself can be extremely costly if an organization chooses to pay it. In 2024, Change Healthcare paid a $22 million ransom to the Alphv/BlackCat ransomware group. But the ransom payment only accounts for a small portion — often as little as 15% — of the overall costs associated with a ransomware attack.

The average cost of downtime as a result of a ransomware attack can frequently amount to fifty times more than the ransom demand. In the wake of an attack, the entire organization must shift its attention to recovery, from IT teams restoring encrypted or damaged data to teams from marketing, legal, human resources and other organizations handling crisis messaging. Organizations that suffer attacks are under immediate pressure to restore data and get operations up and running normally again.

Additional ransomware costs include lost sales opportunities, reduced product or services output, reputational harm, fees for external consultants to speed recovery efforts, fines by regulatory agencies and penalties paid to partners and customers. A business that fails to bring a client back quickly after ransomware attack will certainly take a reputational hit.

The consequences of ransomware attacks extend far beyond initial containment. Nearly all organizations suffer operational disruption following a data breach. The impact on businesses and their customers alike is devastating. According to IBM, nearly half of all organizations reported that they planned to raise the price of goods or services because of a breach, and nearly one-third reported price increases of 15% or more.

The ransomware landscape has continued to evolve with several high-profile attacks demonstrating the ongoing threat:

One of the most significant attacks of 2024 occurred against UnitedHealth Group's Change Healthcare. The health care technology company suffered a massive data breach through a Citrix portal that did not have multifactor authentication (MFA) enabled. Change Healthcare paid the Alphv/BlackCat ransomware group a $22 million ransom to restore operations. The total cost of the breach reached at least $2.4 billion, according to HIPAA Journal.

An attack on California-based mortgage lender LoanDepot led to significant loan service disruptions and affected 16.6 million customers. Data breach notifications showed affected information included names, addresses, phone numbers, Social Security numbers and financial account numbers. The total cost of the breach reached nearly $27 million, according to SecurityWeek.

CDK Global experienced a damaging ransomware attack. The automotive technology provider, which serves 15,000 dealerships, forced most of its systems offline to contain the threat, causing significant disruptions for downstream customers.

A ransomware attack on Aug. 5 significantly disrupted services at Michigan-based McLaren Health Care. The organization was forced to reschedule nonemergency and elective procedures, affecting primary care, specialty care clinics and cancer care. Systems were not fully restored until Aug. 27.

The Port of Seattle, which oversees the Seattle-Tacoma International Airport, suffered a ransomware attack on Aug. 24. The attack disrupted bag checking, check-in services, flight information displays and phone systems, with some services remaining down two weeks after the attack.

Arizona-based Blue Yonder suffered a ransomware attack that disrupted its supply chain management services, leading to massive fallout for downstream customers including Starbucks, Sainsbury's and Morrisons supermarkets.

The Acronis Cyberthreats Report H1 2025 drew attention to some emerging trends in ransomware:

• New groups: From January to May 2025, new ransomware groups accounted for a total of 145 victims globally.

• Emerging players: The new ransomware gangs highlighted include Devman, Nightspire and RALord/Nova.

• RaaS model: Devman and RALord/Nova operate as ransomware-as-a-service (RaaS), providing tools and infrastructure to affiliates. Devman is known to share its encryption tools with Qilin and RansomHub.

• Double extortion: Devman and Nightspire use double extortion tactics, which involve both encrypting files and threatening to leak them if the ransom is not paid.

One particularly vulnerable sector is manufacturing. Attacks on supply chain companies like Blue Yonder demonstrate how ransomware can cascade through entire sectors. In fact, manufacturing was the most targeted industry in Q1 2025, according to Acronis Cyberthreats Report H1 2025, accounting for 15% of all recorded cases.

Manufacturing and supply chain sectors, including logistics, accounted for more than 20% of cases in a campaign by the prolific Cl0p ransomware group.

Ransomware attackers continue to target victims across other industries, including:

Health care: Hospitals often have sensitive patient data and face critical operational pressures when systems are locked down, as patient care cannot be delayed.

Finance: Banks and financial institutions store confidential customer data, and regulatory penalties for data breaches can be severe.

Government: Government institutions possess critical infrastructure data, and public pressure to restore services quickly creates additional leverage for attackers.

Education: Educational organizations often retain personally identifying information and research data while operating with budget constraints and less robust cybersecurity measures.

Given the escalating costs and frequency of attacks, prevention remains critical. Among the essential elements of cyber resilience are:

• MFA: The Change Healthcare breach highlighted the critical importance of MFA on all access points.
• Backup and recovery: Robust backup systems remain essential for recovery and help organizations avoid paying ransoms.
• Employee training: Human error continues to be a primary attack vector, so training employees to avoid ransomware is essential.
• Zero trust architecture: Implementing comprehensive security models that verify every access request is a critical cybersecurity measure.

Cyber insurance policies may cover ransomware attacks, but coverage terms vary significantly. Lately, insurance rates have increased dramatically due to the rising frequency and cost of attacks. There's also ongoing debate about whether insurance companies should continue reimbursing ransom payments, as some argue this perpetuates the problem. Cyber insurance is essential but should never be a replacement for cybersecurity measures.

The news about ransomware isn’t all bad, but the threat is still severe. The continued evolution of ransomware groups demonstrates that the threat landscape is becoming more complex and includes a growing number of organizations. Success in combating ransomware requires a comprehensive approach combining robust cybersecurity measures, incident response planning, employee training and strategic investments in ransomware protection technologies.

Acronis Cyber Protect takes just such an approach. Acronis Cyber Protect is an integrated and cost-effective cyber protection solution that uses AI to detect malicious activity and prevent businesses from falling victim to ransomware attacks. It analyzes the behavior of files and applications on a system, terminating malicious processes and automatically reversing any damage done.

Acronis Cyber Protect includes a robust anti-ransomware engine that proactively detects and blocks attempts to encrypt or delete your data, and protects against other types of malware. In addition, Acronis Cyber Protect can quickly restore any data encrypted by ransomware. It includes best-of-breed data backup and disaster recovery capabilities, making it a valuable tool for businesses.

Get a closer look at how you can protect your organization against ransomware in an expert-led webinar.