The Average Cost Of Ransomware Attacks In 2025
The average cost of a ransomware attack in 2024 was $5.13M.
This includes the ransom payment, recovery costs, and indirect costs such as damage to reputation and customer trust.
Over the last 6 years, the average cost of ransomware has increased by 574% from $761,106 to $5.13M.
In Q1 2025, Check Point reported a 126% increase in ransomware attacks, with the average number of daily attacks reaching 275, up 47% compared to last year.
Given the consistent upward trend in ransomware costs and threat actor activities, we can estimate the average ransomware attack cost in 2025 to be between $5.5M and $6M, an increase of 7% – 17% from 2024.
The average cost of ransomware attacks by year:
$35/MO PER DEVICE
Enterprise Security Built For Small Business
Defy your attackers with Defiance XDR™, a fully managed security solution delivered in one affordable subscription plan.
The Average Ransom Demand Is Increasing
From 2019 to 2024, the average ransom demand has increased by 4,559%.
Threat actors are getting bolder with their attacks and their demands. They understand their targets well and know their willingness to pay.
The average ransom demand by year:
- 2024 – $5.2M (Infosecurity Magazine)
- 2023 – 1.54M (Sprinto)
- 2022 – $812,360 (Sophos)
- 2021 – $220,298 (StationX)
- 2020 – $200,000 (Comparitech)
- 2019 – $111,605 (AAG IT Support)
It’s important to note that industry plays a significant factor when averaging out the ransom demand.
The average ransom demand by industry in the United States:
- Retail, Restaurant, And Hospitality: $5.7M (Statista)
- Energy And Technology: $5.4M (Statista)
- Finance And Insurance: $3.91M (Statista)
- Healthcare: $3.49M (Statista)
- Manufacturing: $3.35M (Statista)
- Government: $1.58M (Statista)
- Business And Professional Services: $1.13M (Statista)
- Education: $960,000 (Statista)
- Nonprofit: $100,000 (Statista)
Free Incident Response Policy
Skip the policy-writing hassle with our ready-to-use incident response policy template.
CISOs Agree To Higher Ransom Payments
From 2018 to 2024, the average ransom payment has increased 1343% from $28,920 to $417,410.
The largest single confirmed ransom payment was $75M paid to the Dark Angels ransomware group by an undisclosed Fortune 50 company.
In Splunk’s 2023, “The CISO Report,” CISOs were asked if those who had experienced a ransomware attack had paid the ransom demand.
83% responded with yes.
It stands to reason that if the average ransom demand increases and the majority of CISOs are willing to pay the ransom, ransom payments are also increasing.
The average ransom payment by year:
- 2024 – $417,410 (Statista)
- 2023 – $747,651 (Statista)
- 2022 – $600,688 (Statista)
- 2021 – $511,957 (Statista)
- 2020 – $794,620 (Statista)
- 2019 – $302,539 (Statista)
- 2018 – $28,920 (Statista)
CISOs are sometimes placed in situations where the only option is to pay the ransom demand.
This can stem from an inability to get adequate investments into their cybersecurity program, or because the financial losses of prolonged downtime are far worse.
For example, the average downtime from ransomware is 24 days. That downtime translates to hundreds of thousands or millions of dollars in daily losses.
Despite this, the attackers understand the trends and know that CISOs are willing to pay a ransom when their attacks significantly impact operations.
Is it worth paying the ransom demand?
Likely, no.
According to a Ponemon Institute report, of the 51% of businesses that choose to pay a ransom, only 13% received all of their data back. Ultimately, it’s a gamble that relies on threat actors to honor their terms of the agreement.
Choosing to pay the ransom is also an ethical and legal consideration.
The United States made it illegal to pay a ransom. The idea is that you’re rewarding criminal activity while funding the attacker’s next campaign.
For advanced persistent threats (APTs) and nation-state threat actors, paying the ransom could have national security and defense implications.
Examples Of Ransom Payments
- CDK Global (June 2024): The BlackSuit ransomware gang, believed to be an offshoot of the Royal ransomware group and linked to the now-defunct Conti group, claimed responsibility for the attack. The attackers encrypted critical files and systems of CDK Global, a software provider for approximately 15,000 car dealerships in the U.S. and Canada. The initial ransom demand was reported as $10 million, but it escalated to over $50 million after a second cyberattack during recovery efforts. CDK Global reportedly paid a $25M ransom (approximately 387 Bitcoin) on June 21, 2024, to BlackSuit affiliates, as traced by blockchain security firm TRM Labs.
- Change Healthcare (February 2024): The ALPHV/BlackCat ransomware gang, operating under a ransomware-as-a-service (RaaS) model, claimed responsibility for the attack. The attackers encrypted key systems across Change Healthcare’s network, a major healthcare payment processing company handling 15 billion claims annually (about 40% of U.S. healthcare claims). They also exfiltrated approximately 6 terabytes of data, including personally identifiable information (PII) such as Social Security numbers, medical records, insurance records, payment details, and information on active U.S. military personnel. The initial ransom demand was $22 million. Change Healthcare, a subsidiary of UnitedHealth Group, agreed to pay the $22M ransom (approximately 350 Bitcoin) on March 1, 2024, to ALPHV/BlackCat, as confirmed by UnitedHealth Group CEO Andrew Witty during a congressional hearing on May 1, 2024.
- Caesar’s Entertainment (August 2023): The Scattered Spider (also known as UNC3944 or Oktapus) hacking group, an affiliate of the ALPHV/BlackCat ransomware gang, was responsible for the attack. The attackers gained access to Caesars’ network through a social engineering attack on an outsourced IT support vendor, encrypting unspecified systems and exfiltrating a copy of the Caesars Rewards loyalty program database. This database contained personal information of a significant number of members, including names, driver’s license numbers, Social Security numbers, dates of birth, and, for some, tax information or credit line details required for large casino winnings. The initial ransom demand was $30 million. Caesars Entertainment paid approximately $15 million, as confirmed in Caesars’ SEC filing.
- JBS Foods (May 2021): The FBI attributed the attack to REvil (also known as Sodinokibi) ransomware gang, a Russian-speaking cybercriminal group that has a history of targeting large organizations with high ransom demands. The attackers encrypted critical IT systems supporting JBS’s North American and Australian operations, disabling beef and pork slaughterhouses across the U.S., Canada, and Australia. In addition, 45 GB of data was exfiltrated from JBS’s systems between March 1 and May 29, 2021. The exact ransom demand was not publicly disclosed by JBS or REvil. However, given REvil’s history of demanding high ransoms, it is likely the demand was in the range of tens of millions of dollars. JBS paid a $11M ransom in Bitcoin on June 9, 2021, to REvil, as confirmed by JBS USA CEO Andre Nogueira.
- Colonial Pipeline (May 2021): The FBI and multiple media sources confirmed DarkSide’s involvement, noting the group’s origins in Eastern Europe or Russia, though no direct link to state-sponsored activity was established. The attackers encrypted Colonial Pipeline’s IT network, specifically targeting billing and accounting systems, and exfiltrated 100 gigabytes of data within a two-hour window. The compromised systems included the company’s shared internal drive, critical for managing the pipeline’s business operations. The ransom demand was approximately $4.4 million (75 Bitcoin at the time). Colonial Pipeline paid $4.4 million (75 Bitcoin) to DarkSide on May 7, 2021, within hours of the attack, as confirmed by CEO Joseph Blount. The U.S. government was able to recover $2.3M of the ransom.
Free Security Policy Templates
Get a step ahead of your cybersecurity goals with our comprehensive templates.
The Average Cost Of Stolen Data Is Increasing
From 2019 to 2024 the average cost per stolen record increased by 13%.
Attackers Are Beginning To Favor Extortion Over Ransom
Extortionware, which involves stealing sensitive data and threatening to leak it, has become more prevalent than encryption-based ransomware.
In 2024, 90% of ransomware attacks involved data exfiltration, up from 85% in 2023 and 10% in 2019.
Encryption requires more technical expertise, longer dwell time, and is detectable by modern endpoint detection and response (EDR) or extended detection and response (XDR) systems.
The effectiveness of backups and decryption tools has reduced the incentive to pay encryption-based ransoms, pushing attackers toward extortion.
Law enforcement actions, such as the FBI’s release of 7,000 LockBit decryption keys in 2024, further diminished encryption’s viability, encouraging groups to prioritize data leaks.
In contrast, extortionware requires less technical expertise than encryption, enabling less-skilled attackers to participate via Ransomware-as-a-Service (RaaS) platforms. This accessibility has fueled its growth.
Evolution To Double And Triple Extortion
Attackers also combine encryption with data exfiltration (double extortion) or add further pressure through DDoS attacks, media leaks, or contacting customers (triple extortion), amplifying extortion’s impact.
Double extortion was used in 62% of financially motivated data breaches in 2024, while triple extortion is becoming more common, with 27% of attacks involving it in 2023.
Understanding The True Cost Of Ransomware Attacks
The cost of a ransomware attack goes beyond the ransom demand or downtime. On average, small businesses impacted by a data breach can expect to pay $120,000 to $1.24M to respond and recover.
To understand the full impact of a ransomware attack on your business, consider the following:
- Direct financial damages.
- Employee hours spent resolving the breach.
- Hiring firms specializing in incident response.
- Loss of revenue from clients.
- Higher insurance premiums.
- Penalties for non-compliance.
Beyond finances, breaches cause reputational damage, stolen intellectual property, and loss of future investments, eroding customer trust.
IT and security teams may also face significant stress and long hours, leading to burnout and staff turnover, further compounding costs.
$35/MO PER DEVICE
Enterprise Security Built For Small Business
Defy your attackers with Defiance XDR™, a fully managed security solution delivered in one affordable subscription plan.
Why Ransomware Attacks Are On The Rise
In most cases, the motive for threat actors is financial.
As discussed earlier, CISOs are willing to pay higher ransom demands, small businesses make ideal victims for attackers, and the price of data sold on the dark web is increasing.
These are excellent market conditions for the entrepreneurial cybercriminals.
Ransomware as a service (RaaS) gangs continue to innovate with new affiliate models and are joining forces to expand their operations and launch campaigns.
From a cyber operations perspective, there are four main contributing factors to the growth of ransomware attacks:
- Poor Infrastructure Visibility: Inadequate visibility into network devices and data flows enables ransomware to spread undetected.
- Lack Of Strategic Guidance: Without a cybersecurity strategy in place or guidance from a virtual CISO, businesses fail to prioritize defenses, making them easy targets for ransomware gangs.
- Unpatched Vulnerabilities: Unpatched systems remain a critical weak point for businesses, serving as prime entry points for ransomware attacks. Monthly scanning and patching cycles are no longer sufficient.
- Weak Incident Response Planning: An ineffective incident response plan prolongs ransomware recovery, averaging 24 days, increasing costs and damage as businesses lack tailored policies to mitigate sophisticated attacks.
Small Businesses Are Most Vulnerable To Ransomware Attacks
Cybercriminals target small businesses because they often lack dedicated IT security teams, rely on outdated or basic security tools, and fail to patch systems regularly.
Only 14% of small businesses have a cybersecurity plan, leaving them exposed to sophisticated attacks that exploit poor infrastructure visibility, unpatched vulnerabilities, lack of strategic guidance, and weak incident response planning.
In addition, ransomware gangs like Phobos, Akira, Crysis/Dharma, and Royal have all been known to target small businesses.
The Impact Of AI On Ransomware Attacks
AI in cybersecurity has evolved tremendously over the last 5 years.
Cybercriminals are using AI to enhance ransomware attacks with unprecedented sophistication, scalability, and stealth.
Threat actors can now leverage AI to create realistic phishing campaigns and deepfakes at scale and at no cost. AI tools also enable hackers to write sophisticated malware faster and with little coding knowledge.
According to Deloitte, generative AI could enable fraud losses to reach up to $40B in the United States by 2027.
- Generating Adaptive Ransomware: AI creates polymorphic ransomware that mutates to evade detection, challenging traditional antivirus systems.
- Enhancing Phishing Delivery: AI crafts personalized phishing emails to deliver ransomware, exploiting social engineering for higher infection rates.
- Automating Reconnaissance: AI scans for vulnerabilities, streamlining target selection for ransomware exploitation.
- Scaling And Personalizing Campaigns: AI orchestrates large-scale, tailored ransomware attacks, overwhelming organizational defenses.
- Evading Detection: AI uses adversarial attacks and data poisoning to bypass AI-based security, increasing ransomware success.
How Defiance XDR™ Protects Businesses From Ransomware Attacks
Defiance XDR™, a fully managed Extended Detection and Response (XDR) solution, provides robust protection against ransomware attacks by leveraging threat intelligence, AI-driven automation, and expert oversight to secure the entire IT infrastructure—from endpoints (e.g., laptops, servers) to cloud environments (e.g., Microsoft 365, AWS) and connected devices (e.g., IoT).
Defiance XDR™ protects businesses from ransomware attacks by leveraging threat intelligence to detect and respond to threats proactively.
Real-time monitoring feeds, behavioral analytics, and targeted protections identify ransomware early, while our proactive threat hunting, automated responses, and unified visibility deliver enterprise-grade security.
Starting at $35/month, Defiance XDR™ consolidates cybersecurity tools and offloads management to experts, making it affordable and accessible.
Built for small businesses, the user-friendly design, scalability, and expert-led support ensure robust ransomware defense without complexity.
$35/MO PER DEVICE
Enterprise Security Built For Small Business
Defy your attackers with Defiance XDR™, a fully managed security solution delivered in one affordable subscription plan.
Frequently Asked Questions
How Much Has The Cost Of Ransomware Increased Over The Last 6 Years?
The average cost of a ransomware attack increased by 574% from $761,106 in 2019 to $5.13 million in 2024.
What Is The Average Cost Of A Ransomware Attack?
In 2024, the average cost of a ransomware attack was $5.13 million, including ransom payments, recovery costs, and indirect damages like reputational harm; it’s estimated to rise to $5.5–$6 million in 2025.
What Is The Recovery Cost Of A Ransomware Attack?
The average recovery cost of a ransomware attack in 2023 was $1.82M, excluding the ransom payment, covering downtime, legal fees, and system restoration.
What Is The Average Payment For Ransomware?
In 2024, the average ransomware payment was $417,410, up from $747,651 in 2023.
What Is The Largest Ransomware Payment?
The largest confirmed ransomware payment was $75 million, paid to the Dark Angels ransomware group by an undisclosed Fortune 50 company
How Much Cyber Insurance Coverage Do I Need For Ransomware Attacks?
Cyber insurance coverage needs vary, but policies should cover first-party costs (e.g., ransom payments, recovery, legal fees) and third-party liabilities, with premiums projected to grow from $14 billion in 2023 to $29 billion by 2027; consult an insurer to tailor coverage to your business’s risk profile and potential $5.5–$6 million attack costs.
What Was The Global Cost Of Ransomware In 2024?
The global cost of ransomware in 2024 was between $40-$50B.
What Is The Estimated Global Cost Of Ransomware By 2031?
The global cost of ransomware is projected to reach $265 billion annually by 2031.
What Is The Average Cost per Record of Data?
In 2024, the average cost per stolen record was $169, up 13% from $150 in 2019.
Article by
Related Content
