Ransomware Costs Continue to Escalate
The name pretty much sums it up. Ransomware is malware that encrypts a victim’s files (and, increasingly, steals a copy of them first) and demands a ransom to restore access. But how much do attackers demand today?
According to The State of Ransomware 2025, the average ransom payment is $1.0 million, while the average recovery cost is $1.5 million. Recovery includes downtime, device costs, network repairs, lost opportunities, ransom payments, and more.
Ransomware attacks most frequently target government, manufacturing, construction, utilities, and service industries. Safety Detectives reported that the government sector suffered 15.4% of ransomware attacks. Even worse, only 39% of organizations stopped an attack before data encryption occurred. Nearly one-third of organizations ended up paying the ransom.
An organization’s need to restore access to files often determines whether it pays. Organizations holding sensitive or mission-critical data, such as government agencies, medical facilities, or law firms, are especially likely to pay quickly. In many cases, businesses pay simply to keep stolen data from being published.
How Ransomware Works
Ransomware reaches victims in several ways. Phishing is still the leading delivery method, impacting 65% of organizations. Others, like WannaCry and NotPetya, spread by exploiting unpatched vulnerabilities directly (both used the EternalBlue SMB exploit), and many intrusions today begin with stolen credentials for exposed remote-access services such as RDP or VPN.
Once inside, ransomware typically encrypts Microsoft Word documents, databases, images, and other files. Most families use hybrid encryption: each file is encrypted with a fresh symmetric key, and that key is in turn encrypted with a public key embedded in the malware. Only the attacker holds the matching private key, so the victim stays locked out even with the malware sample in hand.
In severe cases, ransomware spreads beyond the first machine to file shares, servers, and backups across the network. Attackers typically demand payment within 24–48 hours. Even after paying, organizations recover on average only about 65% of their data.
Some Notable Ransomware Examples
- WannaCry: Impacted 200,000+ computers across 150 countries.
- TeslaCrypt: Responsible for 48% of ransomware attacks in 2016.
- SimpleLocker: A trojan that specifically targeted Android devices.
- SamSam: Disrupted the Colorado Department of Transportation and the City of Atlanta.
- Ryuk: Impacted newspapers and organizations in 2018–2019, with operators reportedly earning over $150 million in Bitcoin.
Recovery times range from two to four weeks, but in some cases, it can take months.
Responding to a Ransomware Attack
The first instinct may be to wipe the machine or remove the ransomware, but that can destroy the ransom note, the sample, and the logs needed to identify the strain and find a decryptor, and it makes the intrusion harder to investigate. Instead, follow a clear remediation plan:
- Isolate the affected system: Disconnect it from wired and wireless networks immediately. Leave it powered on where possible; memory holds evidence that a reboot destroys.
- Notify your IT team and cyber insurance provider: Start mitigation and legal processes quickly.
- Identify the ransomware strain: The ransom note and the extension appended to encrypted files usually identify the family, which tells you how it spreads and whether a free decryptor exists (the No More Ransom project maintains a list).
- Check backups: Confirm that backups are current and were not reached by the attacker before restoring from them; ransomware routinely targets backup shares and deletes volume shadow copies.
- Report the incident: Ransomware is a crime, and regulations or contracts may require reporting to law enforcement, regulators, or affected customers.
When it’s time to remove the malware, standard recovery steps include the following. Where feasible, rebuild from a known-good image rather than cleaning in place, and capture a disk image first if forensics or an insurance claim will need it.
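As an added example (not IntermixIT’s tooling or any vendor’s product), here is the kind of triage script a responder runs against a copy of the affected data once the machine is isolated, to support the “identify the strain” step: it walks a directory, flags files whose leading bytes have the near-8-bits-per-byte entropy of ciphertext, skips known compressed containers that are legitimately high-entropy, and collects the appended extension and the ransom note, which are what strain-identification services key on. The entropy threshold, the note heuristics, and the sample directory tree are assumptions constructed for the example.

```python
"""Ransomware triage helper.

Added example, not IntermixIT's tooling. Walks a directory, scores the
leading bytes of each file for Shannon entropy, and collects the two
artefacts responders use to identify a strain: the appended extension
and the ransom note. The sample tree it scans is constructed in a
temporary directory, so it runs offline.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Tuning values below are assumptions for this example, not vendor defaults.
HIGH_ENTROPY = 7.5            # bits per byte; ciphertext and random data sit near 8.0
HEAD_BYTES = 64 * 1024        # score only the head: many families encrypt the file start
MIN_SIZE = 64                 # tiny files give meaningless entropy figures
NOTE_NAME_HINTS = ("readme", "recover", "decrypt", "restore", "how_to", "how-to")
NOTE_TEXT_HINTS = ("your files", "decrypt", "bitcoin", ".onion")
# Legitimately high-entropy containers (zip/docx, gzip, JPEG, PNG, PDF); skipping
# them removes the obvious false positives.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path, data: bytes) -> bool:
    """Name hint plus at least two extortion phrases in the text."""
    name = path.name.lower()
    if not any(h in name for h in NOTE_NAME_HINTS):
        return False
    text = data[:HEAD_BYTES].decode("utf-8", errors="ignore").lower()
    return sum(h in text for h in NOTE_TEXT_HINTS) >= 2


def triage(root: Path) -> dict:
    """Return likely-encrypted files, ransom notes, and the appended extensions seen."""
    encrypted, notes, ext_counter = [], [], Counter()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if looks_like_ransom_note(path, data):
            notes.append(path.name)
            continue
        if len(data) < MIN_SIZE or data.startswith(KNOWN_MAGIC):
            continue
        if shannon_entropy(data[:HEAD_BYTES]) >= HIGH_ENTROPY:
            encrypted.append(path.relative_to(root).as_posix())
            ext_counter[path.suffix.lower()] += 1
    return {
        "encrypted_files": encrypted,
        "ransom_notes": sorted(set(notes)),
        "extensions": ext_counter.most_common(),   # feed these to a strain lookup
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two 'encrypted' files, a note, and benign files."""
    (root / "finance").mkdir()
    (root / "finance" / "invoice.pdf.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "ledger.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "README_TO_RESTORE.txt").write_text(
        "Your files have been encrypted. To decrypt them, pay in bitcoin "
        "and contact us via the .onion address in this note.\n"
    )
    (root / "notes.txt").write_text("Quarterly planning notes, nothing unusual here.\n" * 40)
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))  # benign high entropy


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    print("Likely encrypted:", result["encrypted_files"])
    print("Ransom notes:", result["ransom_notes"])
    print("Appended extensions:", result["extensions"])
```

High entropy is a strong but imperfect signal. Office documents are zip containers and would otherwise score as encrypted, which is why the magic-byte skip is there; an encrypted copy of one no longer starts with those bytes and is still caught. Other compressed formats will still show up as false positives, and families that encrypt only part of each file lower whole-file entropy, which is why only the head of each file is scored.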
- Booting Windows in Safe Mode
- Installing anti-malware software
- Scanning and cleaning infected systems
- Restoring from backups
Preventing Ransomware Attacks
Prevention is always less expensive than recovery. Best practices include:
- Enforce strict password policies and require multi-factor authentication, especially on remote access (VPN, RDP) and email.
- Keep operating systems and applications fully updated.
- Remove legacy apps and unused software.
- Deploy antivirus and endpoint protection.
- Regularly scan files and monitor network traffic.
- Allowlist approved applications so unknown executables cannot run.
- Conduct cybersecurity awareness training.
- Always back up data securely, with off-site or cloud redundancy. Keep at least one copy offline or immutable so the ransomware cannot encrypt or delete it, and test restores regularly.
- Use Managed Detection & Response (MDR) supported by a Security Operations Center (SOC).
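The “Check backups” step in the response plan above and the backup practice in this list both come down to one question before a restore: is this copy current and untouched? The following Python is an added example, not IntermixIT’s tooling or any backup product’s feature. It writes a SHA-256 manifest when a backup is taken, signs it with an HMAC key kept off the backup host, and refuses a restore if the manifest was altered, the backup is older than the recovery point objective, any file’s hash changed, or an unlisted file (a ransom note, say) appeared on the share. The RPO, the key handling, the fixed clock, and the backup files are assumptions constructed for the example.

```python
"""Backup integrity check before restore.

Added example, not IntermixIT's tooling. When a backup is taken it writes a
manifest (SHA-256 per file) and signs the manifest with an HMAC key that must
be kept off the backup host. Before a restore it checks the signature, the
backup's age against the allowed recovery point objective, and every file's
hash, so an encrypted or altered backup is caught before it is rolled back
into production. The backup set, key and clock are constructed here so the
script runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600   # assumed recovery point objective for the example


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the HMAC covers exactly the same bytes at sign and verify time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_root: Path, key: bytes, now: float | None = None) -> dict:
    """Hash every file under backup_root and sign the listing with an HMAC."""
    files = {
        p.relative_to(backup_root).as_posix(): file_sha256(p)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }
    body = {"created": time.time() if now is None else now, "files": files}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_backup(backup_root: Path, manifest: dict, key: bytes, now: float | None = None) -> list[str]:
    """Return the problems found; an empty list means the backup is safe to restore from."""
    problems: list[str] = []
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest signature invalid (manifest altered or wrong key)"]  # nothing else is trustworthy
    age = (time.time() if now is None else now) - manifest["body"]["created"]
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"backup is {age / 3600:.1f} h old, older than the RPO")
    listed = manifest["body"]["files"]
    for rel, digest in listed.items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_sha256(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    for p in sorted(backup_root.rglob("*")):
        rel = p.relative_to(backup_root).as_posix()
        if p.is_file() and rel not in listed:
            problems.append(f"unexpected file: {rel}")   # e.g. a ransom note dropped on the share
    return problems


def run_demo() -> dict:
    """Constructed scenario: clean backup, stale backup, encrypted backup, forged manifest."""
    key = os.urandom(32)                 # in production: secrets manager or offline media, never the backup host
    t0 = 1_700_000_000.0                 # fixed clock so the age check is deterministic
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2025-01-01"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "crm.sql").write_text("INSERT INTO customers VALUES (1, 'Acme');\n" * 100)
        (backup / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(backup, key, now=t0)

        clean = verify_backup(backup, manifest, key, now=t0 + 3600)
        stale = verify_backup(backup, manifest, key, now=t0 + 3 * 24 * 3600)

        # Ransomware reaches the backup share: one file encrypted, a note dropped.
        (backup / "db" / "crm.sql").write_bytes(os.urandom(2048))
        (backup / "README_TO_RESTORE.txt").write_text("Your files are encrypted. Pay in bitcoin.\n")
        tampered = verify_backup(backup, manifest, key, now=t0 + 3600)

        # The attacker edits the manifest to match the new hash, but cannot re-sign it.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["files"]["db/crm.sql"] = file_sha256(backup / "db" / "crm.sql")
        forged_result = verify_backup(backup, forged, key, now=t0 + 3600)
    return {"clean": clean, "stale": stale, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The HMAC only helps if the key is not stored beside the backup; an attacker who reaches both simply re-signs. The check complements, rather than replaces, offline or immutable storage: immutability stops a copy from being altered, and the manifest tells you whether the copy in front of you can be trusted.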
To Pay or Not to Pay the Ransom
According to Emsisoft, ransomware demand costs exceeded $1.4 billion in 2020. That number has only grown since. But should companies pay?
The FBI strongly advises against it. There’s no guarantee that the attackers will provide a working decryption key, paying marks you as a target willing to pay, and paying a sanctioned group can create legal exposure under U.S. Treasury (OFAC) guidance. Each business must weigh the cost of downtime against the ransom, but paying is never a safe bet.
Lay Down a Strong Cyber Defense
As the saying goes, an ounce of prevention is worth a pound of cure. A layered security approach is your best defense against ransomware.
At IntermixIT, we deliver award-winning cybersecurity services throughout Pennsylvania, Maryland, Delaware, and beyond.
Talk to us about a network assessment. We’ll review your infrastructure, identify vulnerabilities, and provide you with a clear CyberSUCCESS Score—so you know where your defenses stand.
Ransomware FAQs
1. What is ransomware?
Ransomware is malicious software that encrypts files and demands payment (a ransom) for their release. Victims are often locked out of their systems until they pay.
2. How much does ransomware cost businesses in 2025?
On average, ransom payments are $1.0 million, while recovery costs (including downtime and remediation) average $1.5 million.
3. Should I pay the ransom if my business is attacked?
The FBI advises against paying because there’s no guarantee files will be restored, and paying funds and encourages future attacks. Instead, rely on tested backups and a rehearsed recovery plan.
4. How can I protect my business from ransomware?
Use multi-factor authentication, keep software updated, run endpoint protection, conduct cyber awareness training, and maintain secure backups.
5. What industries are most at risk for ransomware?
Government, healthcare, manufacturing, construction, utilities, and SMBs are frequent targets because of sensitive data and often limited cybersecurity budgets.
6. What should I do first if I’m hit by ransomware?
Immediately isolate the infected device from the network, notify your IT provider, contact your cyber insurance carrier, and report the incident to authorities.