Many organizations estimate ransomware costs by adding the ransom demand to a few days of downtime. The reality is much broader. Every additional hour spent recovering increases lost revenue, lost employee productivity, customer disruption, regulatory exposure, and recovery expenses. By the time systems are fully restored, the ransom itself may represent only a small fraction of the total financial impact.

## What the data says about ransomware costs

Industry research gives useful benchmarks to anchor an estimate, even though every incident differs:

- The average cost of a ransomware or extortion breach was $5.08 million in the IBM Cost of a Data Breach Report 2025, making it one of the most expensive breach types. Across all data breaches, the global average was $4.44 million, rising to $10.22 million in the United States (IBM, 2025).
- The mean cost to recover from a ransomware attack, excluding any ransom paid, was $1.53 million in the Sophos State of Ransomware 2025 survey of 3,400 organizations. The median ransom payment was about $1 million, and most organizations that paid negotiated below the original demand (Sophos, 2025).
- A majority of victims, 63%, refused to pay the ransom, up from 59% the year before (IBM, 2025).
- Recovery is rarely quick. Most breached organizations reported taking more than 100 days to recover (IBM, 2025).

These figures are averages across thousands of organizations and sectors. Your own number depends on your revenue, your industry, and above all how quickly you can recover, which the rest of this guide helps you estimate.

## The false economy of paying the ransom

Paying a ransom is often viewed as a shortcut to recovery, but it rarely reduces the final bill. Most of a ransomware incident's costs accumulate regardless of whether you pay the attackers. Even if a decryption key is purchased, organizations still face massive financial burdens:

- **Decryption is notoriously slow.** The decryption tools provided by attackers are often clunky and incomplete. Systems still suffer days or weeks of operational downtime as data is painstakingly restored, validated, and brought back online.
- **The data leak threat remains.** If data was exfiltrated before being encrypted, paying the ransom guarantees absolutely nothing. Attackers frequently leak or sell the data anyway, triggering the same regulatory fines and legal exposure.
- **The long-tail costs still apply.** A decryption key does not repair reputational damage, restore lost customer trust, or prevent your cyber insurance premiums from skyrocketing at the next renewal.

Ultimately, payment is an additional cost stacked on top of the others, not a substitute for them.

## Why attackers target backups

Modern ransomware does not simply encrypt production data. It seeks out and disables the recovery mechanism first, because an organization that can restore cleanly has no reason to pay.

Industry research underscores how deliberate this is. The Veeam Ransomware Trends report found that the large majority of attacks attempt to compromise backup repositories, that most affected organizations lost at least some of their backups, and that on average only a portion of affected data was recovered. When the backup is reachable and alterable, it becomes part of the attack surface rather than the safeguard against it.

This is why immutability has moved from a feature to a requirement. A backup that cannot be altered or deleted within its retention window, regardless of credentials, removes the attacker's ability to disable recovery. Our overview of building ransomware-proof backups covers the mechanics in detail.

## Recovery speed is the variable that dominates the cost

Most ransomware cost is a function of time. The longer systems remain down, the larger the operational, productivity, and reputational losses become. That makes recovery speed the single most important factor an organization can influence, and it depends directly on how backups are stored.

Two backup architectures can hold the same data and recover at very different speeds. A target that streams restores in parallel returns systems to service faster than one that must reassemble (rehydrate) deduplicated data before it is usable. In a routine restore that difference is a convenience. In a full recovery across an estate under attack, it is the difference between a recovery measured in days and one measured in weeks, and the cost scales accordingly.

The practical impact is visible in real incidents. One service provider running immutable storage restored all of a customer's locked servers from immutable backups over a single weekend, because the recovery copy could not be touched by the attack and could be read back quickly. Recovery that fast contains the cost before it compounds.

## Estimating the cost for your organization

A defensible estimate combines two figures: the per-hour or per-day cost of the disruption, and a realistic recovery duration based on your backup architecture. Multiplying the two gives the operational loss; remediation and regulatory, legal and insurance costs are added on top.

| Factor | Example |
|---|---|
| Daily cost of disruption | $300,000 |
| Realistic recovery duration | 10 days |
| Operational loss subtotal | $3,000,000 |
| Recovery and remediation | $500,000 |
| Regulatory, legal, insurance | $750,000 |
| Indicative total | $4,250,000 |

The figures are illustrative, but the structure holds: the operational loss, driven by recovery duration, dominates the total. This is why investments that shorten recovery, particularly fast-restoring immutable backups, have such a large effect on the expected cost of an incident. For broader context on the threat, see our analysis of ransomware attacks on state governments.

## Reducing the expected cost

Because recovery speed and backup integrity drive most of the cost, the most effective investments target both:

- **Immutability on write**, so the recovery copy cannot be disabled by the attack
- **Fast, rehydration-free restore**, so recovery duration stays short
- **Layered controls**, so a single compromised credential cannot reach the backups
- **Tested recovery**, so the restore works as expected under real conditions

These measures do not prevent every attack, but they sharply reduce its expected cost by ensuring the organization can recover quickly without paying. For a structured approach, see our ransomware recovery strategy guide.

## Why early estimates understate the total

A significant share of a ransomware incident's financial impact trails months or even years behind the initial attack. Because these long-tail costs accumulate long after systems are back online, early estimates almost always understate the total.

Accounting for this extended timeline matters because it fundamentally changes the investment calculus. When the full, multi-year cost of an outage is on the table, measures that guarantee rapid recovery become far easier to justify. It shifts the conversation from an IT expense to a core risk-management strategy.

Quantifying this exposure makes the business case undeniable. To weigh the true cost of an outage against the investment in a resilient, immutable backup target, model your own five-year figure with the ARTESCA TCO calculator, and gain peace of mind knowing your data is backed by the $100,000 ARTESCA Cyber Guarantee.

## Frequently asked questions

**Should we factor the ransom into our cost estimate?**

It can be included, but it should not dominate the model. The operational, recovery, regulatory, and reputational costs are typically far larger, and they apply whether or not the ransom is paid.

**Does cyber insurance cover the full cost?**

Coverage varies, and insurers increasingly require specific controls such as immutable backups as a condition of cover. Insurance offsets part of the cost, but the operational and reputational impact still falls on the organization.

**What single change most reduces the expected cost?**

Ensuring backups are immutable and can be restored quickly. Together these remove the attacker's leverage over recovery and shorten the disruption, which is where most of the cost accumulates.