Vector-specific figure
Ransomware breach: $5.08M average.
14% above the all-breach average. Most of the cost is not the ransom payment; it is downtime, forensics, recovery, regulatory response, and customer churn. The pay-vs-don't-pay decision matters less than the controls that stop initial access.
- Avg ransomware breach: $5.08M (vs $4.44M all-breach)
- Median demand: $1.32M (Sophos 2025)
- Refuse to pay: 64% (up from 59% in 2024)
- Recovery (excl. ransom): $1.53M (mean cost to restore ops)
Section 06.1 / Anatomy of ransomware cost
The ransom is rarely the largest line item
Across the full incident-cost ledger, business interruption is the dominant component. Even when an organization pays the ransom and receives a working decryption key, the recovery operation costs $1-$2M and takes weeks. Forensics, legal, and regulatory work add $300K-$1.5M before any customer notification.
Primary source: Cost-component shares aggregated from Sophos State of Ransomware 2025, Coveware quarterly reports, and IBM 2025 ransomware-vector data.
Section 06.2 / Pay vs don't pay
The economics of refusing
Refusal rates have climbed steadily as recovery tooling has improved and law-enforcement decryption assistance (No More Ransom, FBI advisories) has expanded. Paying does not guarantee data recovery: roughly 30% of paying victims still report partial or no data return.
Don't pay path
64% of organizations refuse
- Mean recovery cost (excluding ransom): $1.53M.
- Recovery from immutable backups eliminates the data-return uncertainty inherent in paying.
- Avoids OFAC sanctions risk where the threat actor is on the US Treasury sanctions list.
- Insurance coverage is typically more straightforward when no ransom is paid.
- No incentive provided to threat actor for repeat targeting.
Pay path
36% choose to pay
- Median payment: $115K-$1M (varies sharply by source and victim size).
- Roughly 30% of paying victims report partial / no data return after payment.
- OFAC sanctions risk: paying a sanctioned entity may trigger US Treasury enforcement.
- Even with payment, full recovery still requires forensic investigation and infrastructure rebuild.
- Paying signals to other actors that the organization is willing to negotiate.
Section 06.3 / Largest known ransom payments
The publicly disclosed register
Each entry below references a public disclosure: a regulatory filing, a press statement, a DOJ release, or a credible chat-transcript leak. Many ransom payments are never disclosed. The figures below are therefore a floor on the market, not a representative sample.
| Year | Victim | Amount | Outcome | Primary source |
|---|---|---|---|---|
| 2024 | Dark Angels victim (Fortune 50) | $75M | Largest known single ransom payment ever | |
| 2021 | CNA Financial | $40M | Paid Phoenix CryptoLocker group. Full systems restored. | |
| 2024 | Change Healthcare | $22M | Paid ALPHV/BlackCat. Data still leaked by affiliate. | |
| 2021 | JBS Foods | $11M | Paid REvil. Operations restored within days. | |
| 2021 | Colonial Pipeline | $4.4M | Paid DarkSide. FBI recovered $2.3M. 6-day shutdown. | |
| 2023 | Caesars Entertainment | $15M | Paid Scattered Spider. Avoided extended outage. | |
| 2020 | CWT Global | $4.5M | Negotiated down from $10M. Ragnar Locker group. | |
Primary source: Last verified April 2026.
Schedule F / Reference Q&A