Ransomware costs: here’s where the damage happens

For organized gangs and amateur criminals alike, ransomware offers a quick way to make money. And especially with the proliferation of ransomware-as-a-service on the dark web, it doesn’t take a tech genius to get an attack off the ground.

For the businesses targeted, a ransomware attack means a big dent in company finances - and we’re not just talking about the cost of the ransom if you choose to pay it.

If your boss is skimping on cyber security, training and anti-ransomware planning, here’s how those failures could end up hitting the company in the wallet...

Ransom payments

According to Sophos, the average ransom paid by businesses last year was just over $170,000. The most common payment was $10,000.

But how many people actually pay up? Accurate figures are hard to get, because (understandably) most businesses try not to advertise the fact that they’ve given in to extortion. But if recent research from the UK is reflective of what’s happening globally, then it seems that around half of businesses do actually pay.

It’s easy to see why some businesses might go down this route. Meeting the fraudster’s demands might seem like the quickest, easiest and least costly way to get back to normal.

But costs-wise, just bear in mind the following:

  • 92% of organizations who pay a ransom do not get all of their data back. On average, they recover just 65% of it.
  • There’s a real risk of getting nothing back at all. The fraudster might simply disappear without supplying you with a decryption key, or the key may be flawed, meaning that some or all of your files remain inaccessible.
  • Even if systems access is regained, the data has already been exploited. Sensitive data (e.g. customer account details) may already be out in the wild, so you will still need to notify customers.

The FBI and other enforcement agencies advise against paying a ransom in the strongest possible terms. It doesn’t usually make the clean-up costs go away: it just means you are handing over a five-figure sum (or more) to a fraudster, on top of those costs.

Remediation and recovery

Once an attack has occurred, you need to isolate affected systems and endpoints, forensically check the location and extent of impact, before reconnecting your backup and restoring your data.

Most organizations need external help with this, and it doesn’t come cheap. The Palo Alto Networks’ 2021 report shows that the average cost across the U.S., Europe and Canada for remediation and recovery services following an attack is $73,851. Smaller businesses pay an average of $40,719.


Let’s say your CFO is reluctant to sign off on the cost of updating your security and backup capabilities. If it seems expensive, how does it compare to 16 days’ lost revenue?

According to Coveware, the average outage time following a ransomware attack now stands at 16.2 days. If you are sensible, your restoration plan will focus on getting business-critical systems back online first of all, so sales channels should be prioritized. However, even a few days’ outage can be extremely costly.


Do you have to tell outsiders about the attack? If so, who?

It depends on what categories of data have been compromised and the severity of the breach. In the UK and Europe for instance, there’s an obligation to inform individuals as well as local data protection authorities if personal data has been compromised. The situation can get especially complicated if you have customers in multiple locations.

It’s likely that the company will need to call on legal advice to ensure compliance with your reporting obligations. It’s expensive, but often essential, to avoid sleepwalking into regulatory fines and/or civil action.

Public relations

The lawyers tell you who you need to notify, and the information you need to provide. But to get the message right, you need reputation management expertise. Once again, it may be necessary to call on outside help.

A PR expert should be able to advise you on how to frame your initial notifications. You may well be faced with an influx of customer queries, so you’ll need help in putting together a crisis communications team.


Information security incidents - including ransomware attacks - are almost never covered by general insurance. For anti-ransomware protection, the business will need a specific cyber insurance policy.

Cyber insurance should protect you from direct loss of income as a result of an attack. Many insurers will also put you in contact with remediation and recovery services. However, some costs may not be covered, such as the long-tail reputational damage of an attack. What’s more, if you have to wait for the insurer to investigate before paying out, it can place massive pressure on cash-flow.

Don’t ignore the threat 

Knowledge of malware detection, network security, user education, backup and recovery are all essential elements of any anti-ransomware strategy. For a head start in keeping your company safe, take a closer look at our Complete Cyber Security Course.

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Dylan says:

    Hi Nathan,
    Point in case in my country atm (New Zealand) is the Waikato DHB (regional health department) suffering from a Crypto attack. 2 weeks and the hospitals in this area are still running on pencil and paper with no end in sight.

  • Darren says:

    Did you guy’s here about the big cyber attack in the meat industry the cyber attack affected Australia, Canada and America the FBI are looking into it.

  • Ali Sougouma Ali says:

    I would like to follow you, because I already happy with you

  • The Sky Rider says:

    So I had recently watched the video on ransomware and related, You said that there is a very low decryption rate, But can you not access the code of the ransomware program and read the encryption key off of it?, It would need it stored somewhere, especially if the hacker doesn’t want to have to continuously send the key to the virus (As that could in theory be tracked), otherwise it wouldn’t be possible for it to encrypt more then one file with the same key

  • >