
Yannick H.
Too Long; Didn't Read
The figures are sobering. Recovery with backups costs a median of $750,000, while paying the ransom means an additional $1 million (median) on top of $1.53 million in recovery costs. But here’s the catch – only 46% of those who pay the ransom can successfully recover their data, and almost 80% who pay get attacked again. Rebuilding costs more upfront, but eliminates the uncertainty. The real answer? It depends on your backups, your company’s downtime tolerance, and whether you’re willing to bet that criminals will keep their word.

Let’s be honest...
When ransomware hits, you’re no longer thinking clearly. Your systems are locked. Operations come to a standstill. And you’re on a ticking clock with criminals demanding payment.
We’ve guided dozens of clients through this nightmare. And the question they always ask is: "What costs us less—paying for recovery or starting over?"
Here’s what the actual data tells us.
The true cost of recovery: What the numbers say
First, let’s talk about what recovery actually costs when you use backups (without paying ransom).
According to Sophos’ 2024 study, companies that used backups to recover from ransomware incurred median recovery costs of $750,000. That’s no small amount... but hold that thought.
The full picture is more complex. Average total recovery costs reached $2.73 million in 2024 (up from $1.82 million in 2023), although this dropped to $1.53 million in 2025 as organizations improved their response. These figures include everything: downtime, incident response teams, forensics, legal fees, notification costs, and restoration work.
But this is where it gets interesting... these costs vary significantly depending on how the attack began.
When attackers exploited vulnerabilities to get in, average recovery costs rose to $3.58 million compared with $2.58 million for attacks that started with compromised credentials. Why? Because these attacks tend to be more severe, with higher rates of compromised backups and data encryption.
For a deeper look, see our article Jaguar Land Rover Cyberattack – A Wake-Up Call for Business Risk Management.
The ransom route: A gamble that often fails
Now let’s talk about paying ransom.
The median ransom payment in 2025 was $1 million—down from $2 million in 2024. That is still... a lot of money. And 63% of ransom demands exceeded $1 million, with 30% demanding more than $5 million.
Healthcare organizations tend to pay the lowest median amounts at $150,000, while state and local government agencies pay the highest at $2.5 million.
But here’s the part that should make you pause...
Even if you pay, only 46% of those who paid ransom were able to successfully recover their data, and much of what they got back was corrupted. Another study found that 40% of companies that paid cybercriminals for decryption keys could not recover their data.
Let that sink in. You pay... and there’s almost a fifty-fifty chance it won’t work.
And among the companies that did get data back, only 59% recovered all of it. Decryption tools are often faulty, slow, or leave files damaged.
A security expert we spoke with put it bluntly: "Large-scale decryption across enterprise environments can take weeks and often fails on corrupted files or complex database systems. There are cases where the decryption process itself causes additional data corruption."
The hidden costs no one talks about
Here’s the statistic that should alarm you: Nearly 80% of organizations that paid ransom experienced a follow-up attack.
That’s no coincidence. When you pay, you signal to the criminal ecosystem that you’re a profitable target. Your contact details get shared. Other groups take notice.
You’re essentially buying yourself a giant target on your back.
Time: The other currency
Money isn’t the only consideration. Time matters too.
The good news? Companies are recovering faster. 53% of businesses now recover fully within a week, compared with only 35% the year before. Only 18% now take longer than a month to recover, down from 34% in 2024.
But here’s the catch—speed depends heavily on the health of your backups. Organizations with intact backups saw 46% recover within a week, while those with compromised backups saw only 25% recover that quickly.
The backup vs. ransom economics
Let’s run the numbers based on the research...
If you have good backups:
Median recovery cost: $750,000
Recovery time: Possibly within a week if backups are solid
Success rate: High (if your backups are actually tested and offline)
Risk of repeat attacks: Lower
If you pay ransom:
Median ransom payment: $1 million
Plus recovery costs: $1.53 million average
Total: ~$2.5 million or more
Success rate: Only 46% fully recover their data
Risk of repeat attacks: Nearly 80%
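To make that comparison reusable with your own numbers, here is a small expected-cost model. It is an added example written for this article, not something taken from the research cited above. The defaults are the medians and rates quoted on this page; the repeat-attack rate for organizations that restore from backups and the cost of rebuilding when decryption fails are not given by the studies and are marked as assumptions in the code.

```python
"""Expected-cost comparison: restore from backups vs. pay the ransom.

Added example for this article, not from the cited studies. Defaults are the
page's medians/rates; fields marked ASSUMPTION are not on the page.
"""
from dataclasses import dataclass


@dataclass
class Inputs:
    backup_recovery_cost: float = 750_000      # median cost when recovering from backups
    ransom: float = 1_000_000                  # median ransom payment, 2025
    post_payment_recovery: float = 1_530_000   # recovery cost on top of the ransom
    p_decrypt_ok: float = 0.46                 # share of payers who recover their data
    p_repeat_if_paid: float = 0.80             # follow-up attack after paying
    p_repeat_if_not_paid: float = 0.30         # ASSUMPTION: page only says "lower"
    rebuild_if_decrypt_fails: float = 750_000  # ASSUMPTION: fall back to a backup-style rebuild


def expected_cost_backups(i: Inputs) -> float:
    """Restore from verified backups; a repeat incident is assumed to cost the same again."""
    return i.backup_recovery_cost * (1 + i.p_repeat_if_not_paid)


def expected_cost_pay(i: Inputs) -> float:
    """Pay, then with probability (1 - p_decrypt_ok) rebuild anyway, and with
    probability p_repeat_if_paid absorb a second incident's recovery cost."""
    direct = i.ransom + i.post_payment_recovery
    fallback = (1 - i.p_decrypt_ok) * i.rebuild_if_decrypt_fails
    repeat = i.p_repeat_if_paid * i.post_payment_recovery
    return direct + fallback + repeat


def breakeven_decrypt_probability(i: Inputs):
    """Decryption success rate at which paying would merely tie the backup path.
    Returns None when no success rate (even 100%) makes paying cheaper."""
    target = expected_cost_backups(i)
    fixed = i.ransom + i.post_payment_recovery + i.p_repeat_if_paid * i.post_payment_recovery
    if fixed >= target:
        return None
    return 1 - (target - fixed) / i.rebuild_if_decrypt_fails


def compare(i: Inputs) -> dict:
    """Both paths side by side, plus the breakeven decryption rate (None = never)."""
    return {
        "restore_from_backups": expected_cost_backups(i),
        "pay_ransom": expected_cost_pay(i),
        "breakeven_decrypt_rate": breakeven_decrypt_probability(i),
    }


if __name__ == "__main__":
    for key, value in compare(Inputs()).items():
        print(f"{key:>24}: {value:,.0f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

With the page's defaults, paying never breaks even: the ransom plus post-payment recovery already exceeds the whole backup path before the decryption gamble is counted. Change the inputs to your own backup recovery cost and daily interruption figures before drawing a conclusion for your organization.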
The economics seem clear, right?
But... it’s not always that simple.
When the math gets complicated
This is where real-world decision-making gets messy.
Only 54% of organizations used backups to restore their data in 2025—the lowest percentage in six years. Why? More attacks are stopped before data is encrypted, so there’s nothing to restore.
That’s actually a positive trend. But it also means many organizations have untested backups or backups that attackers compromised during the attack. When backups were compromised, organizations received ransom demands twice as high as those whose backups were intact ($2.3M vs. $1M).
And here’s something we see all the time... organizations discover their "backups" are not what they thought. They are either:
Too old (last backup was weeks ago)
Encrypted together with production systems
Never actually tested for recovery
Missing critical systems or databases
The hardest-hit industries
Costs vary dramatically by sector.
Manufacturing recorded the highest rate of ransom payments at 62%, with a median payment of $1.2 million. Why? The pressure to avoid production shutdowns is so intense that many companies see payment as the fastest way back to operations.
Healthcare organizations report an attack rate of 68%, even though they typically pay lower amounts. The urgency of patient care creates immense pressure to pay quickly, which makes them lucrative targets.
Government agencies have a reported attack rate of 68%, level with healthcare and among the highest of any sector, with attacks rising 65% in the first half of 2025.
What we actually tell clients
After repeatedly helping organizations through this, here’s our assessment...
If you have solid backups (tested, offline, current), the numbers overwhelmingly support using them. You spend less, recover faster, and avoid becoming a repeat victim.
If your backups are compromised or missing, you’re in a difficult position. Paying may seem like the only option... but remember that fifty-fifty success rate. You could pay and still lose everything.
The hybrid approach we see working best:
Isolate systems immediately to stop the spread
Assess backup integrity honestly (not wishfully)
Rebuild critical systems from clean sources
Recover what you can from verified backups
Only consider payment for truly irreplaceable data you cannot recover any other way
Plan to replace all "recovered" systems eventually anyway
A healthcare client we worked with followed this approach. They rebuilt core patient systems from scratch (too risky to trust recovered systems with protected health information), but restored some archived data from backups. Total cost: around $2.1 million. Timeline: 5 weeks.
Could they have paid the $1.5 million ransom and been "done" faster? Maybe. But they would have spent months wondering whether attackers were still lurking in their systems. Peace of mind mattered.
The questions you need to answer now
Before ransomware hits (industry forecasts put the rate at one attack every 2 seconds worldwide), answer these questions honestly:
About your backups:
When was the last time you tested a full recovery? (Not "check if backups ran"—actually restore something)
Are your backups offline and air-gapped?
How much data would you lose if you had to recover right now?
Do you have separate backups for critical systems?
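Here is what "assess backup integrity honestly" from the hybrid approach above, and "actually restore something" from the questions just listed, look like as a script rather than a checkbox. It is an added example, not a tool from this article or any vendor. It assumes a plain on-disk backup set with a JSON manifest of SHA-256 hashes written at backup time (the manifest layout, file names, required-system list and 24-hour age limit are this example's own choices), checks age, hash integrity and presence of the systems you cannot live without, then performs a trial restore into a scratch directory and re-hashes the result. The sample backup set, including one file "encrypted" in place, is constructed inline.

```python
"""Backup integrity check and trial restore.

Added example for this article, not code from the post or any product. Assumes
a flat on-disk backup set plus a JSON manifest of SHA-256 hashes written when
the backup was taken (manifest format is this example's own convention).
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the hash of every file in the set and when it was taken. Keep a
    copy of this manifest with the offline/immutable copy, not only beside the data."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if name == MANIFEST:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    manifest = {"taken_at": time.time(), "files": files}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir, manifest, max_age_seconds, required=()):
    """Is the backup recent enough, does every file still match its recorded hash
    (a file encrypted in place will not), and are the required systems present?"""
    files = manifest["files"]
    age = time.time() - manifest["taken_at"]
    report = {"age_seconds": age, "stale": age > max_age_seconds,
              "missing": [], "corrupt": [],
              "required_absent": [r for r in required if r not in files]}
    for rel, digest in files.items():
        full = os.path.join(backup_dir, *rel.split("/"))
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_file(full) != digest:
            report["corrupt"].append(rel)
    report["ok"] = not (report["stale"] or report["missing"]
                        or report["corrupt"] or report["required_absent"])
    return report


def trial_restore(backup_dir, manifest, restore_dir):
    """Restore every file to a scratch location and re-hash it: 'the backup job
    ran' is not the same as 'we can get the data back'. Returns (verified, total)."""
    verified = 0
    for rel, digest in manifest["files"].items():
        src = os.path.join(backup_dir, *rel.split("/"))
        dst = os.path.join(restore_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) == digest:
            verified += 1
    return verified, len(manifest["files"])


def demo():
    """Constructed sample: a tiny backup set, then one file silently overwritten
    with random bytes, as happens when backups share the blast radius."""
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(backup, "db"))
    with open(os.path.join(backup, "db", "app.sqlite"), "wb") as f:
        f.write(b"SQLite format 3\x00" + b"\x00" * 64)
    with open(os.path.join(backup, "config.yaml"), "w") as f:
        f.write("listen: 0.0.0.0:8443\n")
    manifest = write_manifest(backup)
    with open(os.path.join(backup, "db", "app.sqlite"), "wb") as f:   # attacker reaches the backup volume
        f.write(os.urandom(80))
    report = verify_backup(backup, manifest, max_age_seconds=24 * 3600,
                           required=["db/app.sqlite", "config.yaml", "ad/ntds.dit"])
    result = trial_restore(backup, manifest, os.path.join(work, "restore"))
    shutil.rmtree(work)
    return report, result


if __name__ == "__main__":
    rep, (verified, total) = demo()
    print("backup ok:", rep["ok"], "| corrupt:", rep["corrupt"],
          "| required absent:", rep["required_absent"])
    print(f"trial restore: {verified}/{total} files verified")
```

Run it as-is and the report flags the tampered database, the missing directory-service backup, and a trial restore that verifies only one of two files, which is exactly the kind of finding you want to discover in a drill rather than at 2 a.m. In production the manifest belongs with the offline copy, the required list should name every system on your critical path, and the trial restore should go through your real restore tooling rather than a file copy.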
About your business:
Can you survive a week at reduced capacity? A month?
What are your actual daily business interruption costs?
Do you have cyber insurance? What does it really cover?
Are there regulatory implications for paying ransom in your industry?
About your security posture:
Do you know how attackers typically get in? (32% exploit vulnerabilities, 29% use compromised credentials)
Have you patched critical vulnerabilities?
Is multi-factor authentication enabled everywhere?
Do you have 24/7 monitoring?
The bottom line
The data paints a clear picture:
Recovery with backups: $750,000 median, high success rate when backups are solid
Ransom payment: $1 million median payment + $1.53 million recovery costs, with only 46% recovering successfully and 80% being hit again
Rebuilding from scratch: Higher upfront costs, but you gain confidence and improved security
The "cheaper" option is not just about the dollar amount. It’s about:
Certainty vs. gambling with criminals
One-time cost vs. becoming a repeat victim
Clean systems vs. wondering whether malware is still lurking
Business survival vs. bankruptcy from multiple attacks
What actually works
Here’s what studies show works:
Organizations with immutable backups reported 4x faster recovery times and were 50% less likely to pay ransom. That is the single biggest factor for positive outcomes.
The best-performing organizations? They:
Test their backups regularly
Maintain offline, immutable copies
Use multi-factor authentication everywhere
Patch vulnerabilities quickly
Have incident response plans (and practice them)
Invest in 24/7 monitoring
One last thing...
Every organization we’ve worked with that has gone through ransomware says the same thing afterward: "We should have invested more in prevention."
Because here’s the truth... the absolute cheapest option is not getting hit at all.
Global average recovery costs now stand at $1.53 million. How much security could you buy with that? How many years of monitoring, backups, training, and tools?
Prevention isn’t sexy. It doesn’t feel urgent... until it’s too late. But it is dramatically cheaper than recovery or ransom payments.
And that’s the statistic that should matter most.
Need help assessing your ransomware readiness or (in a worst-case scenario) responding to an active incident? We work with organizations at every stage—because no one should have to make these decisions under pressure at 2 a.m. with incomplete information.


