Is it cheaper to recover after a ransomware attack or to rebuild?

The figures are sobering. Recovery with backups costs a median of $750,000, while paying the ransom means an additional $1 million (median) on top of $1.53 million in recovery costs. But here’s the catch – only 46% of those who pay the ransom can successfully recover their data, and almost 80% who pay get attacked again. Rebuilding costs more upfront, but eliminates the uncertainty. The real answer? It depends on your backups, your company’s downtime tolerance, and whether you’re willing to bet that criminals will keep their word.


Let's be honest...

When ransomware strikes, you stop thinking clearly. Your systems are locked. Operations come to a halt. And you have a ticking clock with criminals demanding payment.

We've guided dozens of customers through this nightmare. And the question they always ask is: "What costs us less – paying for recovery or starting from scratch?"

Here's what the actual data tells us.

The true costs of recovery: What the numbers say

First, let's talk about what "recovery" actually costs when you use backups (without paying the ransom).

According to Sophos' 2024 study, companies that used backups to recover from ransomware faced average recovery costs of 750,000 dollars. That's not exactly pocket change... but keep that thought.

The overall picture is more complex. Average total recovery costs reached 2.73 million dollars in 2024 (up from 1.82 million dollars in 2023), although this decreased to 1.53 million dollars in 2025 as companies improved their response. These figures encompass everything – downtime, incident response teams, forensics, legal fees, notification costs, and recovery efforts.

But here's where it gets interesting... these costs vary significantly depending on how the attack started.

If attackers exploited vulnerabilities to get in, average recovery costs rose to 3.58 million dollars compared to 2.58 million dollars for attacks that began with compromised credentials. Why? Because these attacks tend to be more severe, with higher rates of compromised backups and data encryption.

The ransom route: A gamble that often fails

Now let's talk about ransom payment.

The median ransom payment was 1 million dollars in 2025 – down from 2 million dollars in 2024. That's still... a lot of money. And 63% of ransom demands exceeded 1 million dollars, with 30% demanding over 5 million dollars.

Healthcare organizations tend to pay the lowest median amounts with 150,000 dollars, while state and local government agencies pay the highest at 2.5 million dollars.

But here's the part that should give you pause...

Even if you pay, only 46% of those who paid the ransom were able to successfully recover their data, and much of what they received back was corrupted. Another study found that 40% of companies that paid cybercriminals for decryption keys could not recover their data.

Let that sink in. You pay... and there's almost a fifty-fifty chance it won't work.

And even when companies recovered their data, only 59% restored ALL their data. The decryption tools are often faulty, slow, or leave corrupted files behind.

A security expert we spoke with put it succinctly: "The large-scale decryption across enterprise environments can take weeks and often fails with corrupted files or complex database systems. There are instances where the decryption process itself causes additional data corruption."

The hidden costs no one talks about

Here's the statistic that should alarm you: Nearly 80% of organizations that paid the ransom experienced a subsequent attack.

It's not a coincidence. If you pay, you signal to the criminal ecosystem that you're a worthwhile target. Your contact information is shared. Other groups take note.

You're essentially buying a big target sign on your back.

Time: The other currency

Money isn't the only consideration. Time counts too.

The good news? Companies are getting faster at recovery. 53% of companies now fully recover within a week, compared to just 35% in the prior year. Only 18% now take longer than a month to recover, down from 34% in 2024.

But here's the catch – speed heavily relies on the health of your backups. Organizations with intact backups saw 46% recover within a week, while those with compromised backups saw only 25% recover that quickly.

The backup vs. ransom economy

Let's do the math based on research...

If you have good backups:

  • Median recovery cost: 750,000 dollars

  • Recovery time: Potentially within a week, if backups are solid

  • Success rate: High (if your backups are indeed tested and offline)

  • Risk of repeated attacks: Lower

If you pay the ransom:

  • Median ransom payment: 1 million dollars, on top of 1.53 million dollars in recovery costs

  • Recovery time: Weeks; decryption tools are often slow or faulty

  • Success rate: Only 46% recover their data

  • Risk of repeated attacks: Nearly 80%

The economics seem clear, right?

But... it's not always that simple.
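To make the "let's do the math" comparison above concrete, here is an added worked example (not from the original article) that plugs the article's figures into an expected-cost model for the three routes: restore from backups, rebuild from scratch, or pay. The figures are the ones quoted in the article; the decision-tree structure (a failed decryptor means you rebuild on top of what you already paid, and the 80% re-attack rate is priced in as an expected follow-up incident) and the rebuild and re-attack cost defaults are assumptions made here, and are labelled as such in the code.

```python
"""Expected-cost comparison of the three ransomware recovery routes.

Added illustration, not from the original article. The constants are the
figures the article quotes; the model structure and the defaults in
Assumptions are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Figures quoted in the article (USD, median/average as stated there).
BACKUP_RECOVERY_COST = 750_000          # recovery using backups, no ransom paid
MEDIAN_RANSOM = 1_000_000               # median ransom payment, 2025
TOTAL_RECOVERY_COST = 1_530_000         # average total recovery cost, 2025
DECRYPT_SUCCESS_RATE = 0.46             # paid and successfully recovered data
REATTACK_RATE_AFTER_PAYING = 0.80       # paid and were attacked again


@dataclass
class Assumptions:
    """Inputs the article does not fix; the defaults are assumptions."""
    rebuild_cost: float = 2_100_000             # the article's healthcare client rebuild
    reattack_cost: float = TOTAL_RECOVERY_COST  # a repeat incident costs about the average
    reattack_rate_without_paying: float = 0.0   # article only says "lower"; 0 is the optimistic bound


def cost_restore(a: Assumptions) -> float:
    """Restore from intact, tested backups."""
    return BACKUP_RECOVERY_COST + a.reattack_rate_without_paying * a.reattack_cost


def cost_rebuild(a: Assumptions) -> float:
    """Rebuild from clean sources without paying."""
    return a.rebuild_cost + a.reattack_rate_without_paying * a.reattack_cost


def cost_pay(a: Assumptions, success_rate: float = DECRYPT_SUCCESS_RATE) -> float:
    """Ransom and incident costs are sunk either way. With probability
    (1 - success_rate) the decryptor fails and you rebuild on top of that,
    and the re-attack rate is priced in as an expected follow-up incident."""
    failed_decrypt = (1.0 - success_rate) * a.rebuild_cost
    follow_up = REATTACK_RATE_AFTER_PAYING * a.reattack_cost
    return MEDIAN_RANSOM + TOTAL_RECOVERY_COST + failed_decrypt + follow_up


def expected_costs(a: Assumptions = Assumptions()) -> Dict[str, float]:
    """Expected cost of each route under the given assumptions."""
    return {
        "restore from backups": cost_restore(a),
        "rebuild from scratch": cost_rebuild(a),
        "pay the ransom": cost_pay(a),
    }


def breakeven_success_rate(a: Assumptions = Assumptions()) -> Optional[float]:
    """Decryptor success rate at which paying costs no more than rebuilding.
    Solving cost_pay(p) == cost_rebuild for p; None if no rate in [0, 1] works."""
    needed = (MEDIAN_RANSOM + TOTAL_RECOVERY_COST
              + REATTACK_RATE_AFTER_PAYING * a.reattack_cost
              - a.reattack_rate_without_paying * a.reattack_cost) / a.rebuild_cost
    return needed if 0.0 <= needed <= 1.0 else None


if __name__ == "__main__":
    for route, cost in expected_costs().items():
        print(f"{route:22s} {cost:>14,.0f} USD")
    print("decryptor success rate needed for paying to break even with rebuilding:",
          breakeven_success_rate())
```

With the defaults, paying comes out far more expensive than either alternative, and the break-even function returns None: no decryptor success rate in the range 0 to 1 makes paying cheaper than rebuilding once the failed-decryption and re-attack branches are priced in. Change the assumptions to your own rebuild and downtime figures to see where your organization actually stands.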

When the math gets complicated

This is where real-world decision-making gets messy.

Only 54% of companies used backups to restore their data in 2025 – the lowest percentage in six years. Why? More attacks are being stopped before data is encrypted, so there's nothing to recover.

This is actually a positive trend. But it also means that many organizations have untested backups or backups that attackers compromised during the attack. When backups were compromised, organizations received ransom demands twice as high as those whose backups were intact (2.3 million dollars vs. 1 million dollars).

And here's something we constantly see... organizations discovering that their "backups" aren't what they thought. They are either:

  • Too old (last backup was weeks ago)

  • Encrypted along with production systems

  • Never actually tested for recovery

  • Missing critical systems or databases

The most affected industries

Costs vary dramatically by sector.

Manufacturing saw the highest rate of ransom payments at 62%, with a median payment of 1.2 million dollars. Why? The pressure to avoid production standstills is so intense that many firms see payment as the quickest way back to operation.

Healthcare organizations have an attack rate of 68%, though they typically pay lower amounts. The urgency of patient care creates immense pressure to pay quickly, making them lucrative targets.

Government agencies have a reported attack rate of 68%, the highest of any sector, with attacks increasing by 65% in the first half of 2025.

What we actually tell clients

Having helped organizations repeatedly, here's our take...

If you have solid backups (tested, offline, current), the numbers overwhelmingly support using them. You spend less, recover faster, and avoid becoming a repeat victim.

If your backups are compromised or non-existent, you're in a tough spot. Payment might seem like the only option... but remember that fifty-fifty success rate. You could pay and still lose everything.

The hybrid approach we see working best:

  1. Isolate systems immediately to stop spreading

  2. Honestly assess backup integrity (not wishfully)

  3. Rebuild critical systems from clean sources

  4. Restore what you can from verified backups

  5. Consider payment only for truly irreplaceable data you can't recover otherwise

  6. Plan to replace all "restored" systems at some point anyway

A healthcare client we worked with followed this approach. They rebuilt central patient systems from scratch (too risky to trust restored systems with protected health information) but restored some archived data from backups. Total costs: around 2.1 million dollars. Timeline: 5 weeks.

Could they have paid the 1.5 million dollar ransom and been "done" faster? Maybe. But they would have spent months wondering if attackers were still lurking in their systems. Peace of mind mattered.

The questions you need to answer now

Before ransomware strikes (since an attack happens every 2 seconds worldwide), answer these questions honestly:

About your backups:

  • When did you last test a full recovery? (Not "checked backups ran" – actually restored something)

  • Are your backups offline and air-gapped?

  • How much data would you lose if you recovered right now?

  • Do you have separate backups for critical systems?
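The four ways the article says backups turn out not to be what people thought (too old, encrypted along with production, never tested for recovery, missing critical systems) and the backup questions just listed can be turned into an automated check. The following is an added example, not code from the original article: it audits a backup manifest for freshness, verifies each archive against the hash recorded when it was written, performs an actual trial restore into a scratch directory, and reports critical systems with no backup at all. The manifest layout, the system names and the thresholds are assumptions made here, and the sample archives are constructed inside the script.

```python
"""Backup readiness audit.

Added example, not part of the original article. Manifest layout, system
names and thresholds are assumptions; the sample archives are constructed.
"""
import hashlib
import io
import tarfile
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Optional


@dataclass
class BackupEntry:
    system: str                            # what the archive is supposed to hold
    archive: Path                          # tar archive on the backup target
    sha256: str                            # digest recorded when the backup was written
    taken_at: datetime                     # when the backup was written
    last_restore_test: Optional[datetime]  # None = never actually restored


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def trial_restore(archive: Path) -> bool:
    """Actually restore into a scratch directory and check that every file
    came back with its recorded size. "The backup job ran" is not this check."""
    try:
        with tarfile.open(archive) as tar, tempfile.TemporaryDirectory() as scratch:
            members = [m for m in tar.getmembers() if m.isfile()]
            for m in members:
                # refuse members that would write outside the scratch directory
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    return False
                target = Path(scratch) / m.name
                target.parent.mkdir(parents=True, exist_ok=True)
                src = tar.extractfile(m)
                if src is None:
                    return False
                target.write_bytes(src.read())
            return bool(members) and all(
                (Path(scratch) / m.name).stat().st_size == m.size for m in members)
    except (tarfile.TarError, OSError):
        return False


def audit_backups(entries: Iterable[BackupEntry], required_systems: Iterable[str],
                  now: datetime, max_age: timedelta = timedelta(days=1),
                  max_test_age: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {system: [findings]}; an empty list means the backup looks usable."""
    entries = list(entries)
    findings: Dict[str, List[str]] = {}
    for missing in sorted(set(required_systems) - {e.system for e in entries}):
        findings[missing] = ["missing critical system: no backup at all"]
    for e in entries:
        problems: List[str] = []
        if now - e.taken_at > max_age:
            problems.append(f"too old: last backup {(now - e.taken_at).days} days ago")
        if not e.archive.exists() or sha256_of(e.archive) != e.sha256:
            problems.append("integrity failure: contents differ from recorded hash "
                            "(encrypted or tampered along with production?)")
        elif not trial_restore(e.archive):
            problems.append("restore test failed: archive does not extract cleanly")
        if e.last_restore_test is None or now - e.last_restore_test > max_test_age:
            problems.append("never tested: no recent full restore on record")
        findings[e.system] = problems
    return findings


def _write_archive(path: Path, files: Dict[str, bytes]) -> Path:
    """Build a small tar archive from in-memory files (constructed sample data)."""
    with tarfile.open(path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def run_demo(now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Constructed sample: one healthy backup; one that is stale, was overwritten
    after the fact and never restore-tested; and one critical system with no backup."""
    now = now or datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir)
        erp = _write_archive(root / "erp.tar", {"erp/ledger.csv": b"id,amount\n1,100\n"})
        share = _write_archive(root / "share.tar", {"share/contract.pdf": b"%PDF-1.4 sample"})
        share_hash = sha256_of(share)
        share.write_bytes(b"\x00" * 512)   # simulate: the backup itself got encrypted/overwritten
        entries = [
            BackupEntry("erp", erp, sha256_of(erp), now - timedelta(hours=6),
                        now - timedelta(days=10)),
            BackupEntry("file-share", share, share_hash, now - timedelta(days=21), None),
        ]
        return audit_backups(entries, ["erp", "file-share", "patient-db"], now)


if __name__ == "__main__":
    for system, problems in run_demo().items():
        print(f"{system}: {'OK' if not problems else '; '.join(problems)}")
```

The integrity check runs before the trial restore on purpose: an archive whose bytes no longer match the digest recorded at write time is the "encrypted along with production" case, and restoring it would only tell you it is unreadable. Run the audit from a host that has read-only access to the backup target, so the check itself cannot alter what it verifies.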

About your business:

  • Can you survive a week at reduced capacity? A month?

  • What are your actual operations disruption costs per day?

  • Do you have cyber insurance? What does it actually cover?

  • Are there regulatory implications for ransom payments in your industry?

About your security posture:

The bottom line

The data paints a clear picture:

  • Recovery with backups: 750,000 dollar median, high success rate if backups are solid

  • Ransom payment: 1 million dollar median payment + 1.53 million dollars recovery costs, with only 46% successfully recovering and 80% being hit again

  • Rebuilding from scratch: Higher upfront costs, but you gain assurance and improved security

The "cheaper" option isn’t just about the dollar amount. It’s about:

  • Certainty vs. gambling with criminals

  • One-time costs vs. becoming a repeat victim

  • Clean systems vs. wondering if malware still lurks

  • Business survival vs. going bankrupt from repeated attacks

What actually works

Here's what studies show works:

Organizations with immutable backups reported 4x faster recovery times and were 50% less likely to pay a ransom. That’s the single greatest factor for positive outcomes.

Companies are getting better at stopping attacks before encryption – 44% now stop attacks in progress, a six-year high.

The organizations that do best? They:

  • Regularly test their backups

  • Have offline, immutable copies

  • Use multi-factor authentication everywhere

  • Patch vulnerabilities quickly

  • Have incident response plans (and practice them)

  • Invest in 24/7 monitoring

One last thing...

Every organization we've worked with that's been through ransomware says the same thing afterward: "We should have invested more in prevention."

Because here’s the truth... the absolute cheapest option is to never get hit at all.

The global average recovery costs are now 1.53 million dollars. How much security could you buy with that? How many years of monitoring, backups, training, and tools?

Prevention isn’t sexy. It doesn’t feel urgent... until it’s too late. But it’s dramatically cheaper than recovery or ransom payments.

And that’s the statistic that should count the most.


Need help assessing your ransomware readiness or (worst case) responding to an active incident? We work with organizations at every stage – because no one should have to make these decisions under pressure at 2 AM with incomplete information.


Copyright © 2025 ODCUS | All rights reserved.