For anybody who wonders whether cybersecurity measures
actually do any good, the answer is yes, they do. The average cost of a data
breach actually fell from 2024 to 2025. The number of organizations opting to
pay ransoms to cyberattackers also fell. The average length of a data breach shrank
by 17 days.
Those positive trends reflect the positive impact solid
cybersecurity can have for organizations looking to minimize their ransomware
risks. But ransomware
is still a menace for organizations of all kinds, and cybercriminals aren’t
slowing their development of malicious applications designed to take data
hostage.
Some proof that cybersecurity measures work …
There was some good news in the IBM Cost of a Data Breach Report 2025. For starters, the global average cost of a data breach fell to $4.44
million, a 9% decrease and the first decline in five years.
The health care sector saw a $2.35 million reduction in data
breach costs from 2024 to 2025, although the average breach still cost $7.42
million. In 2024, 63% of organizations opted not to pay a ransom when
threatened, compared to 59% the year before. The global average breach
lifecycle — the time to identify and contain a breach — dropped to 241 days in
2024, a 17-day reduction from 2023.
… and evidence that there’s still work to do
However, even organizations that recovered rapidly from a
breach took more than 100 days on average to do so. That’s a long time for ransomware
to be in an organization’s system undetected. And while the cost of data
breaches overall fell between 2024 and 2025, the average cost of a ransomware
attack has steadily grown from $4.62 million in 2021 to $5.08 million in 2025.
So, while cybersecurity measures are producing positive results,
ransomware remains a major threat to organizations of all types and sizes. And
attackers are casting wider nets to find victims. The Acronis
Cyberthreats Report H1 2025 found that the number of publicly known
ransomware victims in H1 2025 increased by nearly 70% compared to the same
period in both 2023 and 2024.
How ransomware can wreck a business
Even as numbers fluctuate from year to year, they’re still
massive. Few businesses could afford to lose millions of dollars to a
ransomware attack. Plus, there’s more to the cost of ransomware than just
paying a ransom.
Of course, the ransom itself can be extremely costly if an
organization chooses to pay it. In 2024, Change Healthcare paid a $22 million
ransom to the Alphv/BlackCat ransomware group. But the ransom payment only
accounts for a small portion — often as little as 15% — of the overall costs
associated with a ransomware attack.
Downtime, lost data and recovery
The average cost of downtime as a result of a ransomware
attack can frequently amount to fifty times more than the ransom demand. In the
wake of an attack, the entire organization must shift its attention to
recovery, from IT teams restoring encrypted or damaged data to teams from
marketing, legal, human resources and other organizations handling crisis
messaging. Organizations that suffer attacks are under immediate pressure to restore
data and get operations up and running normally again.
Additional ransomware costs include lost sales opportunities, reduced product or services output,
reputational harm, fees for external consultants to speed recovery efforts,
fines by regulatory agencies and penalties paid to partners and customers. A
business that fails to bring a client back quickly after a ransomware attack will
certainly take a reputational hit.
The consequences of ransomware attacks extend far beyond
initial containment. Nearly all organizations suffer operational disruption
following a data breach. The impact on businesses and their customers alike is devastating.
According to IBM, nearly half of all organizations reported that they planned
to raise the price of goods or services because of a breach, and nearly
one-third reported price increases of 15% or more.
Major ransomware attacks of 2024–2025
The ransomware landscape has continued to evolve with
several high-profile attacks demonstrating the ongoing threat:
Change Healthcare (February 2024)
One of the most significant attacks of 2024 occurred against
UnitedHealth Group’s Change Healthcare. The health care technology company
suffered a massive data breach through a Citrix portal that did not have multifactor
authentication (MFA) enabled. Change Healthcare paid the Alphv/BlackCat
ransomware group a $22 million ransom to restore operations. The total cost of
the breach reached at least $2.4 billion, according to HIPAA Journal.
LoanDepot (January 2024)
An attack on California-based mortgage lender LoanDepot led
to significant loan service disruptions and affected 16.6 million customers.
Data breach notifications showed affected information included names,
addresses, phone numbers, Social Security numbers and financial account
numbers. The total cost of the breach reached nearly $27 million, according to SecurityWeek.
CDK Global (June 2024)
CDK Global experienced a damaging ransomware attack. The
automotive technology provider, which serves 15,000 dealerships, forced most of
its systems offline to contain the threat, causing significant disruptions for
downstream customers.
McLaren Health Care (August 2024)
A ransomware attack on Aug. 5 significantly disrupted
services at Michigan-based McLaren Health Care. The organization was forced to
reschedule nonemergency and elective procedures, affecting primary care,
specialty care clinics and cancer care. Systems were not fully restored until
Aug. 27.
Port of Seattle (August 2024)
The Port of Seattle, which oversees the Seattle-Tacoma
International Airport, suffered a ransomware attack on Aug. 24. The attack
disrupted bag checking, check-in services, flight information displays and
phone systems, with some services remaining down two weeks after the attack.
Blue Yonder (November 2024)
Arizona-based Blue Yonder suffered a ransomware attack that
disrupted its supply chain management services, leading to massive fallout for
downstream customers including Starbucks, Sainsbury’s and Morrisons supermarkets.
A continually evolving threat landscape
The Acronis Cyberthreats Report
H1 2025 drew attention to some emerging trends in ransomware:
- New groups: From January to May 2025, new ransomware groups accounted for a
total of 145 victims globally.
- Emerging players: The new ransomware gangs highlighted include Devman,
Nightspire and RALord/Nova.
- RaaS model: Devman and RALord/Nova operate as ransomware-as-a-service (RaaS),
providing tools and infrastructure to affiliates. Devman is known to share its
encryption tools with Qilin and RansomHub.
- Double extortion: Devman and Nightspire use double extortion tactics, which
involve both encrypting files and threatening to leak them if the ransom is not paid.
Manufacturing is a popular target, but every sector is vulnerable
One particularly vulnerable sector is manufacturing. Attacks
on supply chain companies like Blue Yonder demonstrate how ransomware can
cascade through entire sectors. In fact, manufacturing was the most targeted
industry in Q1 2025, according to the Acronis Cyberthreats Report H1 2025,
accounting for 15% of all recorded cases.
Manufacturing and supply chain sectors, including logistics,
accounted for more than 20% of cases in a campaign by the prolific Cl0p ransomware
group.
Ransomware attackers continue to target victims across other
industries, including:
- Health care: Hospitals often have sensitive patient data and face critical
operational pressures when systems are locked down, as patient care cannot be delayed.
- Finance: Banks and financial institutions store confidential customer data, and
regulatory penalties for data breaches can be severe.
- Government: Government institutions possess critical infrastructure data, and
public pressure to restore services quickly creates additional leverage for attackers.
- Education: Educational organizations often retain personally identifying
information and research data while operating with budget constraints and less
robust cybersecurity measures.
Ransomware prevention strategies
Given the escalating costs and frequency of attacks,
prevention remains critical. Among the essential
elements of cyber resilience are:
- MFA: The Change Healthcare breach highlighted the critical importance of MFA on
all access points.
- Backup and recovery: Robust backup systems remain essential for recovery and
help organizations avoid paying ransoms.
- Employee training: Human error continues to be a primary attack vector, so
training employees to avoid ransomware is essential.
- Zero trust architecture: Implementing comprehensive security models that
verify every access request is a critical cybersecurity measure.
A note about cyber insurance
Cyber insurance policies may cover ransomware attacks, but coverage
terms vary significantly. Lately, insurance rates have increased
dramatically due to the rising frequency and cost of attacks. There’s also ongoing
debate about whether insurance companies should continue reimbursing ransom
payments, as some argue this perpetuates the problem. Cyber insurance is
essential but should never be a replacement for cybersecurity measures.
Ransomware is here to stay … but Acronis Cyber Protect can stop ransomware attacks
The news about ransomware isn’t all bad, but the threat is
still severe. The continued evolution of ransomware groups demonstrates that
the threat landscape is becoming more complex and includes a growing number of
organizations. Success in combating ransomware requires a comprehensive
approach combining robust cybersecurity measures, incident response planning,
employee training and strategic investments in ransomware
protection technologies.
Acronis Cyber Protect takes just such an approach. Acronis Cyber Protect is an
integrated and cost-effective cyber protection solution that uses AI to detect
malicious activity and prevent businesses from falling victim to ransomware
attacks. It analyzes the behavior of files and applications on a system,
terminating malicious processes and automatically reversing any damage done.
Acronis Cyber Protect includes a robust anti-ransomware
engine that proactively detects and blocks attempts to encrypt or delete your
data, and protects against other types of malware. In addition, Acronis Cyber
Protect can quickly restore any data encrypted by ransomware. It includes
best-of-breed data backup and disaster recovery capabilities, making it a
valuable tool for businesses.
