Ransomware: Should I Pay or Not - By the Numbers
Ransomware Cases 2020-2025
Whether you should pay is a question unique to every incident. The FBI's stance is a firm no, at least publicly, in order to disincentivize the attackers.
“That being said, not paying means you can cover operating costs for the duration while your teams restore operations. This is completely dependent on your ability to restore operations.”
There will be added costs, as discussed in this post, including cash on hand to meet the insurance deductible, regulatory fines, litigation, and operational impacts, but the core factor in determining the impact to your business is restoration time.
The following is not an exhaustive list, but it is one I've spent time putting together of some of the more notable events. According to ransomware[.]live there have been over 5000 ransomware attacks this year. Keep in mind this is not fully citable, as the site is scraping the dark web and the figures are not confirmed by the victims. However, there is some good data here. They have 241 messages they've tracked with ransom info. I aggregated the info and pulled some statistics:
Total Ransom Demands: $478M
Total Negotiated and Paid: $51M in demands negotiated down to $12.6M and paid
Total # Paid: 57 (23%)
Of those that Paid, they averaged reducing the demand by 75%
Average payment was $220k
Highest payment was $1.27M
Lowest payment was $200
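The statistics above (total demand, share of victims that paid, average discount off the demand, average/highest/lowest payment) are straightforward to reproduce from any list of tracked incidents. The script below is an added example, not code from the post or from ransomware[.]live; the incident records in it are constructed sample values, not real victims. It shows one point the numbers above do not make explicit: "average discount" differs depending on whether you divide total paid by total demanded (dominated by the largest demands) or average the per-incident discounts, and downtime is better reported as a median when a few long outages skew the mean.

```python
"""Aggregate ransom statistics from tracked incidents (constructed sample data)."""
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    victim: str
    demand_usd: float             # initial ransom demand
    paid_usd: Optional[float]     # None when no payment was made or none is known
    downtime_days: Optional[float]  # None when downtime was not reported


# Constructed sample records (hypothetical victims, not data from the post).
SAMPLE = [
    Incident("Victim-A", 1_000_000, 250_000, 3),
    Incident("Victim-B", 500_000, None, 12),
    Incident("Victim-C", 2_000_000, 400_000, 5),
    Incident("Victim-D", 150_000, None, 20),
    Incident("Victim-E", 50_000, 50_000, 1),
]


def summarize(incidents):
    """Compute the same headline figures the post reports, plus robust variants."""
    payers = [i for i in incidents if i.paid_usd is not None]
    downtimes = [i.downtime_days for i in incidents if i.downtime_days is not None]

    total_demand = sum(i.demand_usd for i in incidents)
    demand_of_payers = sum(i.demand_usd for i in payers)
    total_paid = sum(i.paid_usd for i in payers)

    # Aggregate discount: (total demanded by payers - total paid) / total demanded.
    # This is what "$51M negotiated down to $12.6M" style figures express.
    aggregate_discount = (
        round(100 * (1 - total_paid / demand_of_payers), 1) if payers else None
    )
    # Per-incident discount averaged: treats a $50k and a $2M case equally.
    per_incident_discount = (
        round(mean(100 * (1 - i.paid_usd / i.demand_usd) for i in payers), 1)
        if payers else None
    )

    return {
        "total_demand_usd": total_demand,
        "incidents": len(incidents),
        "paid_count": len(payers),
        "paid_pct": round(100 * len(payers) / len(incidents), 1),
        "total_paid_usd": total_paid,
        "aggregate_discount_pct": aggregate_discount,
        "per_incident_discount_pct": per_incident_discount,
        "avg_payment_usd": mean(i.paid_usd for i in payers) if payers else None,
        "max_payment_usd": max(i.paid_usd for i in payers) if payers else None,
        "min_payment_usd": min(i.paid_usd for i in payers) if payers else None,
        # Mean is pulled up by long outages; median resists the outliers.
        "mean_downtime_days": mean(downtimes) if downtimes else None,
        "median_downtime_days": median(downtimes) if downtimes else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:28s} {value}")
```

Swap `SAMPLE` for records scraped from a leak-site tracker and the same function yields the figures quoted above; keep `paid_usd` as `None` rather than `0` for unknown cases so they are excluded from the discount and payment averages instead of dragging them down.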
Let’s compare this to some of the newsworthy attacks:
Executive Summary
Metric | Value |
---|---|
Total Cases | 19 |
Industries Impacted | Healthcare (5), Technology (2), Travel (1), Energy (1), Food Supply (1), Insurance (1), Chemicals (1), IT Software (2), Hospitality (2), Consumer Goods (1), Logistics (1), Retail (1) |
Average Ransom Demand | ~$26M (skewed by Kaseya $70M, CNA $60M, Cencora $150M) |
Highest Known Ransom Demand | $150M (Cencora, 2024) |
Average Paid Ransom | $29.6M (based on known payments; Caesars, Cencora, Change Healthcare, CNA, JBS, Colonial, Brenntag, CWT) |
Average Discount (Negotiated vs Demand) | ~44% reduction (CWT, Colonial, JBS, CNA, Brenntag, Cencora) |
% of Cases with Ransom Paid | ~47% (9 of 19 where known) |
Average Downtime | Without the 3 main outliers, the average downtime is 6.5 days; with them, ~3–4 weeks (mean across cases with data; Change Healthcare 9 months and Clorox and Marks & Spencer 6 weeks inflate this) |
Total Estimated Breach Costs | $1.2B+ (removed MOVEit $6–12B) |
Average Breach Cost (depending on removal of outliers) | ~$80-120M per incident |
Regulatory Fines | Reported in 4 cases (Colonial $986K, Cencora $40M claims, Change/Kettering/DaVita HIPAA reviews pending, Medibank pending up to AUD$21.5T theoretical max) |
Records Impacted | ~267M+ individuals (dominated by Change Healthcare 192M, Medibank 9.7M, DaVita 2.7M, MOVEit 60M, Cencora 1.4M, Kettering 1.5M) |
Data Exfiltrated | ~28TBs |
References
Year | Company | Industry | Ransom Demand | Paid? | Downtime | Total Cost | Regulatory Fines | Records Impacted | References |
---|---|---|---|---|---|---|---|---|---|
2020 | Garmin | Technology | $10M | No | 2+ days | $15M+ | Unknown reported | Unknown | Garmin, Heimdal Security |
2020 | CWT Travel | Travel | $10M (paid $4.5M via 414BTC) | Yes | ~3 days | Unknown | None | 2TB | Reuters |
2021 | Colonial Pipeline | Energy | $4.4M (paid 75BTC and 64BTC recovered) | Yes | 5+ days | $25M+ (Inc fuel prices) | $986k fines | 100GBs | BBC, DOT, Coverlink Insurance |
2021 | JBS Foods | Food Supply | $22.5M ($11M paid) | Yes | 3+ days | $15M+ | Unknown | Unknown | Reuters, Wiki |
2021 | CNA Financial | Insurance | $60M ($40M paid) | Yes | ~2 weeks | Unknown | Unknown | Bloomberg, Insurance Journal, 10-K |
2021 | Brenntag | Chemicals | $7.5M ($4.4M paid) | Yes | 1+ weeks | Unknown | Unknown | 150GB stolen | BleepingComputer |
2021 | Kaseya | IT Software | $70M demand | No (Decryptor obtained via FBI) | 10 days | $100M+ | No | 1,500 firms | CSO Online |
2022 | Nvidia | Tech/Hardware | $1M+ (demand) | No | ~1 week | Unknown | Unknown | 1TB data stolen, 71k username/passwords | Security Week |
2022 | Medibank | Healthcare | $10M demand | No | 2+ weeks | $40M+ | Under review (Max potential $21.5T) | 520GB, 9.7M records | Bleeping Computer |
2023 | MGM Resorts | Hospitality | $30M demand | No | 10 days | $100M+ | $0 fines, FTC Investigation Dropped | Unknown | Reuters |
2023 | Caesars Entertainment | Hospitality | $15M demand ($15M paid) | Yes | ~1 week | Unknown | Unknown | 6TBs | CNBC, 8-K |
2023 | MOVEit (not directly impacting the MOVEit company) | Software | ~$10M demand (est $100M in aggregate) | Varies | | est $6-12B, but unknown | Unknown, 144+ class action lawsuits | 60M+ impacted, 2,500 downstream organizations | TechCrunch, Google |
2023 | Clorox | Consumer Goods | Unknown | Unknown | 6 weeks | $380M | Unknown | Unknown | Forbes |
2024 | Change Healthcare | Healthcare | $22M (paid) | Yes | ~9 months | $100M+ | HHS review (max annual penalty $2.1M), plus potential state penalties | 192M+ records | TechCrunch |
2024 | Kettering Health | Healthcare | Unknown | Unknown | Weeks | Unknown (est millions) | HHS review (max annual penalty $2.1M), plus potential state penalties | 1.5M patients (941GB) | Unknown |
2024 | Cencora (AmerisourceBergen) | Healthcare | $150M ($75M paid via 296BTC) | Yes | Unknown | Unknown | HHS review (max annual penalty $2.1M), plus potential state penalties, $40M in claims | 1.4M patients | HIPAA Journal |
2024 | Royal Mail | Logistics | $80M demand | No | ~1 week | $10M+ | Unknown | Unknown | Unknown |
2024 | Marks & Spencer | Retail | Unknown demand | Unknown | ~6+ weeks | $400M+ | TBD | Unknown | Bleeping Computer, BBC |
2025 | DaVita | Healthcare | Unknown | No | Unknown | $13.5M+ | HHS review (max annual penalty $2.1M), plus potential state penalties | 2.7M Patients, 20TB+ | HIPAA Journal |