Skip to content

Table of Contents

Ransomware Recovery Costs Expenses Fees

What Does it Cost to Recover From Ransomware? A Breakdown of Fees & Expenses

After finding out your files are encrypted from a ransomware attack, you may be wondering what it will cost to get those files back and the business up and running again. You’re likely uncertain about the cost of ransomware recovery and the potential hidden costs of being a victim.

This page describes, in detail, the average cost of a ransomware attack, and the fees and expenses you can expect when using a ransomware recovery service. 

As a ransomware recovery service provider, we understand that the cost of ransomware can be a confusing topic. There can be indirect costs your company may not even be aware of. 

We deliver insight into the data recovery fees taken from our own internal 2020 cases to give you an idea of what we observe from the front lines. Also, we provide information on hidden costs to expect while remediating a ransomware attack. We want to ensure you have all the information you need to make your decision to use a ransomware recovery service and what costs you can expect throughout the process.

Whether you decide to remediate a ransomware incident on your own or contact someone else, this piece will give you all the information you need.

Average cost of ransomware recovery

The cost of ransomware recovery may vary depending on the size of your organization, the severity of the ransomware attack, and the country your business is located. Remediation costs include downtime, labor, product cost, network cost, lost opportunity, ransom paid, and/or other damages. 

According to an independent survey conducted with 5,000 IT managers across 28 countries, the average ransomware remediation cost in the United States is $622,596.18, citing the Sophos State of Ransomware 2020 report. Our experts agree with this estimation and agree the average cost of ransomware recovery is dependent on the below range of factors.

Average Ransomware Recovery Costs By Country, Sophos State of Ransomware 2020

Indirect costs of ransomware

If your files are encrypted or locked during ransomware, you are researching the recovery methods and the cost associated with recovering from the attack. Victims of ransomware should understand that the “sticker price” of paying the ransom (to obtain decryption keys) is only a small piece to the larger picture to recovering your data, and there may be hidden costs. 

We will layout all the ransomware costs below, including the average ransom demand, we calculated for 2020.

Here are some expenses you may incur outside of an engagement with a ransomware data recovery service that you must be mindful of:

Business interruption losses

Organizations that fall victim to a ransomware attack might become paralyzed and unable to service clients. In a matter of a few weeks, Danish transportation Giant Maersk suffered up to $300M in damages from business disruption. The company did not pay the ransom nor suffer any data loss. 

No matter what type of business you operate, if you don’t have access to the data needed to run your business, you will suffer disruption losses from ransomware. Someone can easily use a competitor in today’s world with so many options available to you at the press of a button. 

Legal expenses

Ransomware victims may have to engage an attorney to ensure they are following all applicable laws regarding data breaches at their local, state, and federal levels. 

Organizations that host Personally Identifiable Information (PII) or Protected Health Information (PHI) will need additional legal counsel to determine what breach notification laws were triggered and how to let your clients know. These expenses will vary depending on the size of your organization and the industry in which you operate. 

Ransomware recovery services can work with said client’s legal counsel throughout a ransomware incident. It is crucial to preserve the evidence early to ensure there are sufficient forensic artifacts to conduct a forensic investigation thoroughly. 

An example, the IT department may accidentally reformat a device that contains forensic evidence, and therefore it is not possible to investigate the potential breach of data.


If your business operates within the medical, banking, or critical infrastructure agencies, there may be fines associated with a ransomware attack as it relates to a data breach and your failure to protect clients’ data. 

Your legal counsel will help determine if there are breach notification requirements in your specific incident.

Brand damage

Your company has a professional shine, and falling victim to ransomware can tarnish your reputation.

If hackers accessed a client database, a company would be required by law to disclose the breach to their clients. According to research reported by security firm BitDefender, “Businesses can lose half of their customers after a data breach.” 

A recent high profile ransomware case involves the REvil group that hacked a law firm containing data from celebrities, including Madonna, Lady Gaga, Bruce Springsteen, and Christina Aguilera. This case has garnered national media attention. Not all data breaches receive this kind of spotlight; however, these attacks happen every day. Any public relations specialist will tell you repairing the damage is not an easy task.

These losses can be unfathomable, and organizations need to stay resilient as they seek to recover from ransomware. 

How does a ransomware recovery service help?

Ransomware recovery services can help you recover your data from a ransomware attack efficiently and effectively. Most businesses do not staff an expert who specializes in ransomware recovery, and a tested procedure needed to unlock your files. 

In brief, ransomware recovery services can: 

  • Identify ransomware variants 
  • Research the malware to see if it can be decryptable
  • Develop a risk profile based on the ransomware
  • Run sanction compliance checks before submitting ransom payments
  • Provide ransom payments on behalf of the client
  • Troubleshoot issues during the decryption process
  • Repair damaged files

Above all, you should feel confident and comfortable with your ransomware recovery process when working with an expert, and you are informed of all options to recover your files. 

We understand that the nature of ransomware recovery can seem complicated, and you’re not quite sure how these recovery services develop a quote for your specific recovery case. Your ransomware recovery service should be transparent about the direct fees that may arise during the process. 

You should question any ransomware recovery company if they aren’t transparent on the statement of work, outlining the process to recover your locked files. There are also newer services that will only pay the ransom on your behalf (often cheaper), however, they leave you to do all the troubleshooting yourself. 

After an evaluation of your system, a ransomware recovery service establishes a quote for your specific ransomware recovery case: 

What determines ransomware recovery costs?

Understanding what costs might determine your ransomware recovery fees will help you make more informed decisions when looking for services to decrypt your locked files.

Assessment fee

Ransomware recovery services may or may not charge prospective clients for an assessment fee, which will evaluate their current affected systems. We have seen as high as $5,000 for an evaluation or assessment fee, reported by our clients.

Proven Data charges $497 for a standard evaluation and $997 for an emergency evaluation. The emergency evaluation is conducted after business hours and holidays.

Number of encrypted systems

The total number of encrypted systems and networks might be a factor when determining the ransomware recovery cost. The more devices on your network are encrypted, the more resources are allocated to run the decryption utilities, monitor, and troubleshoot any issues that arise.

Before reaching out for a ransomware recovery service, businesses should inventory how many critical computers and servers they are looking to have recovered. This step will expedite the process and help a service provider understand the scope of the ransomware recovery process.

Failing to assess which systems are needed by the organization may result in unforeseen costs if your company discovers other encrypted computers down the road. 

Ransom risk

Some ransomware variants have higher risks when dealing with the ransomware threat actor for unlocking your files. Ransomware recovery experts can help organizations make more informed decisions about ransom risk and engaging with particular ransomware variants.

Common risk factors for ransomware:

  • A threat actor does not provide decryption utility.
  • A threat actor increases ransom demand after payment.
  • A faulty decrypter or bad key is provided.
  • Decrypted files are corrupted and unusable.

Type of ransomware

The decryption process for some ransomware variants is more complex than others and requires multiple steps to complete. 

For example, Sodinokibi ransomware is considered a faster and easier decryption than Dharma or Phobos. This is because with Sodinokibi, the decryption keys are built into the program executable. 

On the other hand, Dharma and Phobos use a public and private key encryption where you actually have to scan for the public key and manually enter the private key. 

Therefore, the type of ransomware could affect the ransomware recovery cost.

Speed of service

Depending on how quickly you need your files back will impact the quote you receive from a ransomware recovery service.

For example, Proven Data provides several service levels for ransomware recovery, depending on how quickly clients will need their files decrypted. 

It is important to note that there are some factors which affect how fast your files can be recovered. This includes responsiveness of the threat actor (where applicable), the number of systems which require restoration, and the total number of files/file sizes.

Here are our service levels and average turnaround times:

  • Standard: 3-5 business days on average
  • Expedited: 2-3 business days on average
  • Emergency: 24/7 service until completion, usually within 24-48 hours on average

For example, so far in 2020, the average Proven Data service fees for ransomware recovery (not including ransom payments where applicable) through May have been:

  • Standard: $1,924
  • Expedited: $3,645
  • Emergency: $4,967

Ransom demand

We explained in detail how some victims might only have the option of paying the ransom to recover their files in our guide ‘How Ransomware Encryption Happens & 4 Methods for Recovery’. To decrypt their data, businesses that choose to pay the ransom will have to include the cryptocurrency payment to the ransomware threat actor.

$ 0
Average negotiated ransom demand in 2020 based on previous cases from Proven Data

How do cyber attackers determine the ransomware price?

Ransomware operators will make the initial demand for the ransomware price either accessible via a Tor link or instruct you to contact them via email. It can be random, or they might have a system in place. 

Based on our experience, here are some ways we believe the cyber extortionists might choose their price:  

  • The size of the company
  • The number of devices on a network
  • The type of company
  • Their perceived ability to pay (probing financial statements & bank records)
  • Random demand

However, in each case, it is not entirely known how the cyber attackers come to a definitive ransomware price. A further digital forensics investigation can reveal network activity and learn more about their probing efforts.

Ransom payment increase

Something to consider is that you might have to make a second payment after the threat actor agrees to an amount. This is a trend we have observed and still continues in 2021.

Some ransomware groups are known to continue the extortion of their victims after they have paid. This type of behavior can be difficult to curtail, as they demand extra money just to unlock your files.

A ransomware recovery service can inform you if this might happen and take precautions during the negotiation process to reduce your risk.

Does cyber insurance cover ransomware recovery cost?

Businesses recovering from a ransomware attack may be wondering if these fees & expenses will be coming out of pocket to recover their locked files. 

We recommend that you reach out to your insurance provider and see what ransomware coverage your existing policy includes. Your insurance broker will be able to review if you have coverage such as:

  • Business interruption 
  • Extortion
  • Computer data loss and restoration
  • Information privacy
  • Network security 

These coverages might be used to help finance and reduce your ransomware recovery costs. 

Can you recover ransomware by yourself?

Some firms may want to pay the ransom on their own, and that is perfectly understandable if you have the qualified internal staff to do so. DIY ransomware recovery is an option that may cut costs for your business to unlock your files. 

Is ransomware recovery right for you?

Is ransomware recovery is as simple as making a ransom payment? Unless you’re an IT Security professional and depending on the ransomware variant, probably not. 

Ransomware recovery is a tricky area, one that does not have enough awareness around. Letting the professionals do what they do best will ensure your systems are restored quickly, correctly, and efficiently while keeping the bad guys off your systems.

If you believe you have extensive IT knowledge and are willing to accept the risks, it might be worth trying to perform your own ransomware recovery.

At Proven Data, we take the uncertainty and some elements of the risk out of the equation. Expect a transparent and streamlined process that puts you at ease. You can rely on one of the first ransomware recovery organizations that has recovered data from ransomware attacks since 2015. 

If you would like to speak with us about how we can recover your locked files, we’re here to help. 

Remember, whether you choose Proven Data to assist you in ransomware recovery or choose another service provider… you must make sure to secure your network from ransomware

Next steps for ransomware recovery

Are you a victim of ransomware and need assistance?

Was this content helpful?

Popular Insights