Global Cost of Ransomware Study: What the Numbers Tell Us

Your entire organization grinds to a halt. Files encrypted, operations frozen, and customers impacted. The ransom demand is just the beginning. Welcome to the all-too-real chaos of a ransomware attack.

Ransomware isn’t something that might happen. It’s reality, and businesses get hit every day.

Illumio’s new Global Cost of Ransomware Study uncovers the true toll of these attacks. We spoke with Trevor Dearing, Illumio’s director of critical infrastructure solutions, to unpack the report’s insights and understand the right way forward.

Q: The report highlights a sharp increase in organizations shutting down due to ransomware — up from 45% in 2021 to 58% today. What does this tell us about ransomware’s evolution?

That jump from 45% to 58% is one of the most powerful statistics in the report. It shows a shift in attacker tactics. They’re not just stealing data anymore — they’re using ransomware to create disruption.

Think about what happens when a hospital, an energy grid, or a manufacturing plant shuts down. Look at the recent attack on Synnovis that halted 1,130 planned operations and 2,190 outpatient appointments at London hospitals. Or even the attacks on Germany’s Südwestfalen IT that paralyzed 70 municipalities and affected 1.6 million citizens. Ransomware’s impact goes far beyond IT. It threatens operational resilience and even public safety.

This focus on disruption makes ransomware more dangerous than ever. Attackers know they can extort much larger ransoms by halting operations rather than stealing records.

The World Economic Forum’s Global Cybersecurity Outlook from both 2024 and 2025 highlight this shift. In fact, 45% of cyber leaders surveyed in this year’s report said they’re concerned about disruption to operations and business processes due to ransomware. This is a shift from previous years when data theft was the biggest worry.

And honestly, many organizations aren’t ready for this. They’re still worried about preventing and detecting breaches. In reality, they should be focusing on breach containment strategies that keep them resilient against inevitable attacks.

Q: Organizations dedicate nearly a third of their IT budgets to ransomware defense, and yet 88% still report being victims. Where’s the disconnect?

It’s not about how much organizations are spending. It’s about how they’re spending it.

Budgets are rising year over year, but the investment is often misplaced. Too many organizations are still focused on preventing breaches. But the truth is, you can’t stop everything. Attackers will find a way in.

Right now, there’s a lot of overconfidence and complacency. Organizations think they’re prepared, but the numbers tell a different story.

What’s needed is a shift in mindset. Instead of pouring resources into stopping every possible attack, organizations need to prioritize resilience — limiting the impact of an attack once it happens. This means investing in things like breach containment and basic security hygiene.

Another issue is complexity. The more complex your security environment, the harder it is to respond effectively. Simplifying your tools and focusing on reducing the attack surface can make a huge difference.

Q: The report states that ransomware attacks take an average of 132 hours and 17.5 people to contain and remediate. Why does recovery require so many resources?

Ransomware recovery is a massive drain. It’s not just about the immediate financial cost — though that’s significant — it’s about the time and opportunity cost. You’re pulling key people away from their day-to-day responsibilities to deal with the fallout.

Essentially, it’s like assigning multiple full-time employees for a year to remediation.

A big part of the problem is that many organizations still don’t have effective containment strategies in place. When an attack spreads across systems, it takes exponentially more time and resources to recover.

The time, cost, and resources put into ransomware attacks won’t start decreasing until organizations have tools in place that will contain breaches.

Q: Cloud and hybrid environments are cited as particularly vulnerable. Why is that?

Cloud environments are inherently complex, and that complexity creates vulnerabilities.

Organizations often struggle with visibility. They don’t know what’s at risk. Legacy systems in hybrid setups compound the problem. Many of these systems can’t be patched, either because of operational constraints or because they’re simply too old.

Another issue is skepticism around automatic updates. IT incidents like those in July 2024 have made organizations wary of patching, even when it’s necessary. But leaving systems unpatched is like leaving your front door wide open for attackers.

The key is balancing patch management with reducing risk. If you can’t patch immediately, you need to control access to those systems until you can.

Microsegmentation is critical here. It allows you to isolate vulnerabilities while maintaining operations.

Q: Why are backups alone not a sufficient defense against ransomware?

Backups are essential, but they’re not a silver bullet. One of the biggest risks is overconfidence. Organizations assume that as long as they have backups, they’re safe. But the reality is far more complicated.

If attackers have already infiltrated your network, you could end up backing up malware without realizing it. Even when backups work as intended, restoring systems takes time — time you might not have during a ransomware attack.

And let’s not forget the risk of something going wrong in the backup process. It’s a fragile solution that can’t be your only line of defense.

The goal should be to combine backups with containment. If you can reduce the number of systems impacted by an attack, you’ll have fewer systems to restore, making the recovery process faster and less costly.

Q: What are the most immediate steps organizations should take to improve their ransomware resilience?

Resilience starts with adopting a Zero Trust strategy. Assume breach and focus on limiting the impact.

Microsegmentation is a foundational tool for Zero Trust. It allows you to isolate threats quickly which in turn reduces downtime and recovery costs.

Containment is key. The faster you can isolate an attack, the faster you can recover.

Organizations also need to get the basics right. Simplify your security tools, train your teams, and ensure you have a solid incident response plan in place.

Resilience isn’t just about preventing attacks — it’s about being prepared to recover when they happen.

Q: What does the report tell us about supply chain security?

The increased confidence in supply chain security really caught my attention.

While it’s good to see organizations raising their expectations for third-party security, it’s dangerous to rely too heavily on your suppliers’ security. You can’t control what’s happening in their environments or how seriously they take security at their organization.

But you can control what they have access to in yours.

This is where Zero Trust comes into play. It’s not about trusting your suppliers less — it’s about trusting them differently. Limit their access, prepare for the worst, and focus on securing your own environment.

I see supply chain attacks are one of the biggest risks out there. It’s up to organizations to take responsibility for their own security.

Contain ransomware with Illumio

Ransomware is relentless, but it doesn’t have to devastate your business. Illumio Zero Trust Segmentation (ZTS) is built to contain ransomware at its core by stopping its ability to spread across your network. Even if attackers breach your defenses, Illumio ensures the damage is limited, isolating the threat before it can spread to critical systems.

Illumio provides granular visibility into all your workloads, applications, and environments. You can see exactly how systems communicate, making it easier to identify vulnerabilities and pinpoint unusual activity. This insight allows you to create and enforce microsegmentation policies that block unauthorized access in real time.

With Illumio, ransomware doesn’t have room to operate. By containing the blast radius of an attack, you safeguard sensitive data, maintain operational continuity, and avoid costly disruptions.

Download your free copy of The Global Cost of Ransomware Study today.