Introduction

The title of this article is deliberately uncomfortable. Ransomware is not an investment. It is a cost, one that organisations overwhelmingly underestimate, miscalculate, or ignore entirely until the invoice arrives. And the invoice has grown dramatically.

In 2025, ransomware appeared in 44% of all data breaches globally, up from 32% the year before. For European organisations, the question is no longer whether ransomware will affect your business. It is whether the economics of your cybersecurity investment make sense given the near-certainty of an attempt.

This article examines the real costs of ransomware, the evolution of extortion tactics, and why thinking about ransomware as an ROI calculation is exactly the conversation your leadership team needs to have.

When boards think about ransomware costs, they typically think about the ransom payment. In 2025, the median ransom paid was approximately €106,000 (Verizon 2025 DBIR). Sophos reports a much higher median of approximately €920,000 for larger organisations. The gap reflects sample composition: the DBIR covers a broader population including SMBs, while Sophos surveys skew toward mid-to-large enterprises. That initial figure is misleading in two ways: it understates the payment for large organisations and entirely ignores the true cost.

The ransom payment itself is typically the smallest component of a ransomware incident. The average total cost of a breach where ransomware was disclosed by the attacker reached €4.7 million in 2025. For Benelux organisations specifically, the average breach cost sits at €5.4 million, the third highest globally, behind only the United States and the Middle East.

| Cost category | What it covers | Typical impact |
| --- | --- | --- |
| Detection and investigation | Forensic analysis, assessment services, crisis management, external audits | €1.47 million average |
| Containment and recovery | Incident response, system restoration, data recovery, and business continuity measures | 65% not fully recovered; 76% took 100+ days |
| Notification and compliance | Customer notification, regulatory reporting, legal counsel, credit monitoring | NIS2 fines up to €10 million or 2% of turnover |
| Business disruption | Lost revenue, operational downtime, supply chain delays, contract penalties | 100+ days average degraded operations |
| Reputational damage | Customer churn, brand devaluation, lost deals, increased acquisition costs | Long-tail impact, hard to quantify |
| Extortion and ransom | Ransom payment (if any), negotiation costs, cryptocurrency handling | Median €106K (Verizon) to €920K (Sophos) |

This breakdown makes the €5.4 million total feel justified and tangible. Detection and investigation costs exceed €1.4 million before the organisation has even begun recovery. Operational disruption extends across months. Regulatory exposure carries fines of up to €10 million or 2% of global turnover. The ransom itself is often the smallest line item.

The evolution of extortion: from single to quadruple

The ransomware business model has evolved with the sophistication you would expect from any profitable criminal enterprise. Understanding this evolution is essential to calculating your real exposure:

Single extortion (encryption only) was the original model: encrypt your data, demand payment for the decryption key. Organisations that maintained good backups could recover without paying. That created a market problem for the attackers.

Double extortion (encryption plus data exfiltration) solved it. Attackers now steal your data before encrypting it, threatening to publish sensitive information on leak sites. Even if you restore from backups, the data is out. This is currently the dominant tactic.

Triple extortion adds distributed denial-of-service (DDoS) attacks on top of encryption and data theft, compounding operational disruption and creating urgency to pay.

Quadruple extortion adds direct harassment of customers, employees, executives, and media. Attackers contact your clients individually, notify journalists, and pressure executives personally. The reputational damage becomes a lever independent of the operational impact.

Each layer of extortion increases both the cost and the complexity of response. An organisation prepared for single extortion through good backups is woefully unprepared for quadruple extortion, where the attacker controls multiple pressure channels simultaneously.

The scale of the ransomware economy is difficult to overstate:

88 active ransomware groups were observed operating in Q3 2025 alone, up from 65 in the prior quarter. This is an industrialised ecosystem with specialisation, supply chains, and customer service operations.

CL0P claimed 385 attacks in February 2025, a record for a single group in a single month. Qilin accounted for approximately 18% of all claimed victims globally and rapidly emerged as a dominant operator.

In Belgium, the Centre for Cybersecurity Belgium recorded 105 ransomware notifications in 2025. Active groups targeting Belgian organisations include Qilin, Akira, Clop, INC Ransom, Warlock, LockBit 3.0, Lynx, and SafePay.

SMBs are disproportionately affected: 88% experienced ransomware attacks. The myth that attackers only target large enterprises has been comprehensively debunked.

Despite this, a concerning trend emerged in the IBM 2025 report: only 49% of organisations plan to increase security investment after a breach, down from 63% in 2024. The market is becoming desensitised to ransomware risk precisely as that risk accelerates.

The AI accelerant

Generative AI has lowered the barrier to entry for ransomware operations. Groups like FunkSec and Black Basta are using large language models to create ransomware code. AI reduces the time to craft a convincing phishing email from 16 hours to 5 minutes. Synthetically generated malicious email text has doubled over two years.

The implication is clear: the volume and quality of attacks will increase. Organisations that were previously below the threshold of attacker attention will find themselves targeted as AI reduces the cost of each attack to near zero.

The ROI calculation your board needs to see

Take a mid-sized Belgian organisation with €200 million in annual revenue:

Expected cost of a ransomware breach: €5.4 million (Benelux average). This includes direct costs, operational disruption, regulatory penalties (NIS2 fines up to €10 million or 2% of turnover), and reputational impact.

Probability of experiencing a breach: With ransomware in 44% of all breaches, 88 active groups, and a 70% surge in Belgian incidents, the probability for any given organisation in a one-year window is non-trivial. Over a three-year horizon, it approaches near-certainty for organisations without adequate defences.

Cost reduction from security investment: IBM’s data shows that organisations with extensive AI and automation in their security operations save €1.8 million per breach. A DevSecOps approach reduces costs by 4.7%. Threat intelligence by 4.3%. Attack surface management by 3.3%. These are not abstract percentages. They translate to hundreds of thousands of euros in avoided cost.

The investment in continuous security operations, vulnerability management, attack surface monitoring, and threat intelligence is a fraction of the expected cost of a single ransomware incident. The ROI is not speculative. It is mathematically compelling.
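An added example, not from the article, that puts the figures above into an annualised loss expectancy (ALE) and return-on-security-investment (ROSI) calculation. The €5.4 million breach cost, the €1.8 million saving and the three percentage reductions are the values the article cites; the annual breach probability, the programme cost and the multiplicative combination of the percentage reductions are assumptions to replace with your own estimates.

```python
"""ALE / ROSI model for the ransomware ROI argument (added example)."""

BREACH_COST_EUR = 5_400_000           # Benelux average total breach cost (article)
AI_AUTOMATION_SAVING_EUR = 1_800_000  # per-breach saving with extensive AI/automation (article)
PRACTICE_REDUCTIONS = {               # per-breach cost reductions cited from IBM data (article)
    "devsecops": 0.047,
    "threat_intelligence": 0.043,
    "attack_surface_management": 0.033,
}


def multi_year_probability(annual_p: float, years: int) -> float:
    """P(at least one breach in `years`), assuming independent years."""
    if not 0.0 <= annual_p <= 1.0 or years < 1:
        raise ValueError("annual_p must be in [0, 1] and years >= 1")
    return 1.0 - (1.0 - annual_p) ** years


def combined_reduction(fractions) -> float:
    """Combine reductions multiplicatively (ASSUMPTION: independent effects).
    This is more conservative than simply adding the percentages."""
    remaining = 1.0
    for f in fractions:
        remaining *= 1.0 - f
    return 1.0 - remaining


def mitigated_breach_cost(base_cost: float, flat_saving: float, fractions) -> float:
    """Apply the flat AI/automation saving, then the percentage reductions."""
    return max(0.0, base_cost - flat_saving) * (1.0 - combined_reduction(fractions))


def rosi(annual_p: float, base_cost: float, mitigated_cost: float, programme_cost: float) -> float:
    """(ALE reduction - programme cost) / programme cost, with ALE = annual_p * cost."""
    if programme_cost <= 0:
        raise ValueError("programme_cost must be positive")
    ale_reduction = annual_p * (base_cost - mitigated_cost)
    return (ale_reduction - programme_cost) / programme_cost


if __name__ == "__main__":
    annual_p = 0.25            # ASSUMED placeholder: use your tailored risk estimate
    programme_cost = 400_000   # ASSUMED placeholder: yearly cost of continuous security operations
    mitigated = mitigated_breach_cost(BREACH_COST_EUR, AI_AUTOMATION_SAVING_EUR,
                                      PRACTICE_REDUCTIONS.values())
    print(f"3-year breach probability: {multi_year_probability(annual_p, 3):.0%}")
    print(f"mitigated cost per breach: EUR {mitigated:,.0f}")
    print(f"ROSI: {rosi(annual_p, BREACH_COST_EUR, mitigated, programme_cost):.0%}")
```

With the placeholder inputs, a 25% annual probability already gives a 58% chance of at least one breach over three years, which is the three-year-horizon point the article makes.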

From calculation to action: turning numbers into your numbers

Understanding the economics is the first step. Turning that understanding into action requires a different approach to security.

Industry averages show what happens to organisations like yours, but every organisation has a unique threat profile. A tailored risk evaluation combines adversary simulation with threat intelligence specific to your industry, geography, and infrastructure. The result is not a generic maturity score, but a realistic estimate of your breach probability and financial exposure based on the attack paths an adversary would actually use against your environment.

The same methodology applies to M&A cyber due diligence. Understanding a target’s real cyber exposure, not just its compliance status, is essential to accurate valuation.

Whether protecting your organisation or evaluating an acquisition, the starting point is the same: understand what an attacker actually sees. Not what policies claim, but what your real attack surface reveals. That clarity transforms cybersecurity from a cost centre into a strategic investment.

From calculation to strategy

Understanding the economics is the first step. Translating that understanding into action requires a shift in how organisations approach security:

Move from periodic to continuous. Annual penetration tests and quarterly scans were designed for a world where threat actors moved slowly. With 88 ransomware groups operating simultaneously and AI-accelerated attack capabilities, you need continuous visibility into your vulnerabilities and attack surface.

Prioritise based on real threat exposure. Not every vulnerability carries the same risk. Start from your actual threat landscape: which groups target your industry, which attack vectors they use, which of your assets are exposed. Prioritise remediation based on real-world exploitation probability, not generic severity scores.

Test your response before you need it. A ransomware incident is not the time to discover gaps in your backup strategy, your communication plan, or your legal response. Realistic adversary simulation that includes ransomware scenarios, from initial access through encryption through quadruple extortion, reveals whether your organisation can actually respond.

Present the business case. Frame cybersecurity investment in the language of risk reduction and financial impact, not technical metrics. A board understands "a €5.4 million average breach cost, reduced by €1.8 million with the right security operations" far better than "we need to reduce our mean time to patch."

The question is not if, but when and how much it will cost

Ransomware is a business risk. It has clear financial parameters, quantifiable probabilities, and proven mitigation strategies. Treating it as a purely technical problem, or worse, as someone else’s problem, is a governance failure.

The organisations that frame cybersecurity as an investment with measurable ROI, rather than a cost centre with unpredictable returns, are the ones that will navigate the next five years successfully. The economics are clear. The threat is accelerating. The only question left is whether your investment matches your exposure.

At asUgo, we help organisations translate cyber risk into actionable business strategy through continuous security operations, attack surface management, threat intelligence, adversary simulation, and cyber due diligence services. Because effective cybersecurity is not only about protection, it is about enabling resilience, operational continuity, and long-term business value.

Sources:

  1. IBM, Cost of a Data Breach Report 2025
  2. Verizon, 2025 Data Breach Investigations Report
  3. Akamai, State of the Internet: Ransomware Trends 2025
  4. CrowdStrike, 2026 Global Threat Report
  5. Centre for Cybersecurity Belgium (CCB), Cyber Threat Landscape Belgium 2025
  6. CrowdStrike, 2025 European Threat Landscape Report
  7. Sophos, The State of Ransomware 2025

Author: Robin Descamps, Head of Security, asUgo
