Cyber Cost Crisis: Ransomware Demands Spike 70% as Lawsuits Surge
- Ransomware demands surged 70% in 2025, with an average initial demand reaching $4.2 million.
- Class action lawsuits after breaches increased to 14% of cases in 2025, up from 9% in 2024.
- AI-driven attacks are escalating, with phishing now accounting for 30% of breaches and third-party vendor failures causing 25% of incidents.
Experts agree that the cyber threat landscape is rapidly evolving, with ransomware costs and legal liabilities rising significantly, driven by AI advancements and supply chain vulnerabilities.
WASHINGTON, D.C. – March 26, 2026 – The financial and legal fallout from data breaches escalated dramatically in 2025, with ransomware gangs demanding exponentially higher ransoms and class action lawsuits becoming a far more common consequence of cyberattacks. A new report from the law firm BakerHostetler paints a stark picture of a threat landscape where familiar dangers like phishing are being amplified by artificial intelligence and persistent supply chain vulnerabilities, creating a costly and complex new reality for organizations of all sizes.
Drawing on firsthand data from over 1,250 security incidents it managed for clients, the 12th annual Data Security Incident Response (DSIR) Report provides a unique, in-the-trenches view of the escalating cyber crisis. The findings underscore a perilous environment where the cost of an attack is no longer just the ransom paid, but a cascade of expenses from forensic investigations, regulatory fines, and a growing likelihood of being taken to court.
“As a firm, our competitive advantage stems from the unique perspective we gain by managing incidents, litigation and regulatory investigations across entities of all sizes,” said Theodore J. Kobus III, chair of BakerHostetler’s Digital Assets and Data Management Practice Group. “It helps us provide clients with the data-driven clarity needed to navigate cyber risks of any nature.”
The Soaring Price of a Breach
The most alarming trend highlighted in the report is the staggering increase in ransomware costs. The average initial demand from attackers spiked by 70% in 2025, reaching $4.2 million. While negotiation remains a critical tool—often taking 20 to 60 days to achieve discounts between 50% and 75%—the final average payment still climbed by 36% to $682,702.
This trend, however, exists within a complex payment landscape. While BakerHostetler’s data shows a sharp rise in the average payment, other industry analyses, such as the Verizon 2025 Data Breach Investigations Report, noted a decrease in the median payout, suggesting that while some attacks are commanding massive sums, many smaller organizations may be successfully refusing to pay. Nonetheless, for those who do pay, the costs are climbing.
Compounding the financial pressure is a dramatic surge in legal liability. The likelihood of a class action lawsuit being filed after a disclosed incident jumped significantly, occurring in 14% of cases in 2025, up from just 9% the previous year. The report reveals that large organizations, particularly those with over $5 billion in revenue, now face a high probability of litigation even for breaches affecting fewer than 1,000 individuals. In total, 68 lawsuits were filed in the 482 disclosed incidents analyzed, a notable increase from 51 lawsuits in 518 incidents in 2024, signaling a more aggressive legal environment for victim organizations.
AI and Vendors: The New Frontiers of Attack
While phishing remains the most common initial cause of security incidents, accounting for 30% of breaches, the methods of attack are rapidly evolving. The report identifies artificial intelligence as a “tipping point” technology that is dramatically increasing the speed, scale, and sophistication of cyberattacks. This has ignited what many experts call an “AI arms race,” where both attackers and defenders are leveraging advanced algorithms.
Cybercriminals now use AI to generate hyper-personalized and grammatically flawless phishing emails that are far more convincing than their predecessors. Beyond phishing, attackers are weaponizing deepfake audio and video to impersonate executives and authorize fraudulent transactions, creating a new and dangerous form of social engineering. AI is also being used to develop polymorphic malware that constantly alters its code to evade detection and to automate vulnerability scanning on a massive scale.
Alongside the rise of AI, the report underscores the persistent and growing threat posed by third-party vendors. Vendor-related failures were the root cause of 25% of all matters analyzed, a figure that aligns with broader industry trends. Other reports confirm this vulnerability, with some indicating that third-party involvement in breaches has doubled and that a significant portion of all ransomware attacks now originate through the supply chain. This highlights a critical weakness for many organizations, as their own security posture is only as strong as that of their least secure partner.
Navigating a Maze of Regulation and Risk
The increasingly dangerous threat landscape is matched by a more complex and fragmented regulatory environment. The proliferation of AI has spurred a wave of new state-level regulations, creating a compliance patchwork that challenges businesses operating across the country. States like California, Texas, and Colorado have enacted their own rules governing AI transparency, bias, and data usage, forcing companies to develop flexible governance programs to navigate the differing requirements.
This heightened scrutiny is particularly acute in the sectors most frequently targeted by attackers. Healthcare remained the most affected industry, accounting for 27% of incidents. Its vulnerability stems from holding highly valuable patient data (PHI), its reliance on often-insecure legacy medical devices (IoMT), and the critical need for operational continuity, which makes it a prime target for ransomware. The finance and insurance sector (18% of incidents) is targeted for direct monetary gain and faces intense regulatory pressure from bodies like the SEC and FTC.
Business and professional services firms (15% of incidents), which handle vast amounts of sensitive client data and intellectual property, are also prime targets, often exploited through their heavy reliance on email and human interaction. The challenge for all these sectors is to balance security investments against a backdrop of increasing operational complexity and regulatory demands.
“We are proud that the DSIR Report has become a trusted resource,” said Craig Hoffman, co-leader of BakerHostetler’s Digital Risk Advisory and Cybersecurity team. “Looking back at the data gives us the ability to deliver clear and actionable advice during incidents, as part of building compliance programs and solving challenges related to data and technology.”
Even as organizations get faster at certain aspects of incident response—the time to notify individuals improved by three days due to quicker forensic investigations—the overall costs continue to rise. The price tag for the largest and most complex investigations grew by more than 10% in 2025, a clear sign that in the ongoing battle against cyber threats, progress in one area is often met with escalating challenges in another.
