
Should you pay the ransom? What ransomware actually costs an SME

The ransom is rarely the biggest line on the invoice. A practitioner's breakdown of recovery, downtime and the pay-or-don't-pay decision for small and mid-sized businesses.

Published on 5 min read

The ransom note is the part everyone fixates on. It is almost never the expensive part.

When a mid-sized company gets hit, the number that ends up on the board slide is not the demand. It is the three weeks of half-working operations, the incident response retainer that bills by the hour, the overtime, the rebuilt domain controllers, and the customers who quietly moved on while the phones were down. The ransom, if it gets paid at all, is one line in a much longer invoice.

That matters for the decision, because if you only think about the ransom you ask the wrong question.

Where the money actually goes

Break a ransomware incident into its real components and the ransom shrinks fast.

Recovery is the big one. Rebuilding from a clean state means reimaging endpoints, restoring servers, validating backups, rotating every credential that touched the environment, and doing forensics so you know the attacker is actually gone and not sitting on a dormant scheduled task. In our model the base recovery cost for a roughly 10M-revenue firm sits around 150,000 USD before sector and size adjustments, and that excludes the ransom entirely. It is staff time, external responders and the slow grind of getting back to "trusted."

Then downtime. A material ransomware event takes a small business down for several days and a mid-market firm closer to a week or two of degraded operations. You do not lose 100% of revenue during that window, because some of the business keeps limping along, but you lose a meaningful chunk of it every day. Multiply daily revenue by the days down by the fraction you actually lose and the business interruption line often rivals recovery on its own.

The ransom, when paid, anchors around 140,000 USD in our SME calibration. And it is only paid roughly 40% of the time across the blended population (Coveware reports closer to a quarter of victims paying in recent quarters; Sophos finds higher rates in the mid-market). So on an expected-value basis, the ransom is frequently the smallest of the three big costs.

This is grounded in claims data, not vendor fear marketing. NetDiligence's cyber claims study puts the average SME incident near 264,000 USD total, and the striking finding is that total cost tracks revenue, not the number of records you lost. The ransom is a slice of that, not the whole pie.
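The three-component model above (recovery, business interruption, expected ransom) is easy to put into code so you can argue with each input. The block below is an added example, not the article's calculator or the published methodology; it uses the article's calibration points (150,000 USD base recovery, 140,000 USD ransom, 40% pay rate, a roughly 10M-revenue firm) and fills in the inputs the article leaves open with labelled assumptions: 250 business days per year, 10 days of degraded operations, and a 50% loss of daily revenue while degraded.

```python
"""Expected-cost model for a ransomware incident at an SME.

Added example, not the article's own tooling. It implements the three
components the article describes:
  recovery  +  (daily revenue x days down x fraction lost)  +  ransom x P(pay)
Calibration constants come from the article; per-day parameters are assumptions.
"""
from dataclasses import dataclass

BUSINESS_DAYS_PER_YEAR = 250  # assumption: revenue accrues on working days only


@dataclass
class IncidentInputs:
    annual_revenue: float         # USD
    recovery_cost: float          # USD, base recovery before sector/size adjustments
    days_down: float              # days of degraded operations
    revenue_loss_fraction: float  # share of daily revenue lost while degraded (0..1)
    ransom_demand: float          # USD
    pay_probability: float        # blended probability the ransom is actually paid (0..1)


def business_interruption(inp: IncidentInputs) -> float:
    """Daily revenue x days down x fraction of revenue actually lost."""
    daily_revenue = inp.annual_revenue / BUSINESS_DAYS_PER_YEAR
    return daily_revenue * inp.days_down * inp.revenue_loss_fraction


def expected_ransom(inp: IncidentInputs) -> float:
    """Ransom demand weighted by how often it is paid."""
    return inp.ransom_demand * inp.pay_probability


def cost_breakdown(inp: IncidentInputs) -> dict:
    """Return each component, the total, and which component is smallest."""
    components = {
        "recovery": inp.recovery_cost,
        "downtime": business_interruption(inp),
        "expected_ransom": expected_ransom(inp),
    }
    total = sum(components.values())
    return {
        **components,
        "total": total,
        "ransom_share": components["expected_ransom"] / total,
        "smallest_component": min(components, key=components.get),
    }


def ransom_share_sensitivity(inp: IncidentInputs, pay_probabilities) -> dict:
    """Ransom's share of expected total cost across a range of pay rates.

    Useful for checking the article's claim against other published pay
    rates (e.g. ~0.25 from Coveware, 0.40 blended, 1.0 if you assume you pay).
    """
    shares = {}
    for p in pay_probabilities:
        variant = IncidentInputs(**{**inp.__dict__, "pay_probability": p})
        shares[p] = cost_breakdown(variant)["ransom_share"]
    return shares


# Constructed scenario: ~10M-revenue firm with the article's calibration points
# and the assumed downtime parameters noted in the module docstring.
SAMPLE_FIRM = IncidentInputs(
    annual_revenue=10_000_000,
    recovery_cost=150_000,
    days_down=10,
    revenue_loss_fraction=0.5,
    ransom_demand=140_000,
    pay_probability=0.40,
)

if __name__ == "__main__":
    result = cost_breakdown(SAMPLE_FIRM)
    for name, value in result.items():
        print(f"{name:>20}: {value:,.2f}" if isinstance(value, float) else f"{name:>20}: {value}")
    for p, share in ransom_share_sensitivity(SAMPLE_FIRM, (0.25, 0.40, 1.0)).items():
        print(f"pay probability {p:.2f} -> ransom share of total {share:.1%}")
```

Under these assumptions the ransom line comes out at 56,000 USD expected against 150,000 USD recovery and 200,000 USD business interruption, roughly 14% of the total. The sensitivity loop makes the point more sharply: even if you assume the ransom is paid every time, 140,000 USD is still below the base recovery figure, so the ordering of the three costs does not depend on the pay rate.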

The decision, honestly

Here is the uncomfortable version most vendors will not say plainly.

If you have offline, tested, restorable backups, you almost certainly should not pay. Not for moral reasons, though those exist, but because paying buys you very little. The decryptor you get is often buggy and slow. Operators ship tooling that corrupts large files, chokes on databases, and processes one host at a time while your team sits idle. Restoring from a known-good backup is frequently faster than babysitting an attacker's decryptor, and at the end of it you actually trust your environment.

Paying also does not make the breach go away. By the time ransomware detonates, the data is usually already gone. Double extortion is the norm now: they encrypt and they exfiltrate, then they threaten to leak. Paying the decryption demand does nothing about the copy sitting on their infrastructure, and "we deleted it, here is a screenshot" is worth exactly nothing. You are negotiating with people whose entire business model is breaking promises.

The honest case for paying is narrow. Backups are gone or were encrypted too (because they were online and reachable, which is the single most common backup failure I see). The downtime is genuinely existential. The decryption is the only path that keeps the company alive. In that situation paying can be rational, and there is no shame in it, but go in knowing you are buying a chance, not a fix, and that you are now on a list of organizations known to pay.

One operational reality people forget: sanctions. Some ransomware operators are tied to sanctioned entities, and paying them can itself be illegal depending on your jurisdiction. This is exactly why bringing in legal counsel and, frankly, a professional negotiator early matters. Do not let the IT lead wire crypto at 2am because the CEO is panicking.

Why backups are where the real argument is

The entire pay-or-don't-pay debate collapses into one prior question: can you restore?

And "we have backups" is not the same as "we can restore." The failures are predictable. Backups sit on a share the attacker reached and encrypted along with everything else. Nobody ever tested a full restore, so you discover during the incident that the last six months of backups were silently failing. The restore works but takes four days you do not have. Recovery time objectives existed on paper and meant nothing in practice.

If you want to make ransomware boring, this is where the money goes. Offline or immutable backups, an actual tested restore on a schedule, and a recovery runbook someone has rehearsed. None of it is glamorous. All of it is cheaper than one incident.

Run your own numbers

Sector, size and revenue move these figures a lot. Healthcare and finance carry meaningfully higher frequency and severity; a 2M-revenue firm and a 40M-revenue firm are not in the same conversation. You can model your own exposure across ransomware and the four other scenarios that usually come with it, and every constant above is published in the methodology with its source so you can argue with the assumptions.

If you only take one thing from this: stop pricing the ransom. Price the recovery.
