SME ransomware cost: the real budget of a 2026 cyberattack



The cost of ransomware for an SMB is rarely limited to the ransom alone. In 2026, a French SMB must above all anticipate business interruption, backup restoration, technical expertise, legal matters, and communications. For a moderate incident, French public estimates often range from a few tens of thousands to more than €100,000, while major international studies measure much higher average costs.



Ransomware cost for SMBs: why the figures vary so much

Ransomware is malicious software that encrypts your files to make them unusable, then demands payment. The problem, for a business leader, is that two apparently similar attacks can produce very different bills. A company with tested backups can sometimes restart in a few days. Another discovers that its backups are contaminated, incomplete, or can never be restored.

The available figures show this clearly. IBM reported in 2025 a global average data breach cost of $4.44 million, and €3.59 million for France according to the IBM/Ponemon figure cited that same year. But these averages concern data breaches, not only SMBs nor only ransomware. They are driven upward by large corporations, heavy regulatory cases, and massive data volumes.

At the other end, an Asterès/CRIP study from 2023 estimated the average direct cost of a successful cyberattack in France at €25,600, excluding any ransom. Useful, but older and not specific to ransomware. ANSSI also points out in its 2025 threat panorama that reliable public figures on the cost of ransomware for SMBs remain rare and inconsistent.

The right approach is therefore to think in terms of cost items, not to look for a magic amount. It is more accurate for your budget. And more useful for reducing risk.

What you really pay after an attack

The ransom gets attention, but it is often only one line among others. Verizon reported in its DBIR 2026 a median ransomware payment of around $139,875, with 69 % of victims not paying. That does not mean that not paying costs zero. It means that you still need to fund recovery.

The main cost items are fairly consistent. First of all, digital investigation: understanding the point of entry, isolating the machines, checking whether data was copied. Then reconstruction: servers, workstations, Microsoft 365 or Google Workspace accounts, website, ERP, CRM, shared files. Add legal fees if personal data is involved, because the GDPR requires an assessment and sometimes notification to the CNIL within 72 hours.

A common trap: counting only the IT intervention. Yet the most painful cost is often business interruption. If your sales team loses five days of access to the CRM, if invoicing stops, or if the e-commerce site goes down, the loss quickly exceeds the provider’s bill.


On the projects we handle, we often see an underestimation of the time needed to restore access: email, two-factor authentication, user rights, business connectors. These are details that are barely visible before a crisis. During a crisis, they are what block the return to work.

Realistic ranges for a French SMB

The amounts below do not replace an audit. They provide a decision-making framework. An SMB with 15 people, a file server, and Microsoft 365 does not face the same risk as a company with 180 employees, production, ERP, VPN, and several sites.

| 2026 scenario | Example situation | Common impact duration | Budget to plan for, excluding ransom |
| --- | --- | --- | --- |
| Contained incident | A few workstations affected, healthy backups, no confirmed exfiltration | 1 to 3 days | Around €8,000 to €30,000 |
| Partially shut down SME | Encrypted file server or business application server, gradual recovery | 1 to 2 weeks | Around €40,000 to €150,000 |
| Severe crisis | Compromised Active Directory, questionable backups, sensitive data exposed | 2 to 6 weeks | €150,000 to several hundred thousand euros |
| Observed international case | Studies of large organizations, broad recovery costs | Variable | Sophos 2025: $1.53 million average recovery cost, excluding ransom |

Honestly, for a French SME, announcing “several million” upfront without context is of limited use. But assuming that ransomware will cost only the price of IT troubleshooting is dangerous. Between €50,000 and €120,000 for a moderate case with two weeks of partial disruption, the French commercial estimates published in 2026 remain plausible, even if not all of them are verified by primary sources.

The real budget question then becomes: how much should be invested beforehand to avoid this scenario? At that budget level, it is often better to fund properly isolated backups, security monitoring, and a tested recovery plan rather than piling up tools that no one manages.

The factors that drive the bill up sharply

The first factor is downtime. A consulting firm can sometimes operate in degraded mode with phones, spreadsheets, and restored email. An industrial SME blocked by its ERP or production workstations does not have that flexibility. Same technical outage, different economic impact.

The second factor is backup quality. A backup is only worthwhile if it can be restored. Veeam indicated in 2026 that 90 % of respondents said they were confident in their recovery, but less than one third of ransomware victims fully recovered their data; ITPro reported a 28 % full-restoration rate and 72 % of data recovered on average. The gap between confidence and proof is costly.

Another accelerator: digital identity. If Active Directory or administrator accounts are compromised, reinstalling a server is not enough. Sometimes rights must be rebuilt, passwords reset, cloud access verified, and the persistent backdoors left by the attacker closed.

Other aggravating factors recur from one incident to the next:

  • Backups permanently connected to the network, therefore encryptable by the attacker.
  • Lack of multi-factor authentication, meaning an additional verification after the password.
  • Security patches applied too late on VPN, firewall, CMS, or WordPress plugins.
  • Unclear hosting contracts regarding restoration, technical logs, and response times.
  • Personal data not mapped, which complicates GDPR analysis in the middle of a crisis.

Public vulnerabilities remain a sensitive issue. Verizon’s 2026 DBIR reports median remediation times of around 43 days in related analyses, which leaves a comfortable window for attackers. Issues involving exposed firewalls, such as vulnerabilities affecting certain Fortinet devices, are a reminder of why security monitoring must be tied to concrete actions, not just a simple technical bulletin; on this point, a useful example is the analysis of risks related to exposed Fortinet firewalls.

To pay or not to pay: the financial trade-off is not so simple

Paying a ransom may seem rational if each day of downtime is costly. However, payment guarantees neither full recovery, nor the absence of data leaks, nor that it will not happen again. It can also raise legal and insurance-related questions, particularly if the intermediary or beneficiary is subject to sanctions.

Coveware by Veeam noted for the first quarter of 2026 an increase in the average payment to around $680,000, while the median was falling. This reflects a classic phenomenon: a few very large payments drive up the average. For an SMB, the Verizon median of around $139,875 provides a clearer indication, without constituting a direct French benchmark.

The decision is made with the cyber insurer, legal counsel, incident response experts, and sometimes the authorities. But it should never be plan A. If your backups, procedures, and restoration evidence are solid, you gain essential freedom: the ability to refuse.

One case where the obvious solution is the wrong one: restoring too quickly. If systems are brought back online without understanding the initial access, the attacker can return through the same account, the same VPN, or the same compromised plugin. Better to lose a few hours of analysis than two weeks to a relapse.

Reducing the cost before the attack: the measures that really change the budget

Cybersecurity that is truly useful for SMBs is not necessarily spectacular. It is based on verifiable measures. 3-2-1 backups, for example: three copies, two different media, one offline or immutable copy, meaning it cannot be modified for a defined period. OVHcloud, Scaleway, AWS, Microsoft Azure, or NAS appliances can fit into a proper strategy, provided that restoration is tested.
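The two checks that matter in the backup discussion above, the 3-2-1 rule and proof that a restore actually works, can both be turned into a routine drill rather than an assumption. The script below is an added example written for this article, not code from the original page or from any of the vendors named; it uses only the Python standard library, and the backup inventory, file contents and paths it works on are constructed for the demonstration. It snapshots a manifest of SHA-256 hashes before the backup, backs the share up to a tar archive, restores it to a separate directory and compares the result against the manifest, so a missing, altered or stray file is reported instead of being discovered on the day of the incident.

```python
"""Backup drill: check an inventory against the 3-2-1 rule and prove a backup
can be restored. Added example, not from the original article; the inventory
and sample files below are constructed for the demo. Standard library only."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed inventory of where copies of the file share live (hypothetical).
SAMPLE_INVENTORY = [
    {"name": "production file server", "medium": "disk", "offline_or_immutable": False},
    {"name": "NAS in the office", "medium": "disk", "offline_or_immutable": False},
    {"name": "object storage bucket", "medium": "cloud", "offline_or_immutable": True},
]

def check_321(inventory):
    """3-2-1: at least three copies, two media types, one offline or immutable."""
    copies = len(inventory)
    media = {c["medium"] for c in inventory}
    protected = sum(1 for c in inventory if c["offline_or_immutable"])
    return {
        "copies": copies,
        "media_types": len(media),
        "offline_or_immutable": protected,
        "compliant": copies >= 3 and len(media) >= 2 and protected >= 1,
    }

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def create_backup(src, archive):
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")

def restore_backup(archive, dest):
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):   # safe extraction filter, Python 3.12+ and backports
            tar.extractall(str(dest), filter="data")
        else:
            tar.extractall(str(dest))

def verify_tree(root, manifest):
    """Compare a restored tree against the manifest taken before the backup."""
    problems = []
    actual = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append((rel, "missing after restore"))
        elif actual[rel] != digest:
            problems.append((rel, "content differs from original"))
    for rel in actual:
        if rel not in manifest:
            problems.append((rel, "unexpected file in restore"))
    return sorted(problems)

# Constructed file contents standing in for a small company share.
SAMPLE_FILES = {
    "finance/invoices-2026.csv": "id,customer,amount\n1,ACME,1200\n",
    "crm/contacts.txt": "alice@example.com\nbob@example.com\n",
    "docs/procedure.md": "# Restore procedure\n1. isolate\n2. restore\n3. verify\n",
}

def write_sample_files(root):
    for rel, content in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")

def run_restore_test(tamper=False):
    """Full drill: manifest, backup, restore elsewhere, verify.
    With tamper=True one restored file is altered to show the check catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "share"
        write_sample_files(src)
        manifest = build_manifest(src)
        archive = Path(work) / "share.tar.gz"
        create_backup(src, archive)
        dest = Path(work) / "restore"
        dest.mkdir()
        restore_backup(archive, dest)
        if tamper:
            (dest / "crm" / "contacts.txt").write_text("corrupted\n", encoding="utf-8")
        return verify_tree(dest, manifest)

if __name__ == "__main__":
    print("3-2-1 check:", check_321(SAMPLE_INVENTORY))
    print("restore problems (clean):", run_restore_test())
    print("restore problems (tampered):", run_restore_test(tamper=True))
```

In a real drill the manifest would be stored alongside the offline or immutable copy, and the restore would target a machine that is not the production server, so that the verification result is evidence that can be shown to an insurer or auditor rather than a statement of confidence.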

Email also deserves special attention. Many attacks begin with a phishing email, a fake document share, or a reused password. The choice and configuration of your collaboration tools matter: account security, MFA, access rights, log retention. To frame this topic from the usage side, you can compare approaches in this guide on Microsoft 365 and Google Workspace in business.


Your website and applications are not separate. An unmaintained WordPress, an abandoned plugin, an exposed admin interface, or hosting without monitoring can serve as an entry point or a source of leverage. Recent obligations, in particular NIS2 since October 2024 for the organizations concerned and their subcontracting chains, encourage better risk documentation; a practical reminder is available on the impacts of NIS2 on a WordPress site.

From the agency side, the instinct is to translate these measures into budget priorities: what reduces the immediate risk, what reduces downtime, then what improves compliance. To better understand the basic threats without excessive technical vocabulary, a look at the main families of malware often helps management teams ask the right questions.

Framing this type of risk upstream avoids most unpleasant surprises: hosting architecture, backups, application maintenance, administrator access, and recovery procedures are easier to discuss before the incident than on a Friday evening, with the server encrypted and clients waiting.

FAQ on the cost of ransomware for an SMB

How much does a ransomware attack cost an SME in France?

There is no reliable French average specifically for SMEs. A limited incident can remain under a few tens of thousands of euros, while a crisis involving business interruption, complex restoration, and exposed data can exceed €100,000.

Is the ransom the main cost of a ransomware attack?

Not always. Business interruption, technical experts, system reconstruction, legal, communication, and commercial losses can cost more than the ransom itself.

Does cyber insurance reimburse ransomware?

It all depends on the contract, the exclusions, and the required security measures. Insurers often require MFA, backups, updates, and proof of best practices before providing compensation directly.

How long does it take to recover from ransomware?

With tested backups and a limited scope, a few days may be enough. If the directory, business servers, or backups are compromised, recovery can take several weeks.

Should the CNIL be notified after a ransomware attack?

If personal data may have been accessed, copied, or made unavailable with a risk to individuals, a GDPR analysis is required. Notification to the CNIL may be necessary within 72 hours.
