Ransomware Cost Calculator

Estimate the full cost of a ransomware incident — not just the ransom. Enter the demand, how many days you would be down, your revenue per day and how much of it you would actually lose, plus recovery and notification costs. The tool shows the total with paying the ransom and without, so you can see exactly what the ransom adds — and that downtime, recovery and notification apply either way. Numbers update as you type. This is a planning estimate, not incident-response or legal advice. See sources; every figure is editable.

If you pay the ransom: $416,000 — versus $216,000 if you do not pay. The ransom adds $200,000; everything else applies either way.
Total (paying): $416,000
Total (not paying): $216,000
Downtime cost: $96,000

Where the cost goes — and what the ransom changes

Component                                     If you pay   If you don't pay
Ransom                                          $200,000                 $0
Downtime (days × revenue/day × disruption)       $96,000            $96,000
Recovery (rebuild & restore)                     $80,000            $80,000
Notification                                     $40,000            $40,000
Total                                           $416,000           $216,000

Paying the ransom is an additional outlay. It does not remove the downtime, recovery or notification costs, and it carries no guarantee that data is restored cleanly.

Formula.
Total = ransom + (downtime days × revenue/day × disruption) + recovery + notification
Without paying = same, with ransom set to $0
Default (paying): $200,000 + (8 × $20,000 × 0.6) + $80,000 + $40,000 = $416,000

How it works

A ransomware incident is widely — and wrongly — discussed in terms of the ransom alone. The headline a board hears is "they demanded $200,000", but that figure is usually the smallest part of the bill. This calculator builds the total from four components, only one of which is the ransom, so the real shape of the cost is visible. The other three — downtime, recovery and notification — are incurred whether or not you pay, which is why the tool deliberately shows both totals side by side.

The largest line item for most businesses is downtime. While systems are encrypted you cannot trade normally, and the cost is the revenue you lose for each day you are down. We model it as days × revenue-per-day × a disruption factor between 0 and 1. The disruption factor matters because an outage rarely costs you 100% of revenue: some orders defer rather than vanish, some work continues on paper, and some sales are recovered once you are back. A factor of 0.6, the default, says you lose 60% of daily revenue per day down — for 8 days at $20,000/day that is $96,000. If an outage halts you completely, push the factor toward 1.0; if you can keep trading partially, lower it. For a more detailed treatment of business interruption, the dedicated downtime cost calculator works in revenue-per-hour and a productivity factor.

Recovery is the cost of getting back to normal: rebuilding servers, restoring from backups, validating that systems are clean, paying incident-response specialists and replacing any hardware that has to be retired. Notification applies when personal data was exposed — increasingly common, because modern ransomware crews exfiltrate data before encrypting it and threaten to leak it. In that case the incident is also a data breach, and you owe the affected individuals and regulators the notices required by law; the breach-notification cost calculator sizes that line precisely from your record count. Both of these costs land regardless of the ransom decision, which is the whole point of separating them out.

Then there is the ransom itself. Paying it is an additional outlay on top of everything above — it does not shorten the downtime you have already suffered, it does not pay for the rebuild, and it does not discharge your notification duties. It may, if the attacker cooperates, speed restoration; but decryptors are often slow or incomplete, and paying funds and emboldens the criminal ecosystem. Law-enforcement guidance generally discourages payment, and the most reliable way to avoid the choice altogether is tested, isolated backups, which let you restore without a key. This tool takes no position on whether to pay — it simply puts an honest number on each path so the decision is made with eyes open.

A worked example

Consider a small business hit by ransomware. The attackers demand $200,000. The owner estimates 8 days to recover, normal revenue of $20,000/day, and reckons they would lose about 60% of that per day while down. The IT team budgets $80,000 to rebuild and restore, and because customer data was copied by the attackers, breach notification will cost about $40,000.

  • Downtime = 8 × $20,000 × 0.6 = $96,000
  • Costs that apply either way = downtime + recovery + notification = $96,000 + $80,000 + $40,000 = $216,000
  • Total if they do not pay = $216,000
  • Total if they pay = $216,000 + $200,000 ransom = $416,000

The lesson is stark: even refusing the ransom, this incident costs $216,000, and paying lifts it to $416,000 with no guarantee of a clean restore. The cheapest variable to move is almost always downtime — faster recovery (often through tested backups) shrinks the single biggest component. To weigh the cost of an insurance policy against retaining this risk yourself, use the cyber insurance calculator; to model business interruption in more detail, use the cost of downtime calculator.
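As an added illustration (not the page's own tool code), the following Python implements the formula and the worked example above for both paths, rejects a disruption factor outside 0..1, and goes one step beyond the page by computing how many days of downtime would cost as much as the ransom demand. The field names are assumptions chosen for readability.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RansomwareInputs:
    """The five inputs the calculator asks for (names are assumed, not the page's)."""
    ransom: float           # demand in dollars
    downtime_days: float    # days until systems are back
    revenue_per_day: float  # normal daily revenue
    disruption: float       # fraction of daily revenue actually lost, 0..1
    recovery: float         # rebuild, restore, validation, IR specialists
    notification: float     # breach-notification cost if personal data was exposed


def downtime_cost(i: RansomwareInputs) -> float:
    """days × revenue/day × disruption, with the factor range enforced."""
    if not 0.0 <= i.disruption <= 1.0:
        raise ValueError("disruption factor must be between 0 and 1")
    return i.downtime_days * i.revenue_per_day * i.disruption


def cost_breakdown(i: RansomwareInputs) -> dict:
    """Component table for both paths; everything but the ransom applies either way."""
    either_way = downtime_cost(i) + i.recovery + i.notification
    return {
        "downtime": downtime_cost(i),
        "recovery": i.recovery,
        "notification": i.notification,
        "total_not_paying": either_way,
        "total_paying": either_way + i.ransom,
    }


def days_equal_to_ransom(i: RansomwareInputs) -> float:
    """Downtime days whose lost revenue equals the ransom demand.

    A planning figure: if tested backups can cut recovery by this many days,
    they are worth as much as the ransom itself (beyond the page's own table).
    """
    lost_per_day = i.revenue_per_day * i.disruption
    return i.ransom / lost_per_day if lost_per_day else float("inf")


if __name__ == "__main__":
    # Constructed sample: the page's default SMB profile.
    defaults = RansomwareInputs(200_000, 8, 20_000, 0.6, 80_000, 40_000)
    for name, value in cost_breakdown(defaults).items():
        print(f"{name:<18} ${value:>12,.0f}")
    print(f"days of downtime equal to ransom: {days_equal_to_ransom(defaults):.1f}")
```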

Frequently asked questions

How much does a ransomware attack cost a business?

Far more than the ransom itself. For the default SMB profile here — a $200,000 demand, 8 days of downtime at $20,000/day, plus recovery and notification — the total comes to $416,000 if you pay and $216,000 if you do not. Downtime alone accounts for $96,000. Adjust every figure above to match your situation.

Should I pay the ransom?

This calculator does not advise paying or not paying — it just shows the cost both ways so you can see what the ransom buys (and does not). Paying does not remove the downtime, recovery or notification costs, which still apply; it is an additional outlay, often with no guarantee of clean data restoration. Law-enforcement guidance generally discourages payment, and tested, isolated backups are what usually let a business recover without it. Treat this as a planning estimate, not legal or incident-response advice.

Why is the cost without paying still so high?

Because the ransom is rarely the biggest line item. Even if you refuse to pay, you still lose revenue during downtime, you still pay to rebuild and restore systems (recovery), and you still owe breach-notification costs if personal data was exposed. For the default profile those non-ransom costs are $216,000 on their own.

What is the disruption factor?

It is the fraction of normal revenue you actually lose per day of downtime — rarely 100%. Some sales defer rather than disappear, some operations continue manually, and some revenue is recovered later. A factor of 0.6 means you lose 60% of daily revenue for each day systems are down. Lower it if you can keep trading partially, raise it toward 1.0 if an outage halts you completely.

How current are these benchmarks?

The default values are illustrative SMB figures, not a fixed dataset — every input is editable. The supporting cost-component and downtime methodology was verified on Jun 25, 2026 against IBM/Ponemon and Verizon DBIR analysis; see the sources page.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.