ToolSec

Ransomware Downtime Cost Calculator

Estimate the total impact of a ransomware attack from downtime, recovery and ransom.

Updated: June 26, 2026

The real cost of ransomware is downtime

When people picture a ransomware attack, they think of the ransom demand. But for most organisations the ransom is a fraction of the total — the dominant cost is downtime: every hour systems are offline, you lose revenue and your staff can't work. Add the cost of recovery (incident response, rebuilding systems, consultants) and the true number is often many times the ransom. This calculator adds those pieces up.

What goes into the estimate

  • Revenue lost per hour — sales, transactions or billable work you can't process while down.
  • Productivity lost per hour — idle staff: affected headcount × their loaded hourly cost.
  • Downtime hours — ransomware recovery commonly runs days, not hours.
  • Recovery cost — incident response, forensics, rebuilding, and hardening.
  • Ransom demand — shown separately, because paying is generally not advised.

Why we separate the ransom

Law enforcement agencies broadly advise against paying ransoms: payment funds criminal operations, marks you as a willing target, and offers no guarantee of a working decryptor — many organisations that pay still can't fully recover. The calculator shows your total impact without the ransom as the headline, and the "if you paid" figure separately, so the trade-off is explicit.

Turning the number into action

A large downtime figure is the strongest argument for investing in prevention and resilience — tested, offline backups, network segmentation, and a rehearsed incident response plan that shortens recovery time. Use the security ROI calculator to compare this potential loss against the cost of those controls, and the breach cost estimator if data was also exfiltrated (modern ransomware usually steals data too).

An estimate, not a quote

Real incidents vary enormously. This tool is a planning aid to size the risk and prioritise resilience spending — not a prediction of any specific attack.

Frequently asked questions

What's usually the biggest cost in a ransomware attack?

Downtime. Lost revenue and lost productivity while systems are offline typically far exceed both the ransom and the technical recovery cost, because recovery often takes days or weeks.

Should we just pay the ransom?

Generally no. Authorities advise against it — payment funds crime, marks you as a target, and doesn't guarantee recovery. Many who pay still can't fully restore. Invest in backups and an IR plan instead.

How do I estimate productivity loss per hour?

Multiply the number of staff who can't work by their fully loaded hourly cost (salary plus overhead). Even partial impairment across a large team adds up fast.

Does this include data breach costs?

Not directly. Modern ransomware often steals data too. If that applies, add the breach impact using our data breach cost estimator.

Build ransomware resilience

The fastest way to cut downtime cost is to recover faster:

  • Immutable / offline backup solution Tested, tamper-proof backups let you restore without paying — the single biggest lever on recovery time.
  • Incident response retainer A pre-arranged IR team gets you back online faster, directly reducing the costly downtime window.

Learn more

Related tools