Most Canadian business owners ask the wrong question after a ransomware attack. They ask what the ransom will be. The ransom is rarely the biggest number. The downtime is.
Fusion Computing has helped Canadian companies clean up incidents where the ransom demand sat near CA$180,000 and the amount eventually paid was zero, because the real damage, and the real spend, live in the days the business cannot operate.
This benchmark pulls the credible 2025 figures together and sets them against what we actually see at 10- to 150-employee companies in Canada. The headline numbers from IBM, Sophos, and Coveware describe a global and enterprise-heavy population. The lived reality for a 45-person distributor in Mississauga looks different, and that gap is the whole point.
How much does a ransomware attack cost a Canadian small business in 2026?
A serious ransomware incident at a Canadian SMB runs from roughly CA$135,000 to CA$250,000 all in, with the largest share coming from downtime and recovery labour rather than the ransom. IBM’s 2025 Cost of a Data Breach report puts the average Canadian breach at CA$6.98 million, but that figure is weighted by large enterprises. For a sub-150-employee firm, the all-in cost is smaller in dollars and far more concentrated in lost operating days.
Three numbers frame the range. IBM pegs the average global ransomware or extortion incident at US$5.08 million. Sophos, in its 2025 State of Ransomware survey, puts the mean recovery cost excluding any ransom at US$1.53 million, down 44% year over year. Coveware reports an average ransom payment of US$1.13 million with a US$400,000 median in Q2 2025, and only 26% of victims paying at all.
Those are big, enterprise-skewed numbers. The useful translation for a Canadian SMB is the shape, not the size. Whatever the dollar total, most of it is downtime, and most of the downtime is avoidable with controls that cost a fraction of a single incident.
How long does ransomware downtime actually last?
For an unprepared Canadian SMB, ransomware downtime typically runs one to three weeks before full production returns. Sophos found that only about half of affected organizations recovered within a week in 2025, and that 54% restored from backups, a six-year low. The companies that recover in days rather than weeks share one trait. Their backups were immutable and tested before the attack, not after.
Here is the difference in practice. When Fusion Computing responded to a ransomware foothold at a Mississauga industrial-supply distributor, the company was back in full production in about 62 hours. Detection landed Friday at 5:47 PM. Monday at 8:00 AM, the warehouse was shipping. That timeline beats the Sophos benchmark because the recovery path was rehearsed, not improvised.
The clients who recover fast are not the ones with the biggest security budget. They are the ones who tested a restore in the last 90 days and knew it worked. Fusion Computing treats the untested backup as the single most expensive line item a business does not know it owns.
Where does the money actually go in a ransomware incident?
In a typical Canadian SMB incident, lost productivity and downtime are the largest cost line, ahead of recovery labour, regulatory and legal work, customer churn, and the ransom itself. When backups hold, the ransom line can be zero. The downtime line never is. A business that bills CA$50,000 a day loses that whether or not a single byte is encrypted.
The cost anatomy stacks up in a predictable order. Downtime and idle staff come first. Incident response and rebuild labour come second. Then breach notification and legal review, which in Canada means PIPEDA’s real-risk-of-significant-harm reporting and, in Quebec, Law 25. Customer churn and reputational repair trail behind, and they last the longest. The ransom, when paid, is often the smallest piece.
What makes ransomware recovery faster and cheaper?
Three controls do most of the work of cutting recovery cost: immutable backups that are tested monthly, endpoint detection and response paired with a 24/7 SOC, and an incident response plan that has been run as a tabletop. Each maps to CIS Controls v8.1, and each one shortens the recovery clock measurably.
The Mississauga case shows why the SOC matters. Fusion Computing isolated the first compromised endpoint about three minutes after the alert fired. That speed stopped a two-endpoint foothold from becoming full-environment encryption. The backups, air-gapped and verified every month, were never reached. The demand was roughly CA$180,000. The amount paid was CA$0, with zero data loss.
- Tested immutable backups. Sophos shows backup restoration at a six-year low, yet 97% of organizations that lost data eventually recovered it. The deciding factor is whether the restore was proven before the attack.
- EDR plus a 24/7 SOC. Containment speed decides blast radius. Minutes of isolation save weeks of rebuild.
- A rehearsed IR plan. The first hour of an incident is not the time to discover who calls the insurer, the privacy commissioner, or the bank.
Should you pay the ransom?
Paying does not buy fast recovery, and most Canadian victims do not pay. Coveware reports that only 26% of organizations paid in Q2 2025. Statistics Canada found that 88% of Canadian businesses hit by ransomware did not pay.
One caution on the data. CIRA’s 2025 survey of security professionals at larger, more mature organizations found 74% paying, so the two figures describe different populations and should not be blended. The throughline holds either way: a decryptor is slow, partial, and legally fraught.
| Factor | Pay the ransom | Restore from tested backups |
|---|---|---|
| Speed | Slow. Decryptors are buggy and partial. | Fast when the restore was rehearsed. |
| Data integrity | No guarantee. Some files never decrypt. | Clean, known-good copy. |
| Repeat risk | Marks you as a payer. | Closes the door the attacker used. |
| Legal exposure | Sanctions and CASL or PIPEDA risk. | Cleaner reporting position. |
What does ransomware cost by company size and sector in Canada?
Cost scales with revenue per hour and data sensitivity, not headcount alone. Statistics Canada found 16% of Canadian businesses hit by a cyber incident, rising to 30% of large firms, and CIRA reports 24% of organizations hit by ransomware in the past year. A 10-employee professional-services firm and a 120-employee manufacturer face very different downtime costs because their revenue per hour and their regulatory load differ.
This is where the objection we hear most often falls apart. A 25-seat Canadian firm that takes a direct ransomware hit averages roughly CA$180,000 to CA$240,000 in direct cost, based on the incidents Fusion Computing has helped non-clients clean up, plus 14 to 21 days of lost productivity.
A right-sized managed program for that firm runs a few thousand dollars a month. One prevented incident pays for years of the program, and we have not seen a client go five years without an attempted one.
Sector matters on top of size. Healthcare carries PHIPA breach duties, legal firms carry confidentiality and Law Society obligations, and regulated finance carries OSFI expectations. Each adds notification and review cost that a general contractor does not face. Fusion Computing maps those obligations per client before an incident, so the recovery does not stall on a question nobody prepared for.
The number worth tracking is not the monthly fee. It’s the cost of the first incident the program prevents, and in Canada that first incident is no longer a remote risk.
Why Canadian firms bring this work to Fusion Computing
Fusion Computing is CISSP-led, a Microsoft Solutions Partner and a CompTIA Managed Services Trustmark holder, and has secured IT for Canadian SMBs across Toronto, Hamilton, and Metro Vancouver since 2012.
Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.
Frequently Asked Questions
Does cyber insurance cover ransomware recovery costs in Canada?
Sometimes, and increasingly with conditions. Most Canadian cyber insurers now require multi-factor authentication, endpoint detection and response, and tested backups before they will bind a policy or pay a claim. Carriers have denied claims where those controls were missing. Treat insurance as a backstop for a funded recovery plan, not a replacement for one.
Do you have to report a ransomware attack in Canada?
Often yes. PIPEDA requires reporting any breach that poses a real risk of significant harm to the Office of the Privacy Commissioner and to affected individuals, plus keeping records of every breach. Quebec’s Law 25 adds its own notification duties, and PHIPA governs health information in Ontario. The clock starts when you become aware.
What is the average ransomware payment in 2025?
Coveware reported an average ransom payment of US$1.13 million and a median of US$400,000 in the second quarter of 2025, with only 26% of victims choosing to pay. The average is pulled upward by a few very large demands, so the median better reflects what a typical Canadian SMB would face.
Can you recover from ransomware without paying the ransom?
Yes, and most Canadian victims do. Statistics Canada found that 88% of Canadian businesses hit by ransomware did not pay, and Sophos reports that 97% of organizations that lost data eventually got it back, usually from backups. The deciding factor is whether your backups are immutable and were tested before the attack.
Is it legal to pay a ransomware ransom in Canada?
Paying a ransom is legal in Canada in most cases, yet it carries real risk. Sending funds to an entity on a Canadian or US sanctions list can expose your business to penalties, and payment marks you as a willing target for repeat attacks. Most incident-response counsel advises exhausting backup recovery before any payment is even considered.
If you pay the ransom, do you get all your data back?
Rarely all of it. Attacker-supplied decryptors are slow, buggy, and frequently fail on a portion of files. Data from Sophos and Coveware shows that paying does not guarantee full or fast recovery, which is why a tested backup almost always beats a decryption key on both speed and data integrity.
How fast can a managed IT provider restore operations after ransomware?
With immutable backups tested monthly and a 24/7 security operations centre, full restoration can take hours rather than weeks. Fusion Computing returned a 45-employee Mississauga distributor to full production in about 62 hours, from Friday-evening detection to Monday-morning shipping, because the recovery path was rehearsed before the incident rather than improvised during it.
What is the most expensive part of a ransomware attack?
Downtime and lost productivity, not the ransom. A company that bills CA$50,000 a day loses that revenue whether or not a single file is encrypted, and recovery labour follows close behind. When backups hold, the ransom line can be zero while the downtime line never is. That is where the budget belongs first.
How common is ransomware for Canadian small businesses?
Common enough to plan for. Statistics Canada found that 16% of Canadian businesses were hit by a cyber incident in its survey period, rising to 30% of large firms, and CIRA’s 2025 survey found 24% of organizations hit by ransomware in the past year. The risk is no longer rare for a typical SMB.
What single control most reduces ransomware recovery cost?
A tested, immutable backup. Sophos shows backup restoration at a six-year low, yet 97% of organizations that lost data recovered it, and the ones who recovered in days had verified their restore beforehand. Fusion Computing treats the untested backup as the most expensive line item a business does not know it owns.