[STUDY] 12% of Small Businesses Say They’ve Paid a Ransom Demand


Key Findings at a Glance

  • 12% of respondents have received a ransom demand related to their website, email or data — and paid it.
  • 42% are very concerned about ransomware attacks targeting websites.
  • 46% have had their business hit by a cyberattack that exposed data, locked files or took their website offline.
  • 38% say their website has been hacked or infected with malware.
  • 24% say they have never tested their backup and restore process to ensure it actually works.
  • 40.5% would most likely invest in automated website backups if they knew backups would prevent them from having to pay a ransom.

We surveyed 1,000 owners and managers of small businesses (50 or fewer employees) nationwide about website security. What we found: 12% have received a ransom demand related to their website, email, or data — and paid it.

Why does this matter? 

Small businesses represent low-hanging fruit for cybercriminals, making these attacks increasingly common. Our findings reveal how widespread — and costly — the threat has become for everyday business owners, not just large enterprises.

As a web hosting provider that serves thousands of small businesses, DreamHost wanted to understand the real-world impact of these threats and how prepared businesses are to respond. The results point to clear gaps — and actionable solutions — in small business cybersecurity.

Picture a room of a hundred people who run websites: freelancers, store operators, small business owners; folks who just want their site to work. Now count off twelve of them. 

Grid of small business icons with 12 red ones highlighted to show the percentage that have paid a ransom demand.

The data shows that 12 out of every 100 website operators have paid a ransom to regain access to their sites or data. When websites go offline due to cyberattacks, businesses face immediate operational disruptions: inaccessible administrative panels, unfulfilled orders, and locked customer data. 

For many, paying the ransom appears to be the fastest path to restoration, despite low attacker compliance rates.

The concern extends beyond those who have paid. 42% of respondents reported being “very concerned” about ransomware attacks targeting websites, reflecting widespread awareness of the threat landscape. 

The full survey data reveals why that concern is justified — and what businesses can do about it.

Let’s get into it. 

1 in 8 Americans Have Paid a Ransom

Breakdown of responses to ransom-related demands with percentages for paid, didn’t pay, never, and not sure.

That 12% represents businesses at a decision point: pay the ransom or face prolonged downtime.

Each payment reinforces the ransomware business model, validating the tactic and increasing the likelihood that more businesses will face similar demands. 

Ransomware attacks are not limited to large enterprises. Small businesses with accessible online infrastructure face the same threats.

A closer look at those who received ransom demands reveals the role preparedness plays in decision-making.

Of the 28.4% who faced a demand, 41.5% paid the ransom. When facing that moment — site down, data locked, revenue frozen — nearly half choose to pay.

Comparison of ransom responses showing 41.5% paid and 58.5% refused among those who received demands.

On the flip side: 58.5% refused. That’s 6 in 10 businesses who declined to pay. 

The data suggests that businesses with tested backups, recovery protocols, and operational resilience were more likely to refuse payment. Infrastructure preparedness appears to reduce vulnerability to ransom demands.

Businesses that understand their risks and maintain tested backups, secure logins, and automated recovery systems demonstrate lower susceptibility to these attacks.

Nearly Half of Americans are Deeply Worried About Ransomware Threats 

42% of respondents in our survey said they’re “very concerned” about the rising threat of ransomware attacks targeting websites. Combining those who are “very concerned” with those who are “somewhat concerned,” 84.6% of respondents see ransomware as a legitimate threat.

The website is the business — the storefront, the pipeline, the hub. Disruption to access can directly impact business operations. 

Pie chart showing concern levels about ransomware attacks: 42.2% very concerned, 42.4% somewhat concerned, 11.9% not very concerned, 3.5% not concerned.

This apprehension reflects a broader shift: ransomware has expanded beyond large enterprises to target small businesses.

High-profile breaches illustrate the scope of the threat. 

When AT&T experienced a breach affecting 73 million current and former customers — including their Social Security numbers, birth dates, and names — the company faced a $177 million settlement. The breach, dating back to 2019, was only acknowledged after customer data appeared on the dark web.

If organizations with dedicated security teams experience breaches of this scale, small businesses face similar vulnerabilities without comparable resources for proactive protection.

The writing’s on the wall: neglect invites exposure.

Our survey data shows that many business owners recognize common security weaknesses: outdated plugins, weak passwords, and neglected CMS updates. This awareness is driving increased attention to cybersecurity practices among small businesses.

Nearly Half of Businesses Have Already Been Hacked

That widespread concern isn’t unfounded. 46% of our respondents have already experienced a cyberattack, resulting in exposed data, encrypted files, or complete site shutdowns.

Graphic showing 45.9% of SMB websites have been hit by a cyberattack and 54.1% have not.

For 38% of respondents, those attacks came in the form of everyday breaches that rarely make headlines but can lead to:

  • Compromised logins
  • Infected plugins
  • SEO spam redirects
  • Suspended domains

Each can mean lost revenue from downtime, damaged search rankings, and eroded customer trust — problems that compound quickly for small businesses operating on thin margins.

Four of ten laptop icons highlighted to show 4 in 10 Americans have experienced a website hack or malware infection.

Malware infections, in particular, can spread quickly through outdated plugins and themes, and for 14% of those who’ve been hacked, it’s not a one-time event — they’ve experienced multiple attacks.

The data shows that relying on a web host’s built-in security isn’t enough, and the cost of recovery far exceeds the cost of prevention. Yet many continue operating with the same vulnerabilities that got them breached in the first place — ignoring updates, skipping security audits, and using weak credentials.

These incidents often serve as precursors to larger ransomware events. Many website owners approach cybersecurity reactively rather than proactively.

1 in 4 Americans Never Test Their Website Backups

One in four Americans haven’t tested whether their backups work, shown with bold blue text on a dark starry background.

Even after being hacked or seeing peers experience data loss, many businesses still haven’t verified that their website backups actually work. Nearly one in four respondents (24%) reported they’ve never tested their backup and restore process.

That gap between having a plan and having a plan that works is where minor crises become major business disruptions. 

Many owners assume “auto-backup” means “auto-recovery.” 

It doesn’t. 

Backups can fail silently or become corrupted. Testing a backup takes less than 15 minutes and could be the difference between a brief inconvenience and weeks of downtime.

40% of Americans Would Pay for Backups To Avoid Paying Hackers

There is a positive trend in the data: 40% of respondents said they’d be most likely to invest in automated website backups if it meant they could avoid paying a ransom.

Bar chart showing reasons to invest in automated website backups, led by avoiding ransom at 40.5%, followed by cost, risk, and other factors.

This represents a shift toward prevention as a financial decision. Nearly a quarter of respondents cited cost or complexity as the barrier keeping them from backup solutions. However, automated backups cost significantly less than recovery from a data breach.

4.6% said they’d never invest in backups at all. These businesses remain vulnerable to ransomware attacks.

The average total cost for a small business to respond to and recover from a data breach can range from $120,000 to $1.24 million.

When a site can be restored in minutes, ransom demands lose their effectiveness. The faster recovery happens, the less leverage attackers have. This positions backup tools as essential infrastructure. If a site can be restored quickly, attackers lose their primary bargaining tools: time and access.

Summary 

Nearly half of small businesses have already experienced a cyberattack. This widespread threat is driving a shift in how businesses approach cybersecurity: awareness is now high, and website owners increasingly view cybersecurity as continuity planning, not just technical cost.

The path forward is clear. Resilience is built with disciplined preparation: rigorously tested backups, tools that automate defense, and a commitment to digital preparedness.

The most effective defense is quick response and recovery capability.

Businesses that prepare in advance face significantly lower risk when attacks occur.

Methodology

This article is based on a nationwide survey conducted in October 2025, in which we collected responses from 1,000 Americans to better understand their experiences and concerns related to website security and cyber threats. The survey specifically targeted individuals who own or manage businesses with 50 or fewer employees, ensuring the data reflects the unique challenges and realities faced by small business operators. 

Participants represented a diverse cross-section of industries and professional backgrounds, offering a well-rounded snapshot of public sentiment and real-world impacts. Respondents were asked a series of questions about ransomware, website breaches, data protection practices, and incident response, providing valuable insights into the current state of cybersecurity awareness and preparedness among small business owners in the U.S.

Fair Use

Users are welcome to use the insights and findings from this study for non-commercial purposes, such as academic research, educational presentations, and personal reference. When referencing or citing this article, please ensure proper attribution to maintain the integrity of the research. Direct linking to this article is permissible, and access to the original source of information is encouraged.

For commercial use or publication purposes — including but not limited to media outlets, websites, and promotional materials — please contact our Corporate Communications team for permission and licensing details. 

We appreciate your respect for intellectual property rights and adherence to ethical citation practices. Thank you for your interest in our research.

Brett’s the VP of Corporate Communications at DreamHost and definitely not a robot. He tweets as @TremendousValue and it’s not great.


