What do gas shortages, unpaid health insurance claims, and inoperable slot machines have in common?

Each was the indirect result of a ransomware attack. 

No other digital crime has forced us to reckon with the aftershocks of digital dependencies like ransomware, the most costly and disruptive of all cyber incidents.

And it’s not just large corporations with a target on their back: 82% of ransomware attacks are on small and midsize businesses (SMBs). That’s hundreds of thousands of ransomware cases you’ve (probably) never heard of.

Without the right protection in place, one unpatched vulnerability or stolen password can result in lasting fiscal and reputational damage. Below, with findings from Coalition’s 2025 Cyber Claims Report and Cyber Threat Index 2025, we’ll explore how the ripples of a single cybersecurity breach extend far beyond the initial compromise — and what that means for your business’s bottom line.

Getting a foot in the door 

Ransomware is a type of malicious software that encrypts a business’s data or systems, rendering them inaccessible until a ransom is paid to obtain a decryption key. Threat actors rely on tried-and-true tactics to deploy ransomware to encrypt and exfiltrate data as quickly as possible for profit. 

They often target the same exploitable technologies and gain network access by forcing their way inside, whether through software vulnerabilities, stolen employee logins, or social engineering. 

Exploitable technologies

Threat actors regularly exploit technologies that are highly common among SMBs, like virtual private networks (VPNs), remote desktop software, and email. 

VPNs and firewalls collectively accounted for 58% of all ransomware claims in 2024. Well-intentioned businesses turn to these technologies to provide secure remote access to internal systems and to block malicious connections. But that same access can be weaponized by threat actors when boundary devices aren’t secured with up-to-date software and multi-factor authentication (MFA). 

Compromised credentials 

Compromised credentials, which typically refer to username and passwords that have been stolen, exposed, or otherwise obtained by cyber criminals, accounted for 47% of all ransomware claims in 2024.

Credentials provide threat actors with a direct route to infiltrate systems and access sensitive data. Without security measures in place to flag suspicious logins, threat actors can leverage an employee’s credentials to essentially walk through your business’s virtual front door.

Vulnerabilities

Just over 40,000 vulnerabilities were published in 2024, a 38% increase from 2023. Threat actors had over 3,000 vulnerabilities each month to use as an entry point for attacks.

The year-over-year surge in vulnerabilities illustrates the need for speed and efficiency in how businesses patch vulnerable software and prioritize the critical issues. SMBs can’t expect to address thousands of vulnerabilities every month, which is why many seek guidance on the threats that present the greatest potential for financial loss.

Paying the ransom (or not)

Ransomware actors often establish a foothold in your business’s network to map out your digital environment and move laterally from one system to another, looking for sensitive data.

Cyber criminals may take months gathering information before deploying ransomware. But once it spreads across your systems, it doesn’t take long for critical applications to stop working. At this point, you’ll likely find the ransom note. In 2024, the average ransom demand was $1.1 million. 

If critical systems are down due to an attack and a business is unable to restore data from backups, they may decide to purchase a decryptor tool specific to the ransomware variant to restore data and “return to normal” as quickly as possible. 

Despite most businesses having some form of backups, ransomware attacks can stress test how viable they are. For example, do you have all the data you need to get up and running? If threat actors target your backups, do you have offsite or immutable data elsewhere?

Among Coalition policyholders, 44% paid the ransom when deemed reasonable and necessary.  

Alternatively, businesses may decide to pay to get ransomware actors to delete stolen information to avoid having sensitive data posted on leak sites, regain access to encrypted data, and minimize business interruption. Of course, it’s important to remember there’s no honor among thieves — and threat actors don’t always do what they promise. 

The negotiation process can be quick, especially if a business is ready to pay. But if they want to negotiate a lower ransom or get the threat actor to prove what data they have, back and forth communications can last for multiple weeks.

The decision is never made lightly. Among Coalition policyholders, 44% paid the ransom when deemed reasonable and necessary.  

In cases where a Coalition policyholder has opted to pay the ransom, Coalition Incident Response (CIR) was retained to directly engage the threat actor and, on average, successfully negotiated a 60% reduction in payment based on the initial demand.

Financial impact: More than just ransom payments

In 2024, the average ransomware attack cost $292,000. Contrary to popular belief, not all of these losses are tied directly to ransom payments.

It’s not back to business as usual even if a ransom is paid. Ahead, there’s still the decryption process, legal proceedings, and customer notification, for example. All of these additional costs contribute to the high severity of ransomware cases: 

Average business interruption loss: $102,000

Imagine a retailer without access to critical systems. They can’t process orders, access customer information, or make shipments. Depending on the scale of the attack, operations can come to a complete standstill. 

When a business has thousands of endpoints, downstream customers, or complete digital dependencies, losses can skyrocket due to extended downtime. 

Average digital asset restoration cost: $18,000

Digital asset restoration is the process of recovering or recreating all of the information lost as a result of the attack.

Depending on the extent of the loss, full restoration can take anywhere from a few days to several months. Whether you gain access to a decryptor or restore from backups, it can still take significant effort to get all of your business’s data back as it was. 

Average forensic vendor cost: $58,000

Digital forensics involves the collection, analysis, and preservation of electronic evidence. Through an investigation, vendors are able to determine how malware entered the network and provide actionable advice for businesses to limit their exposure in the future. 

How MDR plays a role in prevention

SMBs make attractive targets for threat actors because they often lack the resources of their larger peers. With small or non-existent security teams and little budget dedicated to cybersecurity, small businesses look like an easy target for opportunistic cyber criminals.

Managed detection and response (MDR) provides 24/7 security expertise without any additional headcount. By monitoring your network activity and applying behavioral analytics, MDR can identify suspicious activity in real-time. 

Businesses with MDR respond 50% faster on average, dramatically minimizing the impact of a cyber attack.

If a ransomware indicator is detected, MDR triggers an automated response, enabling security teams to stop the spread before it’s too late. Businesses with MDR respond 50% faster on average, dramatically minimizing the impact of a cyber attack.

As long as they are profitable, ransomware attacks will persist. And SMBs are far from immune. But with proper security measures, you can significantly reduce the likelihood and severity of an attack to your business. You might just need the right security expert on your side.

PREVENT MORE CYBER INCIDENTS. RESPOND FASTER.

Round-The-Clock Threat Detection & Response 

See how Coalition MDR works for your business >

Coalition Insurance Solutions, Inc., an affiliate of Coalition, Inc., is a licensed insurance producer and surplus lines broker (Cal. license # 0L76155), acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company a licensed insurance underwriter (NAIC # 29530). See license and disclaimers. Coalition Incident Response, Inc. dba Coalition SecurityTM an affiliate of Coalition Inc., provides security products and services, including incident response and MDR, globally. Incident response services are provided to Coalition policyholders as an option via Coalition’s Panel Provider List. Coalition Security does not provide insurance products and products and services may not be available in all countries and jurisdictions. Non-insurance products and services may be provided by independent third parties and may require separate payment. 

Coalition is the marketing name for the global operations of affiliates of Coalition, Inc.

This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. The reader is cautioned to consult independent professional advisers and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability based on any legal theory or in any form or amount, based upon, arising from or in connection with, for the reader’s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee and should not be construed to guarantee any particular results or outcome. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only.

Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.