According to a 2025 DreamHost study, 12% of American small businesses have paid hackers’ ransom demands, and 46% have already experienced cyberattacks. The data reveals a clear divide: businesses with tested backups and recovery plans refuse to pay, while those without them are far more likely to become victims. The solution doesn’t have to be complex — it’s disciplined preparation.
Key Findings at a Glance
- 12% of respondents have received a ransom demand related to their website, email, or data — and paid it.
- 42% are very concerned about ransomware attacks targeting websites.
- 46% have had their business hit by a cyberattack that exposed data, locked files, or took their website offline.
- 38% say their website has been hacked or infected with malware.
- 24% say they have never tested their backup and restore process to ensure it actually works.
- 40.5% would be most likely to invest in automated website backups if they knew backups would prevent them from having to pay a ransom.
source: nl.allianzgi.com
We surveyed 1,000 owners and managers of small businesses (50 or fewer employees) nationwide about website security. What we found: 12% have received a ransom demand related to their website, email, or data — and paid it.
Why does this matter?
Small businesses are low-hanging fruit for cybercriminals, making these attacks increasingly common. Our findings show how widespread — and costly — the threat has become for everyday business owners, not just large enterprises.
As a web hosting provider that serves thousands of small businesses, DreamHost wanted to understand the real-world impact of these threats and how prepared businesses are to respond. The results highlight clear gaps — and actionable solutions — in small business cybersecurity.
Picture a room of a hundred people who run websites: freelancers, store operators, small business owners — people who just want their site to work. Now count off twelve of them.
The data shows that 12 out of every 100 website operators have paid a ransom to regain access to their sites or data. When websites go offline due to cyberattacks, businesses face immediate disruptions: inaccessible admin panels, unfulfilled orders, and locked customer data.
For many, paying the ransom seems like the fastest way to get back online, even though attackers often fail to fully honor their promises.
The concern extends beyond those who have paid. Forty-two percent of respondents reported being “very concerned” about ransomware attacks targeting websites, reflecting broad awareness of the current threat landscape.
The full survey data reveals why that concern is justified — and what businesses can do about it.
Let’s get into it.
1 in 8 Americans Have Paid a Ransom
That 12% represents businesses pushed to a decision point: pay the ransom or face prolonged downtime.
Each payment reinforces the ransomware business model, proving the tactic works and increasing the odds that more businesses will face similar demands.
Ransomware attacks are not limited to large organizations. Small businesses with online operations face the same types of threats.
A closer look at those who received ransom demands shows how much preparedness shapes the decisions they make.
Of the 28.4% who faced a demand, 41.5% paid the ransom. In that moment — site down, data locked, revenue frozen — nearly half chose to pay.
On the flip side, 58.5% refused. That’s about 6 in 10 businesses that declined to pay.
The data suggests that businesses with tested backups, clear recovery protocols, and operational resilience were more likely to refuse payment. Strong infrastructure and planning appear to reduce vulnerability to ransom demands.
Businesses that understand their risks and maintain tested backups, secure logins, and automated recovery systems show lower susceptibility to these attacks.
Nearly Half of Americans are Deeply Worried About Ransomware Threats
Forty-two percent of respondents in our survey said they’re “very concerned” about the rising threat of ransomware attacks targeting websites. When you combine those who are “very concerned” with those who are “somewhat concerned,” 84.6% of respondents see ransomware as a serious threat.
For many small businesses, the website is the business — the storefront, the sales pipeline, the central hub. Any disruption to access can directly affect day-to-day operations.
This concern reflects a broader shift: ransomware has expanded beyond large enterprises and now frequently targets small businesses.
High-profile breaches show just how serious the problem can be.
When AT&T experienced a breach affecting 73 million current and former customers — including Social Security numbers, birth dates, and names — the company faced a $177 million settlement. The breach, which dated back to 2019, was only publicly acknowledged after customer data appeared on the dark web.
If organizations with full-time security teams can experience breaches at this scale, small businesses face similar risks without the same resources for proactive protection.
The writing’s on the wall: neglect invites exposure.
Our survey data shows that many business owners recognize common security weaknesses: outdated plugins, weak passwords, and skipped CMS updates. This awareness is driving more attention to cybersecurity practices among small businesses.
Nearly Half of Businesses Have Already Been Hacked
That widespread concern isn’t unfounded. Forty-six percent of our respondents have already experienced a cyberattack that exposed data, encrypted files, or took their website offline.
For 38% of respondents, those attacks took the form of everyday breaches that rarely make headlines but can lead to:
- Compromised logins
- Infected plugins
- SEO spam redirects
- Suspended domains
Each of these issues can mean lost revenue from downtime, damaged search rankings, and eroded customer trust — problems that can quickly snowball for small businesses operating on thin margins.
Malware infections in particular can spread quickly through outdated plugins and themes. For 14% of those who’ve been hacked, it wasn’t a one-time event — they’ve experienced multiple attacks.
The data shows that relying solely on a web host’s built-in security isn’t enough, and the cost of recovery is often far higher than the cost of prevention. Yet many continue with the same weaknesses that led to a breach in the first place — ignoring updates, skipping security checks, and using weak credentials.
These incidents often act as stepping stones to larger ransomware events. Many website owners still approach cybersecurity reactively instead of proactively.
1 in 4 Americans Never Test Their Website Backups
Even after being hacked or seeing peers lose data, many businesses still haven’t confirmed that their website backups actually work. Nearly one in four respondents (24%) reported they’ve never tested their backup and restore process.
That gap between having a plan and having a plan that works is where small issues turn into major business disruptions.
Many owners assume “auto-backup” means “auto-recovery.”
It doesn’t.
Backups can fail silently or become corrupted. Testing a backup typically takes less than 15 minutes and can be the difference between a brief inconvenience and weeks of downtime.
40% of Americans Would Pay for Backups To Avoid Paying Hackers
There is good news in the data: 40% of respondents said they’d be most likely to invest in automated website backups if it meant they could avoid paying a ransom.
This reflects a shift toward prevention as a business decision. Nearly a quarter of respondents cited cost or complexity as the main reason they haven’t adopted backup solutions. However, automated backups are usually far less expensive than recovering from a serious data breach.
Still, 4.6% said they’d never invest in backups at all. These businesses remain highly vulnerable to ransomware attacks.
The average total cost for a small business to respond to and recover from a data breach can range from $120,000 to $1.24 million.
When a site can be restored in minutes, ransom demands lose much of their power. The faster recovery happens, the less leverage attackers have. This makes backup tools essential infrastructure. If a site can be quickly restored, attackers lose their main bargaining chips: time and access.
Summary
Nearly half of small businesses have already experienced a cyberattack. This widespread threat is changing how businesses think about cybersecurity: awareness is now high, and website owners increasingly see cybersecurity as business continuity planning, not just a technical expense.
The path forward is clear. Resilience is built through disciplined preparation: rigorously tested backups, tools that automate defense, and a commitment to ongoing digital readiness.
The most effective defense is the ability to respond and recover quickly.
Businesses that prepare in advance face significantly lower risk when attacks occur.
Note: This article is based on a nationwide survey conducted in October 2025, in which we collected responses from 1,000 Americans to better understand their experiences and concerns related to website security and cyber threats. The survey specifically targeted individuals who own or manage businesses with 50 or fewer employees, ensuring the data reflects the unique challenges and realities faced by small business operators.
Participants represented a diverse cross-section of industries and professional backgrounds, offering a well-rounded snapshot of public sentiment and real-world impacts. Respondents were asked a series of questions about ransomware, website breaches, data protection practices, and incident response, providing valuable insights into the current state of cybersecurity awareness and preparedness among small business owners in the U.S. via dreamhost
