The Real Cost of Ransomware in France: Hard Numbers, Case Studies, and Ground-Level Reality
A thorough breakdown of ransomware costs in France: direct expenses, operational losses, legal fees, reputational damage, and hidden costs. Case studies from Manutan, Sopra Steria, Saint-Gobain, CHSF, Lise Charmel, and Clestra.
Over a weekend in February 2021, Manutan was hit by the DarkSide ransomware. On Monday morning, its 2,400 employees arrived at the office to discover that nothing worked: no email, no ERP, no order processing. The attack on the office supply and industrial equipment distributor encrypted servers, paralyzed warehouses, and knocked out the phone system. It took 10 days to restore basic order processing. The final cost reported by management: 20 million euros.
Twenty million. For a company generating 800 million euros in annual revenue, that is 2.5% of yearly turnover gone. And Manutan is not an isolated case in France. Sopra Steria, Saint-Gobain, the Centre Hospitalier Sud Francilien (a major hospital south of Paris), Lise Charmel, Clestra - every year, French companies of all sizes are brought down by ransomware, with bills running into the millions and sometimes hundreds of millions.
Yet when people discuss the cost of ransomware, the conversation almost always centers on the ransom itself. Should you pay? How much are they asking? This misses the point entirely. The ransom rarely accounts for more than 10 to 15% of the total cost of an attack. The rest is business downtime, system rebuilding, legal fees, lost customers, higher insurance premiums, and exhausted teams.
This article breaks down the real cost of ransomware in France, line by line. With verifiable data (from ANSSI - France's national cybersecurity agency, CESIN - France's leading IT security professionals' association, IBM, Coveware, and Hiscox), concrete case studies from French companies, and a critical look at what the headline numbers fail to capture. If you are looking for an analysis focused specifically on small businesses, see also What Does a Cyberattack Cost an SMB of 50 Employees?.
Ransomware in France in 2025-2026: The Numbers
Let's start with the macro data. ANSSI's 2025 cyber threat landscape report (covering 2024) ranks ransomware as the number one threat to French organizations across every sector. The agency handled 4,386 security events in 2024, a stable share of which were ransomware attacks targeting local governments, healthcare facilities, and SMBs.
The CESIN 2025 barometer (conducted by OpinionWay with 397 respondents) shows that 40% of member companies experienced at least one successful attack in 2024. Ransomware was involved in 17% of reported incidents - a figure that has declined from previous years, though this reflects the rise of other vectors (account compromise, supply chain attacks) rather than any actual retreat of ransomware itself.
At the global level, the Verizon DBIR 2025 confirms that ransomware is present in 44% of analyzed breaches and in 88% of incidents targeting SMBs. The IBM Cost of a Data Breach 2025 report puts the average cost of a ransomware incident at $5.08 million worldwide.
What has changed in recent years is the attackers' business model. Ransomware-as-a-Service (RaaS) has democratized access to attack tools: affiliates with no advanced technical skills can rent infrastructure from LockBit, BlackCat, or Cl0p to run their own campaigns, paying 20 to 30% of collected ransoms back to the developers. The result: attack volume has risen and targeting has broadened. French SMBs are no longer collateral damage - they are direct targets.
Double Extortion Is Now Standard
Since 2020, most ransomware groups practice double extortion: encrypting data AND stealing it, with a threat to publish. Some groups (such as Cl0p during the MOVEit campaign in 2023) have dropped encryption entirely to focus solely on data theft and extortion.
For a French company, this shift changes the calculus entirely. Even if you have working backups and can restore your systems without paying, there is still the threat of customer data, financial records, and intellectual property being published on dark web leak sites. No backup can undo that.
Entry Vectors: Phishing Still Dominates
The initial entry vector for ransomware in France has remained remarkably stable. According to ANSSI, phishing and spear phishing are the leading initial access vectors, followed by exploitation of unpatched vulnerabilities (VPNs, Exchange servers, network appliances) and credential compromise via stolen databases.
The CESIN 2025 barometer confirms that phishing in all its forms (email, SMS, phone) is involved in 55% of incidents. For SMBs, the proportion is even higher: an employee clicking a malicious link or opening a weaponized attachment remains the most common scenario. This is precisely where a phishing simulation program makes the difference.
Direct Costs: What Shows Up on the Books
Direct costs are the ones companies identify most readily. They are the invoices that arrive in the weeks following the attack.
Ransom Payment
Let's start with the item that makes headlines. Ransom demands vary widely depending on the size of the target and the attacker group.
Reference data:
- The Verizon DBIR 2025 reports a median ransom of $115,000 across all sectors.
- Coveware, a ransom negotiation specialist, observed an average payment of $402,000 in Q4 2024, but with a much lower median of $180,000 - a sign that a few multi-million-dollar ransoms skew the average upward.
- For SMBs, demands typically fall between 10,000 and 500,000 euros, calibrated to stay in the zone where paying feels more attractive than enduring weeks of downtime.
- For large enterprises and mid-caps, demands routinely exceed one million euros.
In France, the payment rate has dropped. 64% of ransomware victims now refuse to pay (Verizon DBIR 2025), compared to 50% two years earlier. ANSSI and Cybermalveillance.gouv.fr (France's public assistance platform for cyber victims) have contributed significantly to this trend through active public messaging against payment.
But paying does not guarantee recovery. Coveware estimates that 20 to 30% of organizations that pay never recover all their files. The decryption tool provided by attackers is often slow, buggy, or incomplete.
Forensic Investigation
After a ransomware attack, the company needs to understand what happened. How did the attacker get in? How long were they in the network? What data was exfiltrated? This forensic investigation is essential for three reasons: securing the remediation (to avoid rebuilding on top of a persistent backdoor), meeting legal obligations (CNIL notification with a description of the breach), and supporting any criminal complaint.
Typical forensic investigation costs:
| Service | Price Range |
|---|---|
| Emergency CERT response (first 48-72 hours) | 15,000 - 50,000 euros |
| Full investigation (2-4 weeks) | 50,000 - 200,000 euros |
| Data exfiltration analysis | 20,000 - 80,000 euros |
| Complete forensic report | Included in investigation |
For an SMB of 50 to 250 employees, the forensic investigation typically costs between 30,000 and 100,000 euros. Daily rates for forensic analysts range from 1,500 to 2,500 euros, and an investigation usually involves 2 to 5 consultants working for several weeks.
Large corporations pay considerably more. Sopra Steria mobilized teams from Airbus CyberSecurity and its own divisions for weeks after the Ryuk attack.
Incident Response
Beyond the investigation, incident response includes containment (isolating compromised systems), eradication (removing attacker access and cleaning systems), and crisis management (war room, internal and external communications).
Typical costs:
- ANSSI-qualified incident response provider (PRIS, Prestataire de Réponse aux Incidents de Sécurité): 2,000 to 3,500 euros/day per consultant, with a minimum engagement of 3 to 10 days.
- Crisis management cell: internal coordination, often not invoiced but representing dozens of hours of senior leadership time.
- Crisis communications: PR agency, press releases, customer notification - between 10,000 and 50,000 euros for an SMB, significantly more for a large corporation.
All told, immediate direct costs (excluding the ransom) run between 50,000 and 300,000 euros for an SMB and between 500,000 and several million for a large corporation.
Operational Costs: When the Business Stops
This is the heaviest line item. By far. Business downtime accounts for an average of 50 to 60% of the total cost of a ransomware attack according to the IBM report. It is also the hardest cost to estimate in advance because it depends on how long systems are down, how dependent the business is on IT, and whether the company can operate in degraded mode.
Business Downtime
Reference data on duration:
- Coveware (Q4 2024): average downtime of 23 days after a ransomware attack.
- ANSSI: for cases handled by the agency, recovery timelines range from 2 weeks to several months depending on the organization's maturity.
- IBM Cost of a Data Breach (2024 edition): the mean time to identify and contain a breach was 258 days (194 days to identify, 64 to contain). Treat this figure with care: it covers all breach types, most of them quiet data theft. A ransomware encryption event announces itself within minutes, so the metric that drives downtime cost is the recovery time above, not dwell time.
The formula for calculating downtime cost is straightforward:
Daily revenue x number of days down x percentage of activity affected
Take a manufacturing SMB generating 10 million euros in annual revenue. Over a 250-working-day year, its daily revenue is roughly 40,000 euros. If it is completely shut down for 5 days, then running at 50% capacity for 15 days, the revenue loss works out to:
- 5 days x 40,000 euros = 200,000 euros (full shutdown)
- 15 days x 40,000 euros x 50% = 300,000 euros (degraded mode)
- Total: 500,000 euros in lost revenue
And this calculation does not account for lost margin, late-delivery penalties on existing contracts, or the cost of acquiring new customers to replace those who switched to a competitor during the outage.
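To make the formula reusable beyond the single two-phase case above, here is a small cost model, added as an illustration and not taken from the article or from any of the companies it cites. It generalizes the calculation to any number of outage phases, each with its own residual capacity, and converts a lump sum (a ransom demand, a forensic invoice, a rebuild quote) into its equivalent in days of full shutdown, which is a useful way to put a cost next to the downtime it competes with. The 250-working-day year is an assumption (it is what turns 10 million euros into roughly 40,000 euros per day); the sample figures are the article's manufacturing SMB, constructed here as test input.

```python
from dataclasses import dataclass

# Assumption: a 250-working-day year, which is what makes 10 M EUR of annual
# revenue come out at roughly 40,000 EUR per day in the article's example.
WORKING_DAYS_PER_YEAR = 250


@dataclass(frozen=True)
class OutagePhase:
    """One stretch of the outage: how many working days it lasts and what
    share of normal activity still runs (0.0 = full shutdown, 0.5 = half)."""
    days: float
    capacity: float

    def __post_init__(self) -> None:
        if self.days < 0:
            raise ValueError("days must be >= 0")
        if not 0.0 <= self.capacity <= 1.0:
            raise ValueError("capacity must be between 0.0 and 1.0")


def daily_revenue(annual_revenue: float, working_days: int = WORKING_DAYS_PER_YEAR) -> float:
    """Average revenue per working day."""
    return annual_revenue / working_days


def lost_revenue_by_phase(annual_revenue: float, phases: list[OutagePhase]) -> list[float]:
    """Revenue lost in each phase: daily revenue x days x share of activity lost."""
    per_day = daily_revenue(annual_revenue)
    return [per_day * p.days * (1.0 - p.capacity) for p in phases]


def lost_revenue(annual_revenue: float, phases: list[OutagePhase]) -> float:
    """Total revenue lost over the whole outage."""
    return sum(lost_revenue_by_phase(annual_revenue, phases))


def shutdown_days_equivalent(annual_revenue: float, amount: float) -> float:
    """How many days of full shutdown a lump sum (ransom demand, forensic
    invoice, rebuild quote) is worth for this business."""
    return amount / daily_revenue(annual_revenue)


# Constructed sample: the article's manufacturing SMB, 10 M EUR/year,
# 5 days fully down, then 15 days at 50% capacity.
SMB_REVENUE = 10_000_000
SMB_OUTAGE = [OutagePhase(days=5, capacity=0.0), OutagePhase(days=15, capacity=0.5)]

if __name__ == "__main__":
    for phase, loss in zip(SMB_OUTAGE, lost_revenue_by_phase(SMB_REVENUE, SMB_OUTAGE)):
        print(f"{phase.days:>3} days at {phase.capacity:.0%} capacity: {loss:>10,.0f} EUR lost")
    print(f"Total lost revenue: {lost_revenue(SMB_REVENUE, SMB_OUTAGE):,.0f} EUR")
    # A 100,000 EUR ransom demand is worth 2.5 days of full shutdown for this SMB,
    # which is why the "just pay" calculus looks tempting in the middle of a crisis.
    print(f"100,000 EUR ransom = {shutdown_days_equivalent(SMB_REVENUE, 100_000):.1f} shutdown days")
```

Run it directly for the per-phase breakdown, or feed it your own revenue and a realistic set of phases to get a pre-incident estimate you can put in front of the executive committee. Treat the result as a floor: like the article's figure, it ignores lost margin, contractual penalties and the customers who do not come back.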
Operating in Degraded Mode
When systems are down, employees do not sit idle. They fall back on manual processes: paper purchase orders, phone calls instead of emails, Excel spreadsheets on personal laptops, manual data entry into backup systems. This degraded mode has a cost.
At CHSF Corbeil-Essonnes (Centre Hospitalier Sud Francilien, a major hospital south of Paris), medical staff reverted to paper records, handwritten prescriptions, and lab results delivered by courier between departments. Productivity dropped sharply for weeks.
At Manutan, sales teams took orders by phone and entered them manually into spreadsheets while the ERP was being rebuilt. Order error rates spiked, leading to returns, disputes, and customer dissatisfaction.
Degraded mode costs:
- Overtime: IT teams work 12 to 16-hour days during the crisis. Business teams put in overtime to clear the backlog. For a 200-employee company, expect 50,000 to 150,000 euros in overtime over the crisis period.
- Errors and rework: manual processes generate errors (incorrect orders, wrong invoices, lost data). The correction cost is hard to quantify but represents dozens of hours of labor.
- Temporary staff: some companies hire temps to handle the surge of manual work during the crisis.
The Supply Chain Domino Effect
Ransomware does not hit just one company. If you are a supplier, your customers are affected. If you are a buyer, your suppliers cannot deliver. This domino effect multiplies the true cost of the attack far beyond the walls of the victim organization.
Saint-Gobain experienced this with NotPetya in 2017: the attack struck its Ukrainian subsidiary, then spread across the global group. Flat glass and insulation production plants were shut down, orders could no longer be processed, and construction industry customers were left without supplies. Some switched to competitors and never came back.
Rebuilding Costs: Starting from Scratch
After containment and investigation comes the rebuilding phase. This is often where companies discover the full extent of the damage.
System Reconstruction
Ransomware that has encrypted Active Directory, file servers, the ERP, and workstations requires a near-complete infrastructure rebuild. Companies do not simply decrypt - they rebuild, because they no longer trust the compromised environment: a domain controller restored from a backup taken after the intruder obtained domain admin brings the intruder's persistence back with it.
Typical cost items:
| Item | SMB (50-250 employees) | Mid-cap / Large corporation |
|---|---|---|
| Server and AD reconstruction | 30,000 - 100,000 euros | 200,000 - 1M euros |
| Workstation reinstallation | 200 - 500 euros per unit | Same |
| Data restoration | 10,000 - 50,000 euros | 50,000 - 500,000 euros |
| New hardware (if needed) | 20,000 - 80,000 euros | 100,000 - 500,000 euros |
| Software licenses | 5,000 - 30,000 euros | 50,000 - 300,000 euros |
| Cloud migration (often decided post-incident) | 30,000 - 150,000 euros | 200,000 - 2M euros |
Manutan rebuilt its entire IT infrastructure. The company used the crisis as an opportunity to migrate part of its systems to the cloud - which increased the immediate cost but reduced future exposure. The pure rebuilding cost (excluding lost business) represented a substantial portion of the 20 million euros in total cost.
Data Restoration
Data restoration is the moment of truth. This is when companies find out whether their backups actually work.
Several scenarios:
- Intact and recent backups: best case. Restoration takes a few days. But there is almost always some data loss between the last backup and the moment of encryption (the "RPO gap").
- Partially compromised backups: attackers increasingly target backups. If the backup server was connected to the main network, it may have been encrypted too. According to Veeam, 93% of ransomware attacks target backup repositories, and 75% of those attacks succeed in at least partially degrading backups.
- No usable backups: worst-case scenario. The company has lost its data. This is what happened to Lise Charmel.
Post-Incident Security Investment
After a ransomware attack, companies invest heavily in cybersecurity. Understandable, but it is also an additional cost on top of the bill:
- EDR (Endpoint Detection and Response): 3 to 8 euros per endpoint per month.
- Outsourced SOC: 3,000 to 15,000 euros per month for an SMB.
- Full security audit: 15,000 to 50,000 euros.
- Awareness training program: 2 to 5 euros per employee per month. To build the business case for your leadership: Cybersecurity Awareness ROI: How to Convince Your Management.
- Network architecture overhaul (segmentation, Zero Trust): 50,000 to 300,000 euros.
These investments would have cost a fraction of the amount had they been made before the attack. Easy to say in hindsight.
Legal and Regulatory Costs: A Rapidly Growing Line Item
The legal dimension of a ransomware attack has become a cost category in its own right, driven by the combined pressure of GDPR, NIS2, and the LOPMI law.
CNIL Notification
Any personal data breach must be reported to the CNIL (France's data protection authority, equivalent to the UK ICO) within 72 hours of discovery (Article 33 of the GDPR). If the risk to affected individuals is high, the company must also notify them individually (Article 34).
In the case of ransomware with data exfiltration, notification is almost always required. Associated costs:
- Specialized legal counsel: 5,000 to 30,000 euros to support the notification process and manage the relationship with the CNIL.
- Identifying exfiltrated data: this analysis is often the most expensive, as it requires cross-referencing network logs with the impacted databases. The logs only exist if they were shipped to a system the attacker could not reach and retained long enough, a decision that has to be made before the incident, not after.
- Individual notification: letters, emails, setting up an FAQ page and a dedicated hotline. For a database of 10,000 individuals, expect 15,000 to 40,000 euros.
- Credit monitoring: some companies offer affected individuals a personal data monitoring service. Cost: 5 to 15 euros per person per year.
Potential Fines
The CNIL can impose fines of up to 4% of annual global revenue or 20 million euros (whichever is higher). In practice, the CNIL considers the degree of negligence, the security measures in place before the incident, and the company's level of cooperation.
Selected CNIL sanctions related to security gaps that facilitated cyberattacks:
- Dedalus Biologie: 1.5 million euros (2022) for security failures that led to the leak of medical data belonging to 500,000 patients.
- ChamberSign: 200,000 euros (2023) for insufficient security measures.
- Numerous CNIL sanctions in 2024-2025 for failure to secure personal data, with amounts ranging from 50,000 to 800,000 euros.
Under the NIS2 directive, which France is transposing into national law, obligations expand. "Essential entities" and "important entities" must send ANSSI an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. NIS2 fines can reach 10 million euros or 2% of global annual revenue (whichever is higher) for essential entities, and 7 million euros or 1.4% for important entities.
The LOPMI Law and the Police Report Requirement
The LOPMI law (France's Interior Ministry orientation and programming law), in force since April 2023, makes insurance indemnification for losses caused by a cyberattack conditional on filing a criminal complaint within 72 hours of becoming aware of the attack. This requirement has concrete implications:
- It forces companies to formally report the attack to the authorities rather than handle it quietly (a complaint is an official act, even though it is not itself public).
- It accelerates the response timeline (72 hours is tight when you are managing a crisis).
- It can trigger a judicial investigation that demands executive time.
Long-Term Legal Costs
Beyond the immediate crisis, the legal aftermath of a ransomware attack can stretch on for months or even years:
- Collective actions by affected individuals: in France, group actions (action de groupe) over personal data can be brought before the courts by approved associations; they remain rare, but the mechanism exists.
- Disputes with business partners: if the attack compromised client or supplier data, contractual claims may follow.
- Insurance disputes: disagreements over coverage, exclusions, or indemnification amounts can lead to negotiations or legal proceedings.
A law firm specializing in cybersecurity charges between 300 and 600 euros per hour. On a complex ransomware case, cumulative legal fees easily reach 50,000 to 200,000 euros over two years.
Reputational Costs: The Invisible Bill
This is the hardest cost to quantify, yet often the most painful over the long term. A ransomware attack - especially one that draws media coverage - leaves lasting marks on how customers, partners, and prospects perceive the company.
Customer Loss
The IBM report estimates the "lost business" component at approximately 30% of the total cost of an incident. This figure includes existing customer churn, lost revenue from prospects who walk away, and higher acquisition costs for new customers.
In e-commerce and B2B, the effect is measurable. When an e-commerce site is down for several weeks (as Manutan's was), business buyers redirect their purchases to competitors. Some come back; others do not. Customer retention rates drop by 3 to 5 percentage points in the year following a major incident according to Ponemon data.
Lost Contracts
A growing number of procurement teams - particularly in the public sector and at large corporations - demand cybersecurity guarantees in their tenders (ISO 27001 certification, NIS2 compliance, documented security policies). A public ransomware incident can disqualify a company from these contracts for years.
This is an opportunity cost that is impossible to pin down precisely, but sales teams feel it acutely. A sales director at a French IT services firm told Le Monde Informatique after the Sopra Steria attack: "For six months, at every client meeting, the first question was about the attack. It completely changed the dynamic of the relationship."
Media Coverage
Ransomware attacks receive increasing media coverage in France. National newspapers, specialist outlets (Le Mag IT, Le Monde Informatique, ZDNet.fr), and 24-hour news channels regularly cover incidents. For publicly listed companies, the stock price impact is measurable.
Saint-Gobain's stock dropped 3% in the days after the NotPetya announcement before recovering. For a privately held SMB, media coverage affects the confidence of banking partners and customers.
Hidden Costs: What Never Makes It into the Budget
Beyond direct, operational, rebuilding, legal, and reputational costs, there is a category of expenses that rarely get quantified but are entirely real.
Executive Time
During a ransomware crisis, the CEO, CTO, CFO, and HR director stop doing their regular jobs. They manage the crisis instead. For a minimum of 2 to 4 weeks, the leadership team is entirely consumed by the incident rather than running the business.
This opportunity cost is rarely measured. Yet if you value a typical SMB executive committee (CEO, CFO, CTO, sales director, HR director) at roughly 2,500 euros/day per person, and these 5 people devote 50% of their time to the crisis for 3 weeks, the math is simple: 5 x 2,500 x 15 x 50% = 93,750 euros in diverted executive time.
For a large corporation, this figure balloons. Sopra Steria mobilized its executive committee for several weeks, with daily crisis meetings and constant communication with clients and regulators.
Insurance Premium Increases
After a cyber claim, the insurer reassesses the risk. The consequences:
- Premium increase of 30 to 100% at the next renewal.
- Higher deductible (the amount the company pays out of pocket before insurance kicks in).
- Reduced coverage (lower caps, additional exclusions).
- In the most serious cases, non-renewal, which forces the company to find a new insurer in a market where the claim is known.
According to data from AMRAE (France's risk management association, LUCY 2025 report), cyber premiums broadly declined in 2024 (soft market), but companies that filed a claim faced significant increases against the market trend. For more detail on the French cyber insurance market: Your Cyber Insurer Wants Proof of Employee Training?.
Team Burnout
The human cost is the great absence from financial analyses. Yet it is entirely real.
After a ransomware attack, IT teams work week after week, often 60 to 80 hours, under relentless pressure. The Hiscox Cyber Readiness Report 2025 indicates that 32% of employees at companies hit by a cyberattack reported experiencing burnout. IT staff turnover rises in the 6 to 12 months following a major incident.
The cost of replacing a systems engineer or network administrator (recruitment, training, ramp-up time) runs between 6 and 12 months of salary. If a company loses 2 or 3 members of its IT team after an incident, the cost reaches tens of thousands of euros.
Beyond IT, the stress radiates across the entire organization. Sales staff must reassure anxious customers. Accountants must reconstruct lost data. Managers must maintain morale in exhausted teams. The productivity impact can persist for 6 to 12 months after the incident.
Accumulated Technical Debt
During the crisis and rebuilding phase, the company makes emergency decisions. Systems are brought back up quickly with "temporary" configurations that become permanent. Updates are deferred. IT projects are frozen. This technical debt has a cost that materializes in the months and years that follow, in the form of increased maintenance, degraded performance, and unpatched vulnerabilities.
Six French Case Studies That Show the Scale of Damage
Let's move from abstract figures to concrete cases. Here are six ransomware attacks that hit French organizations, with available data on the financial impact.
Manutan: 20 Million Euros Total Cost
- Date: February 2021
- Ransomware: DarkSide
- Entry vector: compromised account via VPN access (credentials likely stolen)
Manutan, a European leader in office and industrial supply distribution (800 million euros in revenue, 2,400 employees), was hit on a weekend. The ransomware encrypted a large share of its servers, paralyzing the ERP, email, IP telephony, and warehouse management system.
Crisis timeline:
- Day 0 to Day 3: total containment, no orders processed.
- Day 3 to Day 10: workaround solutions deployed, orders taken by phone.
- Day 10: partial restoration of online order processing.
- Several months: full infrastructure rebuilding, partial cloud migration.
Reported cost: 20 million euros, covering lost business, rebuilding, forensic investigation, and security hardening. Management stated that no ransom was paid.
The company drew lessons from the attack by investing heavily in post-crisis cybersecurity: outsourced SOC, network segmentation, employee awareness program, offline backups. Investments that would have cost a fraction of 20 million euros had they been made beforehand.
Sopra Steria: 50 Million Euros in Impact
- Date: October 2020
- Ransomware: Ryuk
- Entry vector: phishing email followed by lateral movement via Cobalt Strike and BazarLoader
Sopra Steria, a French IT services firm with 46,000 employees and 4.3 billion euros in revenue, was hit by Ryuk on October 20, 2020. The attack affected several thousand workstations and part of the server infrastructure.
The company detected the attack relatively quickly and took aggressive containment measures: isolating nearly the entire IT environment, cutting client VPN access, and severing interconnections. This rapid response limited the scope of encryption, but the operational impact was considerable.
Reported cost: in its 2020 annual report, Sopra Steria estimated the financial impact at approximately 50 million euros, covering remediation, lost business (some client projects were delayed or suspended), and security hardening. Cyber insurance covered part of the loss (roughly 30 million euros according to analyses), leaving a net residual impact of approximately 20 million euros.
What makes the Sopra Steria case instructive is that the company is itself a cybersecurity player. Its incident response team was among the best in the French market. Despite that, a single phishing email was enough to trigger a weeks-long crisis and a 50-million-euro impact. Proof that preventing the human factor (awareness training, simulations) is at least as important as detection technology.
Saint-Gobain and NotPetya: 220 Million Euros in Lost Revenue
- Date: June 2017
- Malware: NotPetya (wiper disguised as ransomware)
- Entry vector: trojanized update of the Ukrainian accounting software M.E.Doc, then propagation via the EternalBlue and EternalRomance SMB exploits and via credentials harvested from memory and reused over PsExec and WMI
The NotPetya attack was a special case: it was not a typical ransomware with a ransom demand, but a destructive wiper attributed to Russia's GRU, using Ukrainian accounting software as the initial distribution vector. But the impact on French companies was identical to that of ransomware: encrypted systems, halted operations, full rebuild required.
Saint-Gobain was among the hardest-hit French companies. The group reported an impact of 220 million euros on revenue and 80 million euros on operating income in the first half of 2017. Flat glass and insulation production plants were shut down for several days. Logistics were paralyzed. The company took several weeks to return to normal operations.
Renault had been hit a few weeks earlier, in May 2017, by WannaCry, a different worm that exploited the same EternalBlue SMB vulnerability, with production halted at several plants.
This case demonstrates that even very large corporations with IT budgets in the hundreds of millions of euros are not immune. And that the financial impact of ransomware on an industrial group can reach amounts that exceed the entire cybersecurity budget of any SMB.
CHSF Corbeil-Essonnes: The Human Cost of Ransomware
- Date: August 2022
- Ransomware: LockBit 3.0
- Ransom demanded: $10 million (later reduced to $1 million)
The Centre Hospitalier Sud Francilien (CHSF), a 1,000-bed hospital located in Corbeil-Essonnes south of Paris, was hit in the middle of August. The attack paralyzed the hospital's information systems: electronic medical records, medical imaging, pharmacy, and laboratory.
Operational impact:
- Patient transfers to other facilities.
- Return to paper-based processes for prescriptions, lab results, and medical reports.
- Postponement of non-urgent surgical procedures.
- Degraded operations for several months.
The hospital did not pay the ransom. The LockBit group followed through on its threats by publishing patient data on the dark web, triggering a crisis of confidence and CNIL notification obligations.
The precise financial cost was not made public, but sector experts estimate the impact at between 7 and 10 million euros (additional operating costs, remediation, lost activity billed to the Assurance Maladie - France's national health insurance system, and security investments). The true cost, impossible to quantify, is the human one: delayed patient care, stressed healthcare workers, eroded patient trust.
The CHSF case sent a shockwave through France. The government announced a 250-million-euro plan for hospital cybersecurity, and ANSSI was tasked with supporting the 135 GHTs (groupements hospitaliers de territoire - regional hospital groups).
Lise Charmel: From Attack to Receivership
- Date: November 2019
- Ransomware: not publicly identified
- Impact: placed in receivership (redressement judiciaire) in February 2020
Lise Charmel, a Lyon-based lingerie brand founded in 1950 with approximately 1,100 employees and 60 million euros in revenue, was hit by ransomware in November 2019. The attack encrypted the entire information system: ERP, email, production files, order history.
The company had no usable backups. It did not pay the ransom. Rebuilding the IT environment took months, during which commercial activity was virtually at a standstill. Cash reserves, already stretched thin, could not withstand the blow.
In February 2020, the Lyon commercial court placed Lise Charmel in receivership (redressement judiciaire), with activity continuing under court supervision. The company survived the procedure, but the episode remains a textbook case: a cyberattack can push a mid-sized company to the edge of insolvency.
The causes of Lise Charmel's vulnerability were well known: no offline backups, no disaster recovery plan, minimal cybersecurity budget. Investments of a few tens of thousands of euros could have prevented the collapse.
Clestra Hauserman: The Final Blow
- Date: May 2022
- Ransomware: not publicly identified
- Impact: placed in receivership in September 2022
Clestra Hauserman, an Alsace-based manufacturer of movable partitions, was already in a fragile financial state when ransomware struck in May 2022. The attack paralyzed production and administrative systems for several weeks.
The company, which employed approximately 400 people and generated 50 million euros in revenue, could not absorb the shock. In September 2022, it was placed in receivership. The company was eventually acquired by Financiere CEL, with a significant reduction in headcount.
Clestra's CEO publicly stated that the cyberattack had been "the final blow" for a company already weakened by COVID and rising raw material costs. The cost of the cyberattack (estimated at several million euros) tipped an already critical situation over the edge.
This case illustrates a point that aggregate statistics do not show: ransomware kills fragile companies. A financially healthy SMB can absorb a shock of 200,000 to 500,000 euros. An SMB with tight cash flow cannot.
The Big Debate: To Pay or Not to Pay
This is the question that divides opinion. And the answer depends on whose perspective you take.
The Official French Position
ANSSI is unequivocal: do not pay. The agency puts forward several arguments:
- Paying does not guarantee data recovery. The decryption tool provided by attackers is often unreliable.
- Paying funds organized crime. Every ransom paid finances the next attack.
- Paying marks you as a target. Criminal groups sell lists of "good payers" to other groups.
- Paying does not prevent publication of stolen data. Several groups have published data even after receiving payment.
Cybermalveillance.gouv.fr (France's public assistance platform for cyber victims) echoes the same position and offers a free guide on what to do in case of ransomware.
Business Reality
In practice, the decision is more complex. When a manufacturing SMB is at a total standstill, the ransom demand is 100,000 euros, and the estimated rebuilding cost is 500,000 euros plus 4 weeks of downtime, the pure economic calculus appears to argue for payment. That calculus rests on two assumptions ANSSI's arguments call into question: that the decryptor works on the whole fleet, and that paying removes the need to rebuild. A decryptor that fails on part of the servers, or data published anyway, brings most of the rebuilding cost right back on top of the ransom.
This is, in fact, what the LOPMI law implicitly acknowledges: by making insurance indemnification conditional on filing a police report (rather than banning payment outright), lawmakers chose not to prohibit payment while making it traceable.
Insurers have taken shifting positions. AXA France announced in 2021 that it would no longer cover ransom payments, before partially reversing course. Today, some cyber insurance policies cover ransom payment (subject to the LOPMI police report requirement), while others exclude it explicitly.
My Take
As a CISSP-certified consultant who has supported companies through these situations, I believe the "pay or don't pay" debate is often a false dilemma. The real issue is preparedness.
If you have offline backups that are tested and a disaster recovery plan that has been rehearsed, the payment question does not arise: you restore. Recovery takes days, not weeks. The total cost is a fraction of what it would be without preparation.
If you have no backups, no plan, and no network segmentation, the payment question becomes an impossible dilemma. You are in Lise Charmel's position, and there is no good answer.
The only recommendation that holds up: invest before the attack so the dilemma never arises. Which brings us to the cost of prevention.
Cyber Insurance: What It Actually Covers
The French cyber insurance market reached 317 million euros in collected premiums in 2024 (AMRAE LUCY 2025 report). But what does a cyber insurance policy actually cover in the event of ransomware?
What Is Generally Covered
- Incident response costs: forensic investigation, crisis management provider, legal counsel.
- Notification costs: CNIL notification, individual notifications to affected persons, setting up a hotline.
- Business interruption: indemnification of lost gross margin during the interruption period, after a waiting period (a number of days that are never indemnified) and up to a cap.
- Data and system restoration costs: within certain limits.
- Ransom: covered by some policies (subject to the LOPMI police report requirement), excluded by others.
What Is Never Covered
- CNIL fines: under French law, administrative fines are not insurable (non-insurability of penalties principle).
- Loss of intellectual property: if your designs, patents, or trade secrets are published, no insurance compensates for the loss in value.
- Long-term reputational damage: insurers cover only immediate crisis communication costs, not 12 to 24 months of customer attrition.
- Gross negligence: if the insurer demonstrates that the company had not implemented minimum security measures (MFA, backups, patching), it can deny the claim.
The Reality of Deductibles and Caps
For an SMB, typical cyber insurance contracts include:
- Deductible: 15,000 to 100,000 euros (the amount the company pays out of pocket).
- Coverage cap: 500,000 to 5 million euros.
- Business interruption waiting period: 3 to 10 days (losses during the initial days are not indemnified).
In practice, an SMB that suffers a ransomware attack costing 400,000 euros with a 30,000-euro deductible and a 500,000-euro cap will recover most of it: at most 370,000 euros, less whatever downtime falls inside the business interruption waiting period. But if the cost exceeds the cap (which happens in serious cases), the difference comes out of its own pocket.
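To make the deductible, cap and waiting-period mechanics concrete, here is a small claim-settlement model, added for this article and not taken from any insurer's policy wording. The policy terms, the cost lines and the two scenarios are constructed assumptions chosen inside the ranges quoted above; real policies also carry sub-limits and exclusions this model leaves out.

```python
"""Added example: settle a ransomware claim against a simplified cyber insurance policy.

Assumptions (not from the article or any insurer): a policy is reduced to a
deductible, an overall cap, a business-interruption waiting period and a
ransom-cover flag. Regulatory fines are never eligible, as under French law.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    deductible: float        # euros the insured bears before cover starts
    cap: float               # overall per-claim limit
    bi_waiting_days: int     # interruption days that are never indemnified
    covers_ransom: bool = False


@dataclass
class Claim:
    response_costs: float    # forensics, IR provider, counsel, notification
    restoration_costs: float # rebuild: hardware, licences, contractors
    downtime_days: int
    daily_margin_loss: float # gross margin lost per day of interruption
    ransom_paid: float = 0.0
    regulatory_fines: float = 0.0  # CNIL fines: uninsurable, stay with the insured


def settle(policy: Policy, claim: Claim) -> dict:
    """Return what the insurer pays and what stays with the company."""
    # Business interruption: only days beyond the waiting period are indemnified.
    indemnified_days = max(claim.downtime_days - policy.bi_waiting_days, 0)
    eligible = (claim.response_costs + claim.restoration_costs
                + indemnified_days * claim.daily_margin_loss)
    if policy.covers_ransom:
        eligible += claim.ransom_paid
    # Deductible first, then the cap; fines are never part of `eligible`.
    payout = min(max(eligible - policy.deductible, 0.0), policy.cap)
    total_cost = (claim.response_costs + claim.restoration_costs
                  + claim.downtime_days * claim.daily_margin_loss
                  + claim.ransom_paid + claim.regulatory_fines)
    return {
        "total_cost": total_cost,
        "eligible": eligible,
        "payout": payout,
        "out_of_pocket": total_cost - payout,
        "hit_cap": eligible - policy.deductible > policy.cap,
    }


# Constructed scenarios inside the ranges quoted in the article (not real claims).
SMB_POLICY = Policy(deductible=30_000, cap=500_000, bi_waiting_days=5)
MEDIAN_CLAIM = Claim(response_costs=100_000, restoration_costs=90_000,
                     downtime_days=15, daily_margin_loss=14_000)
SEVERE_CLAIM = Claim(response_costs=200_000, restoration_costs=200_000,
                     downtime_days=40, daily_margin_loss=25_000,
                     regulatory_fines=50_000)

if __name__ == "__main__":
    for name, claim in (("median", MEDIAN_CLAIM), ("severe", SEVERE_CLAIM)):
        r = settle(SMB_POLICY, claim)
        print(f"{name}: total {r['total_cost']:,.0f}, payout {r['payout']:,.0f}, "
              f"out of pocket {r['out_of_pocket']:,.0f}, cap hit: {r['hit_cap']}")
```

On the median scenario the 400,000-euro claim yields a 300,000-euro payout, not 370,000: the five waiting days remove 70,000 euros of business interruption before the deductible is even applied. On the severe scenario the cap binds and 950,000 euros stay with the company, fines included.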
The Post-Claim Vicious Cycle
After a ransomware claim, the company faces a vicious cycle:
- It needs its insurance to absorb the financial shock.
- The insurer raises the premium (or refuses to renew).
- The company must invest heavily in security to obtain a new policy at acceptable terms.
- These investments add to the incident's total bill.
This is why insurers increasingly demand evidence of prevention before the incident, not just corrective measures after. A documented phishing awareness program with measurable results is among the underwriting criteria of most French insurers.
Prevention vs. Attack Cost: The Numbers Speak for Themselves
Let's put the figures side by side for an SMB of 100 employees with 15 million euros in annual revenue.
Annual Prevention Program Cost
| Measure | Annual Cost |
|---|---|
| Offline backups (3-2-1 rule) | 3,000 - 8,000 euros |
| EDR on all endpoints | 4,000 - 10,000 euros |
| MFA on all access points | 2,000 - 5,000 euros |
| Next-generation firewall | 3,000 - 8,000 euros |
| Phishing awareness (platform + simulations) | 2,400 - 6,000 euros |
| Annual security audit | 8,000 - 20,000 euros |
| Cyber insurance | 3,000 - 8,000 euros |
| Disaster recovery plan (setup + annual test) | 5,000 - 15,000 euros |
| Total | 30,400 - 80,000 euros |
Ransomware Attack Cost (Median Scenario)
| Item | Estimated Cost |
|---|---|
| Forensic investigation | 50,000 - 120,000 euros |
| Incident response | 30,000 - 80,000 euros |
| Business downtime (15 days) | 300,000 - 600,000 euros |
| System rebuilding | 80,000 - 200,000 euros |
| Legal fees (CNIL notification, counsel) | 20,000 - 60,000 euros |
| Crisis communications | 10,000 - 30,000 euros |
| Customer loss (12 months) | 50,000 - 200,000 euros |
| Insurance premium increase (3 years) | 15,000 - 50,000 euros |
| Post-incident security investments | 80,000 - 200,000 euros |
| Total | 635,000 - 1,540,000 euros |
The ratio is clear: the cost of prevention represents 2 to 13% of the cost of an attack. Even pairing the cheapest attack (635,000 euros) with the most expensive prevention program (80,000 euros), investing in security costs about 8 times less than suffering a ransomware attack; pairing the most expensive attack (1,540,000 euros) with the cheapest program (30,400 euros), about 50 times less.
And this calculation does not factor in the cost of bankruptcy (Lise Charmel, Clestra), which makes the ratio effectively infinite.
The Financial Anatomy of an Attack: Where the Money Goes
To understand why the numbers are so high, it helps to walk through how a ransomware attack unfolds and when each cost line materializes.
Phase 1: Intrusion (Day -30 to Day 0)
The attacker is often present in the network for several weeks before triggering encryption. During this "dwell time" phase, they map the network, escalate privileges, identify backups (to delete them), exfiltrate data, and prepare the ransomware deployment.
Cost at this stage: zero euros on the books (the company does not yet know it has been compromised). But this is the phase where the coming damage is being set up. A properly configured EDR or an attentive SOC could have detected the intrusion and stopped it before encryption. Note that the deletion of backups and shadow copies usually comes minutes before encryption, as the last step of staging; the detection opportunity that actually averts the damage lies in the preceding weeks of reconnaissance, privilege escalation, and exfiltration.
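As an added example (not the article's code, nor any EDR vendor's logic), here is the kind of last-chance detection a SOC would run over process-creation events at the end of this phase, when the attacker turns on the backups. The log format (`<iso timestamp> host=<name> user=<account> cmd=<command line>`) and every line in `SAMPLE_LOG` are constructed for the example; the commands matched are the standard pre-encryption precursors (shadow-copy and backup-catalog deletion, disabling Windows recovery, stopping backup services), not anything taken from the cases discussed in this article.

```python
"""Added example: flag ransomware staging in process-creation events.

Not from the article or any product. The log format and SAMPLE_LOG are
constructed; the matched commands are well-known pre-encryption precursors.
"""
import re
from datetime import datetime, timedelta

# (rule name, pattern over the command line, severity)
PRECURSOR_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "critical"),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "critical"),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "critical"),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I), "high"),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I), "high"),
    ("backup_service_stopped", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(veeam|backup|sql)", re.I), "high"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: a Friday evening (2024-03-15) and the following Saturday night.
SAMPLE_LOG = """\
2024-03-15T09:12:44 host=WS-042 user=ACME\\jdupont cmd=C:\\Windows\\System32\\notepad.exe report.txt
2024-03-15T21:03:10 host=SRV-FILE01 user=ACME\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2024-03-15T21:03:12 host=SRV-FILE01 user=ACME\\svc_backup cmd=wbadmin delete catalog -quiet
2024-03-15T21:03:15 host=SRV-FILE01 user=ACME\\svc_backup cmd=bcdedit /set {default} recoveryenabled No
2024-03-16T02:40:00 host=SRV-DC01 user=ACME\\adm_it cmd=net stop VeeamBackupSvc
2024-03-18T10:15:00 host=WS-017 user=ACME\\mlefevre cmd=C:\\Program Files\\Office\\excel.exe budget.xlsx
""".splitlines()


def parse_event(line: str):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside 07:00-20:00 on a weekday: the detonation window the article describes."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 20


def scan(lines) -> list:
    """Return one alert per event whose command line matches a precursor rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern, severity in PRECURSOR_RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                               "user": ev["user"], "ts": ev["ts"],
                               "off_hours": is_off_hours(ev["ts"]), "cmd": ev["cmd"]})
                break  # one alert per event
    return alerts


def correlate(alerts, window_minutes: int = 10) -> dict:
    """Per host: two or more distinct precursor rules inside the window means the
    attacker is staging encryption and detonation is imminent, not weeks away."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: a["ts"])
        span = evs[-1]["ts"] - evs[0]["ts"]
        distinct = sorted({a["rule"] for a in evs})
        findings[host] = {
            "alerts": len(evs),
            "rules": distinct,
            "staging": len(distinct) >= 2 and span <= timedelta(minutes=window_minutes),
        }
    return findings


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']} {a['rule']}"
              f"{' (off-hours)' if a['off_hours'] else ''}: {a['cmd']}")
    for host, f in correlate(found).items():
        print(f"{host}: {f['alerts']} alert(s), staging={f['staging']}")
```

On the sample, the file server raises three distinct precursors within five seconds on a Friday evening, which `correlate` reports as staging: at that point the right response is to isolate the host and the backup account immediately, not to open a ticket for Monday. A single `net stop` on the domain controller is flagged but not escalated, because one command from an admin account has benign explanations.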
Phase 2: Detonation (Day 0)
The ransomware is triggered, often on a Friday evening or weekend to maximize the window of action before detection. Within hours, hundreds or thousands of machines are encrypted. The ransom note appears.
Immediate costs: emergency IT callout, leadership mobilization, engagement of an incident response provider. The first 48 hours cost between 20,000 and 80,000 euros in emergency services alone.
Phase 3: Containment (Day 1 to Day 5)
The company isolates compromised systems, cuts network access, and activates (if it has one) its business continuity plan. Commercial activity is at a standstill or severely reduced.
Costs: full-rate revenue loss (daily revenue x number of days), IT overtime, initial provider fees.
Phase 4: Investigation (Day 5 to Day 20)
The forensic investigation establishes the entry vector, the extent of the compromise, and the volume of exfiltrated data. The CNIL notification runs in parallel rather than after it: the 72-hour clock starts at discovery of the breach (Day 0), so the initial notification is filed during containment with what is known at that point and completed in stages as the forensic findings come in (the GDPR allows phased notification).
Costs: forensics (30,000 - 150,000 euros), legal counsel, CNIL notification, initial contact with affected individuals.
Phase 5: Rebuilding (Day 10 to Day 60)
IT rebuilding begins in parallel with the investigation. New servers, new Active Directory, workstation reinstallation, data restoration from backups (if available).
Costs: hardware, licenses, rebuilding contractors, IT overtime. This is the longest and most labor-intensive phase.
Phase 6: Return to Normal (Day 30 to Day 180)
The company gradually resumes normal operations, but the aftereffects linger: lost data, customers to win back, insurance premiums to renegotiate, security investments to make.
Costs: customer attrition, premium increases, security investments, ongoing legal costs, productivity impact.
The Human Factor: Primary Vector, Best Defense
More than 55% of ransomware attacks start with a phishing email (CESIN 2025). An employee clicks a link, opens an attachment, or enters credentials on a fake site. From that point, the attacker has a foothold in the network.
This is both the bad news and the good news. The bad: your security depends on every employee's behavior, every day. The good: it is the vector over which you have the most control with the best cost-to-impact ratio.
What the Data Says About Awareness Training
The Hiscox Cyber Readiness Report 2025 indicates that companies with a documented awareness program experience 32% fewer incidents than those without one. The report also notes that companies classified as "experts" in cybersecurity spend an average of 24% of their IT budget on security, compared to 14% for those classified as "novices."
Data from KnowBe4 (Phishing Industry Benchmarking Report 2025) shows that the average click rate on phishing simulations drops from 34% before training to 4.6% after 12 months of a program - an 86% reduction. For sector-by-sector benchmarks: Phishing Click Rate: Industry Benchmarks.
The Cost of Awareness Training: Trivial Compared to the Risk
A phishing simulation platform costs between 2 and 5 euros per employee per month. For a 100-employee company, that is 2,400 to 6,000 euros per year.
Compare this with the cost of the attack vector this measure helps block: ransomware that enters via phishing costs between 250,000 and several million euros. Against the low end, the ratio is at least 1 to 40; against a multi-million-euro incident it runs well past 1 to 100.
Awareness training does not make a company invulnerable. No single security measure does. Reducing the click rate from 34% to 5% divides by seven the probability that a given employee clicks a given phishing email. Against a campaign sent to all 100 employees, a 5% rate still yields a handful of clicks, which is why the reporting rate (one early report lets the SOC act before the others click) and the controls behind the click (MFA, EDR, segmentation) matter as much as the rate itself. It remains the measure with the best cost-to-risk-reduction ratio available on the market.
ANSSI Recommendations for Ransomware Protection
ANSSI publishes a best-practice guide specifically dedicated to ransomware, available at cyber.gouv.fr. Here are the priority measures, with approximate costs for an SMB.
The 10 Priority Measures
1. Tested offline backups: the 3-2-1 rule (3 copies, 2 media types, 1 offsite). At least one copy must be offline or immutable, so that an attacker holding domain admin rights cannot delete it along with everything else. Test restoration at least once per quarter. Cost: 3,000 - 8,000 euros/year.
2. Security patches within 72 hours for critical vulnerabilities. Ransomware operators exploit known flaws for which a patch already exists, and the window between patch release and exploitation is shrinking (sometimes to 48 hours). Cost: internal time.
3. Multi-factor authentication on all remote access (VPN, webmail, cloud applications). MFA blocks over 99% of credential compromise attacks. Cost: 2,000 - 5,000 euros/year.
4. Network segmentation: separating environments (production, office, backups) to limit lateral movement. Cost: 10,000 - 50,000 euros (setup) + maintenance.
5. EDR on all endpoints: traditional antivirus is no longer sufficient. EDR detects suspicious behavior, not just known signatures. Cost: 4,000 - 10,000 euros/year for 100 endpoints.
6. Employee awareness training: regular phishing simulations, micro-learning modules, reporting procedures. Cost: 2,400 - 6,000 euros/year for 100 employees.
7. Documented incident response plan: who does what, when, and how. Tested at least once per year via a tabletop exercise. Cost: 5,000 - 15,000 euros (drafting + annual test).
8. Privileged access management: limit the number of admin accounts, secure admin access with dedicated accounts and enhanced MFA. Cost: 5,000 - 20,000 euros/year.
9. Email filtering: anti-spam and anti-phishing solution on the mail system. Cost: 2 - 5 euros/user/month.
10. Vulnerability monitoring: subscribe to ANSSI bulletins (CERT-FR) to stay informed about new threats. Cost: free.
Total Prevention Cost
Adding up all 10 measures, the annual prevention budget for a 100-employee SMB falls between 40,000 and 120,000 euros in the first year (including setup investments) and between 25,000 and 70,000 euros in subsequent years (recurring costs).
That is between 3 and 8% of the median cost of a ransomware attack. Or between 0.2 and 0.8% of revenue for an SMB generating 15 million euros. An investment any CFO should consider reasonable given the risk. To build the business case: Cybersecurity Awareness ROI: How to Convince Your Management.
Most Targeted Sectors in France
Every sector is affected by ransomware, but some are overrepresented in French statistics.
Healthcare
The healthcare sector accounts for a disproportionate share of ransomware attacks in France. ANSSI recorded 10 major healthcare facilities victimized by ransomware in 2022 (compared to 3 in 2020). CHSF Corbeil-Essonnes, the CHU de Versailles, the hospital in Dax, the CH de Villefranche-sur-Saone - the list is long.
The reasons: aging IT systems, limited IT budgets (1 to 2% of the overall budget, compared to 5 to 8% in the private sector), mission-critical operations (a hospital cannot "close" during a crisis), and health data that commands high prices on the black market.
Local Government
Local authorities are the second most targeted category. The city of Angers, the city of Chalon-sur-Saone, the Castres-Mazamet metropolitan area, the Sarthe departmental council - every year, French local governments are hit.
The same vulnerability factors as in healthcare: heterogeneous systems, constrained budgets, undertrained staff, and a broad attack surface (public websites, online public services).
Manufacturing SMBs
Manufacturing SMBs are targeted for two reasons: they are heavily dependent on their information systems (ERP, production management, industrial control) and they rarely have a dedicated cybersecurity team. A production shutdown has an immediate and measurable financial impact.
Financial and Legal Services
Accounting firms, law firms, and asset management companies handle financial and personal data of high value. A ransomware attack with data exfiltration in these sectors can have devastating regulatory and reputational consequences.
Building a Realistic Cybersecurity Budget
The figures presented in this article provide the foundation for a solid business case for a cybersecurity budget. Here is how to structure the request.
The Reference Framework
- Recommended cybersecurity budget: 5 to 10% of the IT budget (source: Gartner). For an SMB whose IT budget represents 3 to 5% of revenue, that means 0.15 to 0.5% of revenue.
- Median cybersecurity budget in France: 6.1% of the IT budget according to the CESIN 2025 barometer. Companies classified as "experts" by Hiscox allocate 24%.
- Average ransomware cost: between 250,000 and 4.7 million euros depending on company size and attack severity.
The Prioritization Matrix
Not all measures deliver the same cost-to-effectiveness ratio. Here is how to prioritize based on available budget.
Minimum budget (20,000 - 30,000 euros/year):
- Tested offline backups
- MFA on all remote access
- Security patches within 72 hours
- Basic phishing awareness
Intermediate budget (40,000 - 80,000 euros/year):
- Everything in the minimum budget, plus:
- EDR on all endpoints
- Cyber insurance
- Annual security audit
- Monthly phishing simulations
Full budget (80,000 - 150,000 euros/year):
- Everything in the intermediate budget, plus:
- Outsourced SOC or managed detection service
- Network segmentation
- Tested disaster recovery plan
- Annual crisis exercise
The Argument That Works in the Boardroom
Do not present cybersecurity as a cost. Present it as insurance backed by data. Show the average ransomware cost for a company your size. Show the probability of being hit (57% of SMBs within 12 months according to Hiscox 2025). Multiply the two. Compare with the budget you are requesting.
If your SMB generates 15 million euros in revenue, the attack probability is 57%, and the median cost is 400,000 euros, the expected loss is 228,000 euros per year (0.57 x 400,000). A prevention budget of 50,000 euros that reduces this probability by 60% (via concrete measures) avoids 136,800 euros of expected loss, a net gain of 86,800 euros, or an ROI of 174%. No need to round the numbers - they hold up on their own.
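The same arithmetic, carried through as an added example (not part of the original article) with two things the paragraph does not show: the break-even reduction at which the budget pays for itself, and a sensitivity sweep over the reduction assumption. The 57%, 400,000 and 50,000 euro figures are the article's; the 60% reduction is the article's assumption, and the other reduction levels are added for comparison.

```python
"""Added example: expected annual loss and prevention ROI, with break-even and sensitivity.

Inputs are the article's figures (57% probability, 400,000 euro median cost,
50,000 euro budget). The risk-reduction values are assumptions to be justified
by the measures actually funded.
"""


def expected_annual_loss(probability: float, median_cost: float) -> float:
    """Annualised loss expectancy: probability of an incident in the year times its cost."""
    return probability * median_cost


def prevention_roi(probability: float, median_cost: float,
                   budget: float, risk_reduction: float) -> dict:
    """Avoided loss, net gain and ROI for a budget that cuts the incident
    probability by `risk_reduction` (0.6 = the probability drops by 60%)."""
    avoided = expected_annual_loss(probability, median_cost) * risk_reduction
    net = avoided - budget
    return {"avoided_loss": avoided, "net_gain": net, "roi": net / budget}


def break_even_reduction(probability: float, median_cost: float, budget: float) -> float:
    """Smallest probability reduction at which the budget exactly pays for itself."""
    eal = expected_annual_loss(probability, median_cost)
    return budget / eal if eal > 0 else float("inf")


def sensitivity(probability: float, median_cost: float, budget: float,
                reductions=(0.2, 0.4, 0.6, 0.8)) -> dict:
    """ROI at several assumed reduction levels, to show how much the case depends on the assumption."""
    return {r: prevention_roi(probability, median_cost, budget, r)["roi"] for r in reductions}


if __name__ == "__main__":
    p, cost, budget = 0.57, 400_000, 50_000
    print(f"Expected annual loss: {expected_annual_loss(p, cost):,.0f} euros")
    print(f"Break-even reduction: {break_even_reduction(p, cost, budget):.1%}")
    for r, roi in sensitivity(p, cost, budget).items():
        print(f"  reduction {r:.0%}: ROI {roi:.0%}")
```

The useful number for the boardroom is the break-even: with these inputs the 50,000-euro budget pays for itself as soon as the measures cut the probability by about 22%, far below the 60% assumed above. The sweep also shows where the argument is fragile: at a 20% reduction the ROI turns slightly negative, so the reduction claimed must be tied to specific measures rather than asserted.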
What Ransomware Has Cost France: An Attempted National Estimate
Nobody knows the total cost of ransomware to the French economy. ANSSI does not publish an aggregate figure. CESIN surveys its members but cannot extrapolate to the entire economy. Insurers report only declared claims (and many companies are not insured).
Some framing data points:
- 330,000 attacks targeted French SMBs in 2024 (Cybermalveillance.gouv.fr estimate).
- If 10% of these attacks involve ransomware (CESIN proportion), that gives 33,000 ransomware incidents per year.
- With a median cost of 250,000 euros per incident for an SMB, the total cost would be in the range of 8 billion euros per year.
This is a rough estimate, but it provides an order of magnitude. For comparison, the French cybersecurity market (products and services sold) represents approximately 5 billion euros in 2025. The French economy may well be spending more on suffering attacks than on defending against them.
What Is Changing in 2026: NIS2, DORA, and the Regulatory Tightening
The regulatory framework is tightening, which will mechanically increase costs for non-compliant companies that suffer a ransomware attack.
NIS2
The NIS2 directive, transposed into French law, extends cybersecurity obligations to a much broader set of companies. "Essential entities" and "important entities" (defined by sector and size) must:
- Implement cybersecurity risk management measures.
- Notify ANSSI of incidents within 24 hours (alert) and 72 hours (full report).
- Secure their supply chain.
- Train their personnel.
Penalties for non-compliance can reach 10 million euros or 2% of global revenue for essential entities, and 7 million euros or 1.4% of revenue for important entities.
For a company hit by ransomware that had not implemented NIS2 measures, regulatory penalties stack on top of the incident costs. The combined GDPR + NIS2 exposure can exceed the cost of the attack itself.
DORA
The DORA regulation (Digital Operational Resilience Act), in force since January 2025, imposes digital resilience obligations on the financial sector. Banks, insurers, asset managers, and their critical IT providers must test their ability to withstand cyberattacks, including, for the entities designated by their supervisor, threat-led penetration testing (TLPT).
For SMBs that serve the financial sector, DORA means reinforced security requirements imposed by their clients. Failing to meet them means losing contracts.
FAQ
What is the average cost of a ransomware attack in France?
The average cost ranges from 250,000 to 4.7 million euros depending on company size. For an SMB of 50 to 250 employees, the typical range is 250,000 to 800,000 euros including business downtime, forensic fees, restoration, and legal consequences. The IBM Cost of a Data Breach 2025 report puts the global average cost of a ransomware incident at $5.08 million. Published French cases range from 7-10 million euros for CHSF to 220 million euros for Saint-Gobain.
Should you pay the ransom during a ransomware attack?
ANSSI (France's national cybersecurity agency) strongly advises against payment. According to Coveware, 20 to 30% of companies that pay never recover all their data. The Verizon DBIR 2025 indicates that 64% of victims now refuse to pay. Payment funds criminal groups and marks you as a willing payer. The LOPMI law does not prohibit payment but makes it conditional on filing a police report within 72 hours. The strongest position is to invest in tested offline backups so the question never arises.
How long does it take to recover from a ransomware attack?
The average recovery time is 23 days according to Coveware, but disparities are wide. Manutan took 10 days for basic order access and several months for full rebuilding. CHSF Corbeil-Essonnes operated in degraded mode for several months. For SMBs with a tested recovery plan and offline backups, recovery can shrink to 3-5 days. Without preparation, expect 4 to 8 weeks.
Does cyber insurance cover ransomware attacks?
Partially. Incident response, notification, and restoration costs are generally covered, with deductibles of 15,000 to 100,000 euros for SMBs. Ransom payment coverage depends on the policy (some include it under the LOPMI condition, others exclude it). CNIL fines are never insurable. Gross negligence (no MFA, untested backups) can result in claim denial. The French market represents 317 million euros in premiums in 2024 (AMRAE LUCY 2025 report).
How can an SMB reduce its ransomware risk?
Five priority measures: (1) tested offline backups on a quarterly basis, (2) MFA on all remote access, (3) security patches within 72 hours for critical vulnerabilities, (4) phishing awareness training with regular simulations (phishing is the initial vector in over 55% of cases), (5) a tested incident response plan. The total budget for these 5 measures falls between 20,000 and 50,000 euros per year for a 100-employee SMB, or 3 to 8% of the median ransomware cost.
Which French companies have been hit by ransomware?
The most well-documented public cases in France: Saint-Gobain (220M euros in lost revenue from NotPetya, 2017), Sopra Steria (50M euros in impact from Ryuk, 2020), Manutan (20M euros total cost from DarkSide, 2021), CHSF Corbeil-Essonnes (months of degraded operations from LockBit, 2022), Lise Charmel (judicial liquidation following the attack, 2019-2020), Clestra Hauserman (receivership, 2022). In addition to these, hundreds of SMBs whose cases are never made public.
Conclusion: The Cost of Inaction Always Exceeds the Cost of Prevention
The figures in this article converge on a simple reality: ransomware costs hundreds of thousands of euros for an SMB and tens of millions for a large corporation. The ransom itself is only the visible tip. Business downtime, system rebuilding, legal fees, customer loss, and team burnout make up the bulk of the bill.
The cases of Lise Charmel and Clestra show that ransomware can kill a company. Not because the ransom was too high, but because the company could not hold out during the weeks of rebuilding. Tested backups, a recovery plan, an awareness program - these measures would have cost a fraction of the final bill.
The math is laid out. A full prevention program costs between 30,000 and 80,000 euros per year for a 100-employee SMB. A ransomware attack costs between 250,000 and 1.5 million euros. The ratio is roughly 1 to 3 at minimum (80,000 against 250,000) and 1 to 50 in serious cases (30,000 against 1.5 million).
This is not a question of budget. It is a question of priorities. And the French companies that survive ransomware are the ones that invested before the attack - not those that spend after.
To start with the measure offering the best cost-to-impact ratio, assess your phishing exposure with an initial simulation campaign. It is the number one entry vector for ransomware, and it is the factor over which you have the most control.