The company arrived at this figure based on an estimate from the Aberdeen Group, a consultancy, that an hour of inactivity costs small companies an average of $8,581 per hour. By comparison, Datto’s survey indicated that about three-quarters of the IT professionals said the ransoms paid were somewhere between $100 and $2,000. Overall, Datto estimates that $375 million has been paid out in ransoms in the past year, making lost productivity the much bigger concern.

Joe Gleinser, the president of GCS Technologies, an Austin-based IT support and services company, walked me through just how time-consuming it is for companies to deal with ransomware attacks, which generally starts with the appearance of “unusually named files” or files that suddenly can’t be accessed. “Locking the network down”—freezing some or all of a company’s systems—is typically the first step after the attack is recognized, in an effort to stop the damage and look for fixes.

“So that’s productivity hit number one,” he said. For a small business, that can mean an entire operation; for a larger one, it could mean a section or a division. “Obviously in certain industries that’s a lot more painful,” Gleinser added. “In health care, that can mean patients going untreated. If you don’t have that information, you don’t know what drugs were prescribed and sometimes it’s tough to make decisions.” Earlier this year, operations at a Los Angeles hospital came to a near halt, leaving staff to use faxes and paper notes to communicate before a $17,000 ransom was paid.

If a business has a well-maintained back-up system in place, data may be restored with only some small delays and limited expense. Should a sufficient back-up not be possible and should the inaccessible files be deemed important enough, the second step is paying the ransom, a practice that the FBI discourages, but says is not illegal under most circumstances.

“Paying the ransom is tricky business,” said Gleinser. “You’re dealing with criminals.” While many ransomers operate quickly, even attentively, that is not always the case. Datto’s survey found that 7 percent of IT professionals reported incidents where data was not restored even after a ransom was paid.

But even paying the ransom can be tricky. “If you don’t have Bitcoin right now, you’re probably not going to get it before the timer expires on the infection,” Gleinser said. “Many of these infections, as soon as you start the process to engage with the ransomer … you have about 48 hours before the data is non-recoverable to encourage you to move quickly.”

As one cybersecurity company executive told Business Insider last month, banks have started to keep tens of thousands of dollars in Bitcoin ready in case of an attack. “Buying bitcoin on any one of the U.S. exchanges is a three-to-five day wait time, so we’ve been forced into the position of having to stock bitcoin as if it were computer equipment and have it ready for our use,” Gleinser added. And even if a company is prepared to pay, when the deadline arrives, the price can jump, sometime double, triple, or even quadruple, or the data can be rendered permanently unrecoverable. “We’ve seen some clients who had paid the ransom and then immediately get attacked again,” he added.