When businesses are hit with ransomware, it’s not just the ransom amount that could financially hurt. The time spent trying to get systems back online and the potential revenue lost in the meantime make a lasting impact, too.

Major cyberattacks like WannaCry have put ransomware — known as malware that locks down computers until money is sent — top of mind for businesses. But smaller, more targeted ransomware attacks can also do considerable damage to small businesses.

According to a report from Osterman Research — conducted in June among more than 1,00 small and medium businesses and released this week — about 22% of businesses with fewer than 1,000 employees that experienced a ransomware attack in the last year had to stop business operations immediately. About 15% lost revenue.

On average, small companies lost over $100,000 per ransomware incident due to downtime. For one in six organizations, these attacks caused 25 hours or more of downtime.

Adam Kujawa, head of malware intelligence at security firm Malwarebytes, which sponsored the report, said small businesses are particularly impacted by these events.

“A large organization like Target could bounce back from a ransomware attack, but for a very small one, where all the information is lost, it’s a lot harder for them to [rebound],” Kujawa said.

Personal information from customers and financial data stored on computers that aren’t backed up can be lost when ransomware strikes.

Some companies also face fines from the government if data is breached and leaked online. Last year, Adobe was fined $1 million for a 2013 data breach.

Large corporations experienced financial loss in the wake of the global WannaCry and NotPetya cyberattacks, too. For example, FedEx’s TNT shipping unit was hit with NotPetya malware in July. FedEx said the impact of the cyberattack “will likely be material,” indicating it will have a financial impact on its bottom line. The company said it won’t be able to fully restore all systems impacted by the virus.

Ransomware can get onto people’s computers in different ways, such as clicking on a bad link in an email or downloading something that contains malicious code.

“Our operating systems and our computer technology has evolved a lot over the last 10 years,” Kujawa said. “The attacks aren’t necessarily against computer vs computer anymore; it’s the cybercriminals versus the user. And human vulnerabilities are something you can’t patch.”

To protect themselves from ransomware, companies should ensure systems are up to date, run anti-virus software and are frequently backed up. Employees should also know how to identify suspicious emails or links and report them to IT departments.