What ransomware actually is
Ransomware is a type of malicious software that encrypts files on a computer or network, making them completely inaccessible. Once the encryption is complete, the attacker displays a ransom note demanding payment — usually in cryptocurrency — in exchange for the decryption key. Without that key, your files are scrambled and unreadable.
Think of it like someone changing every lock in your office overnight, then sliding a note under the door offering to sell you the new keys.
The encryption used in modern ransomware is the same grade used by banks and governments. There is no shortcut to break it. If you do not have a backup and you do not pay, the files are gone permanently.
How ransomware spreads
Ransomware does not appear out of thin air. It enters your environment through one of a few well-documented paths.
Phishing emails
The most common entry point. An employee receives an email that looks legitimate — a fake invoice, a shipping notification, a password reset request. They click a link or open an attachment, and the ransomware begins executing. Modern phishing emails are convincing enough to fool experienced professionals.
Exposed Remote Desktop Protocol (RDP)
Many small businesses use Remote Desktop Protocol to let employees access work computers from home. If the RDP port (3389) is exposed to the internet without proper safeguards, attackers can find it using automated scanning tools and brute-force the login credentials. Once they are in, they deploy the ransomware manually, often after spending days mapping your network.
Supply chain compromise
Sometimes the ransomware comes through a trusted software vendor. A managed service provider or a business application gets compromised, and the attackers push ransomware to every customer connected to that platform. This is how some of the largest ransomware incidents in history have occurred.
Exploited vulnerabilities
Unpatched software with known security flaws is an open invitation. Attackers scan the internet for servers running outdated software and exploit those vulnerabilities to gain access. Once inside, deploying ransomware is straightforward.
What happens during an attack
The attack typically unfolds in stages, not all at once.
Stage 1: Initial access
The attacker gains a foothold — usually through one of the methods described above. At this point, they have access to one machine or one account.
Stage 2: Lateral movement
Before encrypting anything, sophisticated attackers move through your network. They escalate their privileges, access additional systems, and identify your most valuable data. This phase can take hours or weeks depending on the attacker.
Stage 3: Data exfiltration
Many modern ransomware operators steal a copy of your data before encrypting it. This enables a double extortion scheme — even if you restore from backups, they threaten to publish your sensitive data unless you pay.
Stage 4: Encryption
The ransomware executes across every system the attacker can reach. Files are encrypted, backups that are connected to the network are encrypted, and a ransom note appears on every affected machine.
Stage 5: The demand
You receive instructions for payment, typically demanding tens of thousands of dollars in cryptocurrency. There is usually a deadline after which the ransom increases or the decryption key is deleted.
To pay or not to pay
This is the hardest question businesses face during an attack. Here is the reality of both options.
Arguments for paying
Some businesses pay because they cannot afford the downtime. A week of lost operations could cost more than the ransom. In some cases, the attackers do provide a working decryption key.
Arguments against paying
Paying funds criminal organizations and makes you a known payer — increasing the likelihood of being targeted again. The FBI recommends against paying. There is no guarantee the decryption key will work. In some cases, the decryption process is so slow that restoring from backups would have been faster.
The practical answer
The best answer is to never be in a position where paying is your only option. That means having a backup strategy that works even when ransomware has encrypted everything on your network.
The backup strategy that actually works
The gold standard is the 3-2-1 backup rule, and it is not complicated.
Three copies of your data
Your live data plus two backups. If one backup fails or gets encrypted, you still have another.
Two different storage types
Keep backups on at least two different types of media. For example, a local backup drive and a cloud backup service. This protects against a failure that affects one type of storage.
One copy offsite
At least one backup must be physically or logically separated from your network. This is the critical piece. If your backup drive is connected to the same network as your computers, ransomware will encrypt it too.
Air-gapped or immutable backups
The most reliable protection against ransomware is a backup that cannot be modified or deleted from your network. Cloud backup services that offer immutable storage — where backups cannot be altered for a set retention period — provide this protection. An external hard drive that is disconnected after each backup serves the same purpose, though it requires discipline to maintain.
Test your restores
A backup you have never tested is not a backup. Schedule quarterly restore tests where you actually recover files from your backups and verify they work. Many businesses discover their backups are incomplete or corrupted only when they desperately need them.
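One way to make a restore test repeatable rather than a once-a-quarter eyeball check is to record a checksum manifest when the backup is taken and compare every restored file against it. The script below is an added example written for this article, not code from the original page: it builds a small constructed "live" data set in a temporary directory, backs it up with a SHA-256 manifest, restores it, and then shows what the same check reports once a backup has been reached by ransomware (one file overwritten with random bytes, one renamed with a `.locked` extension). File names and contents are invented for the demonstration.

```python
"""Restore-test helper: record a SHA-256 manifest at backup time, then verify a
restored copy against it. Added example, not code from the original article."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest recorded when the backup was made.

    'changed' catches files overwritten in place (encrypted or corrupted),
    'missing' catches deleted or renamed originals, and 'unexpected' catches
    new files such as the '.locked' copies many ransomware families leave behind.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def run_restore_test() -> dict:
    """End-to-end demo on constructed sample data inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restore")
        manifest_path = Path(tmp, "manifest.json")

        # Constructed sample files standing in for client data (not real data).
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme.txt").write_text("invoice 1001\n")
        (live / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")

        # Backup step: copy the tree and store the manifest next to it.
        shutil.copytree(live, backup)
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))

        # Restore step: a clean restore should match the manifest exactly.
        shutil.copytree(backup, restore)
        manifest = json.loads(manifest_path.read_text())
        clean = verify_restore(restore, manifest)

        # Simulate a backup that ransomware reached: one file overwritten with
        # random bytes, one renamed with a '.locked' suffix. The check must flag both.
        (restore / "ledger.csv").write_bytes(os.urandom(64))
        (restore / "clients" / "acme.txt").rename(restore / "clients" / "acme.txt.locked")
        damaged = verify_restore(restore, manifest)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The manifest should be written to a location the backup job cannot later overwrite (the same immutable or offline storage as the backup itself); if an attacker can rewrite both the data and the manifest, the comparison proves nothing. A scheduled restore test then becomes: restore to a scratch location, run `verify_restore`, and treat any non-empty `missing` or `changed` list as a failed backup.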
Why small businesses are targeted more than enterprises
There is a persistent myth that cybercriminals only go after large corporations. The data tells the opposite story. Over 60 percent of ransomware attacks target businesses with fewer than 500 employees. The reasons are straightforward.
Less security infrastructure
Large enterprises have dedicated security teams, intrusion detection systems, and incident response plans. Most small businesses have none of these. The path from initial access to full encryption is shorter and easier.
Higher likelihood of paying
Small businesses often lack the backups and recovery capabilities to restore on their own. They are more likely to pay because the alternative — weeks of downtime or permanent data loss — threatens the survival of the business.
Automated targeting
Modern ransomware operations are industrialized. Attackers use automated tools to scan the internet for vulnerable systems, send phishing emails at scale, and deploy ransomware with minimal manual effort. They are not choosing targets carefully — they are casting a wide net and small businesses make up most of what they catch.
Less likely to involve law enforcement
Small businesses are less likely to report attacks to law enforcement or generate media coverage, which means lower risk for the attacker.
Recovery timeline and costs
The financial impact of a ransomware attack goes far beyond the ransom itself.
Downtime
The average small business experiences 7 to 21 days of significant operational disruption following a ransomware attack. During this time, you may not be able to access client files, process transactions, send emails, or perform core business functions.
Recovery costs
Even if you do not pay the ransom, recovery is expensive. Hiring an incident response firm typically costs between $10,000 and $75,000 for a small business engagement. Rebuilding systems, restoring data, and hardening your environment adds more.
Reputational damage
Clients, patients, and customers lose confidence when their data is compromised. For professional service firms — law offices, accounting practices, medical clinics — the reputational damage can be worse than the financial cost.
Regulatory penalties
Depending on your industry, a ransomware attack that exposes personal data can trigger mandatory breach notifications and regulatory investigations. HIPAA violations can result in fines up to $50,000 per violation.
Prevention checklist
You cannot eliminate the risk of ransomware entirely, but you can reduce it dramatically with straightforward measures.
- Enable multi-factor authentication on every account that supports it, especially email and remote access tools
- Keep all software updated — operating systems, applications, plugins, and firmware
- Close unnecessary ports — RDP (3389) should never be exposed directly to the internet
- Use a password manager and enforce unique passwords for every account
- Train employees on phishing — not with a slide deck once a year, but with realistic simulations that measure click rates
- Implement email authentication — configure SPF, DKIM, and DMARC on your domain
- Segment your network so that a compromised workstation cannot reach your backup server
- Deploy endpoint protection that includes behavioral detection, not just signature-based antivirus
- Maintain tested, air-gapped backups following the 3-2-1 rule
- Create an incident response plan before you need one — document who to call, what to disconnect, and how to communicate with clients
The cost of doing nothing
Ransomware is not slowing down. Attack volumes increase year over year, ransom demands are rising, and the tools attackers use are becoming more accessible. For small businesses, the question is not whether you will be targeted but whether you will be prepared when it happens.
The businesses that survive ransomware attacks are not the ones with the biggest budgets. They are the ones that had working backups, trained employees, and a plan.
Find out where your business is vulnerable before an attacker does. Run a free security assessment to see what is exposed and what to fix first.