Ransomware isn't just an enterprise problem. Attackers specifically target small businesses because defenses are weaker and the pressure to pay is high. Here's what a real ransomware attack looks like — and what you can do before it happens.
What a ransomware attack actually looks like
Ransomware works like this: an attacker gains access to your network or devices, silently spreads to as many systems as possible, then encrypts your files and demands payment for the decryption key. Many operators now also copy your data out before encrypting it and threaten to publish it if you miss the payment deadline. That second threat matters for planning: restoring from backup gets you running again, but it does not undo the theft.
The attack doesn't start with encryption. It starts weeks or months earlier with initial access: usually a phishing email that tricks an employee into clicking a link or opening an attachment, a remote access service (VPN or RDP) exposed to the internet with a weak or reused password and no MFA, or an unpatched vulnerability in an internet-facing system. Once inside, attackers move quietly: escalating privileges, mapping your environment, locating your backup systems (to destroy them), and staging the encryption payload.
By the time files start getting encrypted, the attacker has already been in your network for a while. The encryption event is the end of a long infiltration process, not the beginning.
Why small businesses are targeted
Small businesses are not beneath the notice of ransomware operators. They're often preferred targets. The economics are favorable: small businesses have fewer security controls, little or no incident response capability, more pressure to restore operations quickly, and are more likely to pay a ransom in the $10,000–$100,000 range than to spend weeks rebuilding.
Industries that are frequently targeted include medical and dental offices (patient data, compliance pressure, operational urgency), financial services (sensitive client data), legal practices (confidentiality obligations), real estate offices, and construction companies (time-sensitive projects). If your business cannot function without access to your files, you are a viable ransomware target.
The rise of Ransomware-as-a-Service has lowered the technical barrier for attackers. Criminal groups now sell or lease ransomware toolkits to affiliate operators who handle the targeting and initial access. This industrialization has dramatically increased the volume of attacks against smaller targets.
The controls that actually prevent ransomware
Offline or immutable backups. The most important ransomware defense is a backup that cannot be encrypted or deleted by an attacker who has already taken over your network. That means at least one copy that is either fully offline (disconnected from your network once the backup completes) or stored in a cloud backup service with immutable retention, meaning write-once storage that nobody, including your own administrator account, can shorten or delete during the retention period. Microsoft 365's built-in retention is not a ransomware backup: it lives inside the same tenant, under the same admin accounts, that the attacker may already control. If your backup can be reached with credentials stolen from your network, the attacker will encrypt or delete it before triggering the encryption; destroying backups is a standard step in the infiltration described above. Finally, test restores on a schedule. A backup you have never restored from is an assumption, not a control.
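The restore test described above, as an added example (not the original article's, and not any vendor's backup tool): it builds a SHA-256 manifest of a constructed sample share, archives it, restores into a scratch directory and compares every file. The manifest is meant to travel with the offline or immutable copy, so an attacker who can rewrite the network-reachable archive cannot also make the restore test pass. Paths, file names and contents are all constructed for the demo.

```python
"""Restore test for a backup set: build a SHA-256 manifest of the source,
archive it, restore to a scratch directory and compare byte-for-byte.
Added example with constructed sample files; not any vendor's backup tool.
The manifest is meant to be kept with the offline/immutable copy, so an
attacker who can rewrite the network-reachable archive cannot also make
the restore test pass."""
from __future__ import annotations

import hashlib
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file in the manifest and return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> list[str]:
    """Restore into dest and return the list of problems; empty means the test passed."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Python 3.12+ (and patched 3.8-3.11) can reject path-traversal members.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    restored = build_manifest(dest)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"modified: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in sorted(restored.keys() - manifest.keys())]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Clean restore test, then the same test after an attacker who reached the
    backup share has replaced the archive with encrypted-looking files."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "shared_drive"  # constructed sample data
        (share / "clients").mkdir(parents=True)
        (share / "clients" / "invoice-001.txt").write_text("constructed sample invoice\n")
        (share / "notes.txt").write_text("constructed sample notes\n")

        archive = root / "backup.tar.gz"
        manifest = make_backup(share, archive)  # manifest goes offline with the copy
        clean = restore_and_verify(archive, manifest, root / "restore-1")

        # Attacker overwrites the network-reachable archive with a backup of the
        # already-encrypted share; the offline manifest still describes the real data.
        encrypted = root / "encrypted_share"
        (encrypted / "clients").mkdir(parents=True)
        junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
        (encrypted / "clients" / "invoice-001.txt.locked").write_bytes(junk(256))
        (encrypted / "notes.txt.locked").write_bytes(junk(256))
        make_backup(encrypted, archive)
        tampered = restore_and_verify(archive, manifest, root / "restore-2")
        return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)        # []
    print("tampered restore problems:", bad)    # missing/unexpected entries
```

The point of the second half of demo() is that the check has to be anchored in something the attacker could not touch. If the manifest sat next to the archive on the same share, it would be rewritten along with it and the restore test would pass against encrypted garbage.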
Endpoint detection and response (EDR). Traditional antivirus catches known malware by signature. EDR tools like Huntress or Microsoft Defender for Business look at behavior instead: a process that is rewriting hundreds of files with scrambled contents and new extensions, lateral movement across the network, privilege escalation, tampering with shadow copies or backup agents. That catches a payload that is new or has been modified to evade signatures. EDR is now practical and affordable for small businesses, with one caveat: an alert nobody reads at 2 a.m. does not stop encryption, so the tool needs someone watching it around the clock, which for most small businesses means a managed service.
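To make the behavioral idea concrete, here is an added example (not from the original article, and not Huntress's or Microsoft's detection logic) of the kind of heuristic an EDR sensor applies: flag any process that, inside a short window, rewrites many files with high-entropy content and changes their extensions. The file-write events, process names and paths are constructed for the demo.

```python
"""Behavioral heuristic of the kind EDR products use to spot an encryption run:
a single process that, inside a short window, rewrites many files with
high-entropy content and changes their extensions. Added example over
constructed events; it is not any vendor's detection logic."""
from __future__ import annotations

import math
import random
from collections import defaultdict
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for uniform random bytes.
    Plain text sits around 4-5; ciphertext (and compressed data) is near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class WriteEvent:
    ts: float        # seconds since start of capture
    pid: int
    process: str
    orig_ext: str    # extension of the file before the write
    path: str        # path after the write (rename included)
    head: bytes      # first bytes written, as a sensor would sample them


def detect_mass_encryption(events, window=60.0, min_files=10, entropy_min=7.0) -> dict[int, str]:
    """Return {pid: process} for every process that produced at least `min_files`
    suspicious writes within any `window`-second span. A write counts only when
    BOTH hold: content is high-entropy AND the extension changed. Requiring both
    avoids flagging Word saving a .docx (a zip container, so high-entropy, but the
    extension is unchanged). Real archivers still need an allowlist in practice."""
    suspicious = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        new_ext = e.path.rsplit(".", 1)[-1].lower() if "." in e.path else ""
        if new_ext != e.orig_ext.lower() and shannon_entropy(e.head) >= entropy_min:
            suspicious[(e.pid, e.process)].append(e.ts)
    flagged = {}
    for (pid, name), times in suspicious.items():
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged[pid] = name
                break
    return flagged


def sample_events() -> list[WriteEvent]:
    """Constructed telemetry: one encryption run plus two benign workloads."""
    rng = random.Random(42)

    def rand(n: int) -> bytes:  # deterministic stand-in for ciphertext / zip data
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    # Word saving three documents: high-entropy zip container, extension unchanged.
    for i in range(3):
        events.append(WriteEvent(5.0 + i, 1001, "WINWORD.EXE", "docx",
                                 f"C:/Shares/Finance/memo{i}.docx", rand(4096)))
    # A sync client rewriting a few renamed cache files: too few to trip the threshold.
    for i in range(3):
        events.append(WriteEvent(20.0 + i, 2002, "sync.exe", "tmp",
                                 f"C:/Users/alice/.cache/blob{i}.bin", rand(4096)))
    # Unknown process renaming and rewriting 12 spreadsheets in 6 seconds.
    for i in range(12):
        events.append(WriteEvent(30.0 + i * 0.5, 4242, "unknown.exe", "xlsx",
                                 f"C:/Shares/Finance/report{i}.xlsx.locked", rand(4096)))
    return events


if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))  # {4242: 'unknown.exe'}
```

The thresholds are the tuning knobs a product exposes in some form: lower `min_files` catches slower encryptors but starts flagging sync clients and archivers, which is exactly why production EDR pairs this kind of heuristic with process reputation and an allowlist.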
MFA on everything that matters. Remote access services (VPN, RDP, remote support tools) without MFA are among the most common ransomware entry points. MFA should be required for Microsoft 365, your remote access solution, and any business application reachable from the internet; prefer an authenticator app or hardware key over SMS codes, which can be intercepted or socially engineered. RDP exposed directly to the internet should be closed rather than merely protected: put it behind a VPN or a remote access gateway that itself enforces MFA.
Patching and vulnerability management. Exploitation of unpatched internet-facing software (VPN appliances, firewalls, remote access tools, email servers) sits alongside phishing and stolen credentials as one of the most common initial access vectors. Windows updates, third-party application patches, and firmware updates should be applied on a schedule rather than deferred indefinitely, and anything reachable from the internet should be patched first; a fix for a vulnerability that is already being exploited should not wait for the monthly cycle.
What to do if you're hit
If ransomware is actively encrypting files on your systems, the immediate priority is containment: disconnect affected systems from the network (unplug the ethernet cable or disable Wi-Fi) before the encryption spreads further. Prefer disconnecting over powering off, because memory may still hold forensic evidence and, for some variants, encryption keys or unencrypted data; if you cannot isolate a machine any other way, powering it off is the lesser evil. Do not wipe or reimage anything yet, and keep a copy of the ransom note and a few encrypted files: they are what identifies the variant.
Contact your IT provider immediately. Do not pay the ransom without consulting legal counsel and your IT provider first — payment does not guarantee decryption, and some ransomware groups are subject to government sanctions that make payment legally risky.
Report the incident. The FBI's IC3, CISA, and your cyber insurance carrier (if you have one) should all be notified. Law enforcement may hold decryption keys for some ransomware variants recovered in previous takedowns, which is another reason to identify the variant from the ransom note and sample files rather than destroying them.
The best position to be in is one where you never have to make the payment decision — because your backups are intact, tested, and accessible. Backups settle the encryption half of the extortion; only keeping the attacker out in the first place settles the data-theft half. That's what good ransomware preparation looks like.
Building a defensible small business environment
You don't need an enterprise security program to be meaningfully protected against ransomware. You need: endpoint protection with behavioral detection on every device, MFA on every account and remote access tool, a tested backup strategy with at least one offline or immutable copy, patching that's consistently applied, and basic phishing awareness training for your staff.
Most small businesses are missing at least two of these. A security review identifies the specific gaps in your environment and gives you a prioritized remediation list — starting with the controls that would have the most impact on your ransomware exposure. Intragreat offers a free security review that covers all of these areas.