Ransomware is malicious software that encrypts your business files and demands payment (a ransom) to unlock them. Small businesses are the most common target because they often lack the security layers that larger companies have, and they are more likely to pay to get their data back quickly.
How Ransomware Works
Ransomware typically enters your network through a phishing email, a compromised website, or an unpatched vulnerability in your software. Once inside, the malware spreads across the infected computer and any connected network drives, encrypting files as it goes. Documents, spreadsheets, databases, images, and backups (if they are accessible on the network) all get locked.
A ransom note then appears on screen demanding payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key. There is typically a deadline, and the attacker threatens to increase the ransom or permanently delete the key if you do not pay in time.
Modern ransomware attacks frequently use a tactic called double extortion. The attacker steals a copy of your data before encrypting it, then demands two payments: one to decrypt your files and another to stop the attacker from publishing your data. This means that even if you have good backups and can restore your files without paying, you still face the threat of sensitive data being leaked.
Typical ransom demands for small businesses range from $10,000 to $250,000 or more, depending on the attacker's assessment of what you can afford.
Why Small Businesses Are Prime Targets
Attackers have figured out the sweet spot: small businesses are big enough to pay meaningful ransoms but small enough to have significant security gaps.
Most small businesses do not have dedicated IT security staff or advanced endpoint protection. Systems are often running outdated software with unpatched vulnerabilities. Backup and recovery plans exist on paper but have never been tested. And when a ransomware attack hits, the pressure to pay is enormous because extended downtime can threaten the survival of the business.
Attackers know all of this. They specifically target small businesses because the return on effort is high. A single phishing email can lead to a six-figure payout.
How Ransomware Gets In (Common Entry Points)
Understanding how ransomware enters your network is the first step to blocking it:
- Phishing emails with malicious attachments or links are the most common entry point. An employee opens a file or clicks a link, and the malware installs silently in the background.
- Remote Desktop Protocol (RDP) exposed to the internet with weak or default credentials. Attackers scan the internet for open RDP ports and brute-force their way in.
- Unpatched vulnerabilities in software, firewalls, or VPN appliances. Known vulnerabilities in widely used products are exploited within days of being disclosed.
- Compromised credentials purchased on the dark web from previous data breaches. If an employee reused a password that was exposed in a breach, attackers buy it and try it against your systems.
- Infected USB drives or personal devices connected to the business network without proper security controls.
Protection Step 1: Implement Strong Email Security
Since phishing is the most common delivery method for ransomware, email security is your first line of defense.
Microsoft Defender for Office 365, included with Microsoft 365 Business Premium, provides Safe Attachments and Safe Links. Safe Attachments opens email attachments in a secure sandbox environment before delivering them to the recipient. If the attachment is malicious, it is blocked before it ever reaches the inbox. Safe Links rewrites URLs in emails and checks them at the moment the user clicks, blocking access to known malicious sites even if the URL was safe when the email was originally sent.
Configure anti-phishing policies in Defender to detect impersonation attempts and flag suspicious emails. These policies catch many ransomware delivery emails before employees ever see them.
Complement your email security with employee training. Even the best filters will miss some phishing emails, so your team needs to know how to recognize them. See our guide on how to recognize a phishing email for practical tips you can share with your staff.
Publish SPF, DKIM, and DMARC records for your email domain so that receiving mail servers can detect and reject messages that forge your domain in phishing campaigns.
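As an added illustration (not code from the article or from any vendor it mentions), here is a small Python audit of the SPF and DMARC records the advice above asks you to publish, flagging the weak settings that let spoofed mail through. The two sample domains and their TXT records are constructed; DKIM is left out because checking it requires knowing the sending selector name.

```python
import re

# Constructed TXT records, as a resolver would return them for a domain and
# its _dmarc subdomain. Swap in live lookups (e.g. dnspython) for real audits.
SAMPLE_RECORDS = {  # domain -> (SPF TXT, DMARC TXT)
    "weak.example": ("v=spf1 include:spf.protection.outlook.com ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 include:spf.protection.outlook.com -all",
                       "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"),
}
# Mechanisms that cost a DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^\+?(include:|exists:|redirect=|a(?=[:/]|$)|mx(?=[:/]|$))")

def check_spf(record):
    """Return findings for an SPF record; an empty list means it is sound."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorises every host on the internet")
    elif last == "~all":
        findings.append("~all is a softfail; many receivers still deliver spoofed mail")
    elif last != "-all":
        findings.append("record does not end in -all, so spoofed mail is not rejected")
    if sum(1 for t in terms if LOOKUP_TERM.match(t.lower())) > 10:
        findings.append("more than 10 DNS lookups: SPF evaluates to permerror")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it is sound."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def audit(domain, records=SAMPLE_RECORDS):
    """Audit both records for one domain in the sample table."""
    spf, dmarc = records[domain]
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}
```

A domain should come out of the audit with an empty list for both records before you consider the spoofing protection in place.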
Protection Step 2: Keep Everything Patched and Updated
Unpatched software is one of the easiest ways for ransomware to enter your network. Every patch you skip is a known vulnerability that attackers can exploit.
Enable automatic Windows updates on all business PCs. For remote workers who are not on the office network, this is especially important since they may miss updates that a local patch management server would push.
Keep third-party software updated as well. Browsers (Chrome, Edge, Firefox), Adobe Reader, Java, and Zoom all receive regular security patches. Outdated versions of these applications are common entry points.
Patch network equipment firmware including routers, firewalls, and wireless access points. These devices sit at the edge of your network and are often forgotten in patching routines.
Replace end-of-life software and hardware that no longer receives security updates. Running Windows 10 after its end-of-life date, for example, means known vulnerabilities will never be patched, leaving your systems permanently exposed.
If your business uses Microsoft 365 Business Premium, Microsoft Intune can enforce update policies across all enrolled devices, ensuring that patches install automatically even on remote laptops.
Protection Step 3: Use Endpoint Protection (Not Just Antivirus)
Traditional antivirus works by scanning files against a database of known malware signatures. Modern ransomware is specifically designed to evade signature-based detection. It changes its code with every attack, encrypts itself to avoid detection, and uses legitimate system tools to carry out malicious actions.
Endpoint Detection and Response (EDR) takes a fundamentally different approach. Instead of just checking files against a list, EDR monitors the behavior of processes running on your computer. If a process starts encrypting files rapidly, disabling backups, or communicating with known command-and-control servers, EDR detects and stops it.
Athencia deploys Microsoft Defender for Business as the endpoint protection foundation on every managed device, then layers Huntress on top to provide a 24/7 SOC with human threat hunters who actively investigate and respond to alerts. Defender handles real-time protection and automated responses; Huntress adds persistent foothold detection, SIEM log analysis, and human-led investigations that catch threats automated tools miss. Other EDR options in the SMB space include SentinelOne and CrowdStrike.
The key point: you need both automated detection and human monitoring. Automated tools catch the obvious threats; human analysts catch the sophisticated ones that know how to blend in.
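To make the behavioural approach concrete, here is an added toy detector (not code from the article, Defender, Huntress or any other product) that applies two of the behaviours named above, rapid re-extensioning of files and deletion of shadow-copy backups, to a constructed stream of endpoint events. The thresholds, window and event format are assumptions for the demonstration.

```python
from collections import defaultdict, deque

RENAME_THRESHOLD = 5      # this many re-extensioned files by one process ...
WINDOW_SECONDS = 10.0     # ... inside this window is treated as mass encryption
# Command-line fragments typical of shadow-copy / backup-catalog destruction
BACKUP_TAMPER = ("delete shadows", "delete catalog", "resize shadowstorage")

# Constructed telemetry: (seconds, pid, image, action, detail). A real EDR
# agent would stream these from kernel file-system and process callbacks.
EVENTS = [
    (0.0, 412, "winword.exe", "file_write", r"C:\Users\amy\Q3-budget.xlsx"),
    (0.5, 300, "explorer.exe", "file_rename", r"C:\Users\amy\draft.tmp -> C:\Users\amy\draft.docx"),
    (1.0, 900, "update.exe", "process_start", "vssadmin delete shadows /all /quiet"),
]
EVENTS += [(2.0 + 0.3 * i, 900, "update.exe", "file_rename",
            rf"C:\Share\doc{i}.docx -> C:\Share\doc{i}.docx.locked") for i in range(6)]

def extension_changed(detail):
    """True when a rename 'old -> new' replaces the file extension."""
    old, new = (p.strip() for p in detail.split("->", 1))
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()

def detect(events):
    """Return alerts (ts, pid, image, reason) for ransomware-like behaviour."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of recent re-extension renames
    for ts, pid, image, action, detail in sorted(events):
        if action == "process_start" and any(s in detail.lower() for s in BACKUP_TAMPER):
            alerts.append((ts, pid, image, "backup tampering: " + detail))
        elif action == "file_rename" and extension_changed(detail):
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:   # drop renames outside the window
                q.popleft()
            if len(q) == RENAME_THRESHOLD:      # fire once as the threshold is crossed
                alerts.append((ts, pid, image,
                               f"{RENAME_THRESHOLD} files re-extensioned within {WINDOW_SECONDS:.0f}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Note that the benign explorer.exe rename never trips the rule; a real EDR would also isolate the host or kill the process rather than only alerting.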
Protection Step 4: Maintain Tested Backups
Backups are your last line of defense against ransomware. If everything else fails, a clean, recent backup means you can restore your data without paying the ransom.
Follow the 3-2-1 backup rule: maintain 3 copies of your data, on 2 different types of media, with 1 copy stored offsite or in the cloud.
At least one backup must be air-gapped or immutable. An air-gapped backup is physically disconnected from your network, so ransomware cannot reach it. An immutable backup cannot be modified or deleted once written, even by an administrator. This is critical because modern ransomware specifically targets and encrypts backup files that are accessible on the network.
Dropsuite provides cloud backup for Microsoft 365 email, OneDrive, and SharePoint, giving you an independent copy of your data that lives outside your Microsoft 365 environment. If ransomware compromises your tenant or an attacker deletes data, Dropsuite lets you restore from a clean backup.
Test your backup restoration regularly. A backup you have never tested is not a backup. At least quarterly, restore a sample of files from your backup to verify that the process works, the data is intact, and you know how long recovery actually takes. Knowing your recovery time objective (RTO) before a crisis hits is far better than discovering it during one.
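An added example (not from the article or from Dropsuite) of what a scripted restore drill can look like: it records a SHA-256 manifest when the backup is taken, restores the files into a scratch directory, verifies each one against its recorded hash, and times the restore so you learn your RTO. All files are constructed in a temporary directory, and one backup copy is deliberately damaged so the drill has something to catch.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir):
    """Hash every file in the backup set and store the manifest beside it."""
    backup_dir = Path(backup_dir)
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p)
                for p in backup_dir.rglob("*") if p.is_file() and p.name != "manifest.json"}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_and_verify(backup_dir, restore_dir, sample=None):
    """Restore the files in the manifest (or a sample of them), check each
    against its recorded hash, and time the restore as an RTO data point."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    names = sample or sorted(manifest)
    start = time.monotonic()
    for rel in names:
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
    elapsed = time.monotonic() - start
    corrupt = [rel for rel in names if sha256_file(restore_dir / rel) != manifest[rel]]
    return {"restored": len(names), "corrupt": corrupt, "seconds": round(elapsed, 3)}

def drill():
    """Run a whole drill on constructed data, including one silently damaged file."""
    root = Path(tempfile.mkdtemp())
    backup, restore = root / "backup", root / "restore"
    backup.mkdir()
    for i in range(3):
        (backup / f"doc{i}.txt").write_text(f"constructed document {i}\n")
    write_manifest(backup)
    # Constructed failure: the backup copy of doc1 was altered after the manifest
    # was written, which a restore test must catch before you rely on it.
    (backup / "doc1.txt").write_text("not the original content\n")
    try:
        return restore_and_verify(backup, restore)
    finally:
        shutil.rmtree(root)
```

Run this quarterly against a sample from your real backup set and keep the "seconds" figure: that number, scaled to your full data volume, is your measured RTO.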
Protection Step 5: Limit Access and Privileges
Ransomware spreads faster and does more damage when the infected account has broad access to files and systems. Limiting privileges reduces the blast radius of an attack.
Remove local admin rights from everyday user accounts. Employees do not need admin privileges for their daily work, and removing those privileges prevents ransomware from making system-level changes on the infected computer.
Apply the principle of least privilege for file share and application access. Users should only have access to the files and systems they need for their job, nothing more.
Segment your network so that an infection on one computer cannot spread to every shared drive and system on your network. At minimum, separate guest Wi-Fi from your business network and isolate critical systems like accounting and HR databases.
Disable Remote Desktop Protocol (RDP) unless it is absolutely necessary. If RDP must be used, protect it with a VPN and require MFA to connect. Exposed RDP is one of the most exploited entry points for ransomware.
What to Do If You Are Hit by Ransomware
If ransomware hits your business, speed and containment are critical. Here is what to do:
- Disconnect infected computers from the network immediately. Unplug the Ethernet cable and disable Wi-Fi. The goal is to stop the ransomware from spreading to other devices and network drives.
- Do not pay the ransom. Payment does not guarantee you will get your data back. It funds future attacks and marks your business as willing to pay, making you a target for repeat attacks.
- Contact your IT provider or MSP immediately. Ransomware response requires expertise in containment, forensics, and recovery. Do not try to handle it alone.
- Report the incident to the FBI's IC3 at ic3.gov and your cyber insurance carrier. Most insurance policies have specific timelines for reporting incidents.
- Begin recovery from clean backups once the infection vector has been identified and contained. Restoring before you know how the ransomware got in risks reinfection.
The best time to prepare for a ransomware attack is before it happens. Having endpoint protection, tested backups, and a basic incident response plan in place turns a potential disaster into a recoverable event.
Need Help?
Ransomware protection requires layers: email security, endpoint protection, backups, patching, and access controls all working together. If you want help assessing your current defenses or building a protection plan for your business, contact Athencia. We help small businesses put the right layers in place before an attack happens.