What every Pittsburgh business owner needs to know about ransomware

Your business runs on data. Your client records, your financial systems, your email, your proposals, your payroll. Ransomware is the threat that locks all of it away and demands payment to give it back. This guide explains how it works, why your business is a target, and what you can do about it today.

What ransomware actually is

Ransomware is a type of malicious software that encrypts your files so you can't open them. Every document, spreadsheet, database, and photo on your network becomes unreadable. Then a message appears on your screen demanding payment, usually in cryptocurrency, in exchange for the key to unlock your data.

Think of it this way. Someone breaks into your office overnight, puts every filing cabinet, every computer, and every backup drive into a vault, changes the combination, and leaves a note on your desk: "Pay $50,000 within 72 hours or everything gets destroyed."

That's ransomware. Except it happens digitally, it happens fast, and it can hit every computer in your network at once.

Modern ransomware doesn't just encrypt your files. It often steals your data first, then threatens to publish it online if you don't pay. This is called "double extortion," and it's now the standard playbook. Even if you have backups, the attackers still hold your sensitive data hostage.

Why small businesses are the primary target

Here's the part most business owners get wrong. You assume criminals go after big companies with big money. They don't. They go after easy targets with weak defenses. That's you.

You're easier to breach

Large companies have dedicated security teams, 24/7 monitoring, and million-dollar budgets. Most small businesses have a firewall they set up three years ago and antivirus that may or may not be current. Attackers know this. They scan for weak points, and small businesses light up like beacons.

You're more likely to pay

A Fortune 500 company can survive a week of downtime. You can't. When your systems go down and every hour costs you revenue, the pressure to pay the ransom is enormous. Attackers count on that urgency. They set the price just low enough that paying feels easier than fighting.

You're worth more than you think

Your client data, financial records, employee Social Security numbers, healthcare information, and banking details are all valuable on the black market. A single small business breach can yield thousands of records worth $10 to $50 each. The data you protect is worth far more than you realize.

You're a gateway to bigger targets

If you work with larger companies, your network is a door into theirs. Attackers compromise small vendors and use that access to reach bigger, more lucrative targets. Some of the largest breaches in history started with a small business that didn't have its defenses in order.

The numbers are honest

According to Verizon's Data Breach Investigations Report, 46% of all cyber breaches hit businesses with fewer than 1,000 employees. The Hiscox Cyber Readiness Report found that 41% of small businesses experienced a cyberattack in the past year. This isn't a distant threat. It's happening to businesses your size, in your region, right now.

How ransomware gets into your business

Ransomware doesn't break through locked doors. It walks through the ones you left open. These are the four most common entry points.

1. Phishing Emails

This is how most attacks start. An employee receives an email that looks legitimate: an invoice from a vendor, a shipping notification, a message from the CEO. They click a link or open an attachment, and malicious software installs silently in the background.

Responsible for over 90% of successful cyberattacks

Modern phishing emails are convincing. They use your company name, your vendors' logos, even your colleagues' email addresses. The days of obvious scam emails with bad grammar are behind us. Today's phishing is targeted, professional, and effective.

2. Exposed Remote Access (RDP)

Remote Desktop Protocol lets your team connect to office computers from home. When it's exposed to the internet without proper protection, attackers can find it, guess passwords, and walk right into your network.

Second most common ransomware entry point

Thousands of businesses still have RDP open to the internet with nothing more than a username and password protecting it. Attackers use automated tools that try millions of password combinations. Without multi-factor authentication and network-level restrictions, it's only a matter of time.

3. Unpatched Software

When software vendors release updates, they're usually fixing known security holes. Every day you delay those updates, you're leaving a documented vulnerability open for attackers to walk through.

60% of breaches involve vulnerabilities where a patch was available but not applied

This includes operating systems, browsers, VPN software, firewalls, and every application your team uses. Attackers scan the internet constantly for systems running outdated software with known vulnerabilities. Patching isn't glamorous, but it closes the doors attackers are actively looking for.

4. Supply Chain and Third Parties

Your software vendors, your IT providers, your cloud services: if any of them get compromised, the attackers can push malicious updates directly to your systems. You didn't do anything wrong. But you're still infected.

Supply chain attacks increased 742% between 2019 and 2024

The SolarWinds and Kaseya attacks showed how devastating this vector can be. One compromised software update infected thousands of businesses simultaneously. You can't control your vendors' security, but you can verify their practices and limit the access they have to your network.

What a ransomware attack actually costs your business

The ransom payment is the number that makes the headlines. But it's the smallest part of the total cost. Here's where the money really goes.

| Cost category | Typical range | What it covers |
| --- | --- | --- |
| Ransom payment | $50,000 to $500,000 | The demand itself (paying doesn't guarantee recovery) |
| Downtime | $8,000+ per hour | Lost revenue, idle employees, missed deadlines |
| Recovery and remediation | $50,000 to $200,000 | Forensics, system rebuilds, data restoration |
| Legal and regulatory | $25,000 to $100,000+ | Breach notification, legal counsel, regulatory fines |
| Reputation damage | Hard to quantify | Lost clients, damaged trust, reduced new business |
| Increased insurance premiums | 50% to 200% increase | Higher rates or loss of coverage after a claim |

The average total cost of a ransomware attack on a small business is between $120,000 and $1.24 million. The average downtime after an attack is 22 days. That's 22 days of your business operating at reduced capacity, or not operating at all.

The cost nobody talks about

60% of small businesses that suffer a significant cyberattack close within six months. Not because the ransom was too expensive. Because the combination of downtime, recovery costs, lost clients, and damaged reputation was more than the business could absorb. The businesses that survive are the ones that prepared before the attack, not after.

The anatomy of a ransomware attack

Ransomware attacks don't happen all at once. They unfold over days or weeks, following a predictable pattern. Understanding the timeline helps you understand where defenses can stop an attack before the worst happens.

Day 1: Initial access

An employee clicks a phishing link, or an attacker finds exposed remote access. Malicious software installs on a single computer. At this point, nothing visible has happened. No files are encrypted. No alarms have gone off. The attacker has a foothold, and they're being patient.

Days 2 to 7: Reconnaissance and lateral movement

The attacker explores your network quietly. They identify your servers, your backup systems, your most valuable data. They move from computer to computer, escalating their access privileges. They're looking for domain admin credentials, the keys that unlock everything. Good endpoint detection catches this activity. Basic antivirus does not.

Days 7 to 14: Data exfiltration

Before encrypting anything, the attacker copies your most sensitive data to their own servers. Client records, financial data, employee information, trade secrets. This is called "double extortion." Even if you recover from the encryption, they still have your data and will threaten to publish it unless you pay.

Days 14 to 21: Disabling defenses

The attacker disables your antivirus, deletes your shadow copies (Windows' built-in backup snapshots), and targets your backup systems. If your backups are connected to the network, they encrypt or delete those too. This is why offline backups matter. If every backup is reachable from your network, the attacker can destroy them all.

The final hour: Encryption and ransom note

The ransomware deploys across every system simultaneously, usually in the middle of the night or on a weekend when nobody is watching. Within minutes, every file on every affected computer is encrypted. When your team arrives Monday morning, they find ransom notes on every screen. The clock starts ticking on the payment deadline.

The entire process, from first click to ransom note, takes an average of 9 to 21 days. That's 9 to 21 days where the right monitoring tools and security practices could have detected and stopped the attack. Every stage of this timeline is a chance to intervene. The question is whether you have the tools and visibility to see it happening.

How to protect your business from ransomware

You don't need a Fortune 500 budget to defend against ransomware. You need the right fundamentals, applied consistently. These six measures stop the vast majority of attacks.

Offline and Immutable Backups

Your backups are your last line of defense. If ransomware encrypts your systems but you have clean, recent backups stored offline or in immutable cloud storage, you can recover without paying. The key word is "offline." Backups connected to your network get encrypted too. Follow the 3-2-1 rule: three copies, two different media types, one offsite.
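The test that matters is not "do we have backups" but "would any of them survive an attacker who already controls the network". The script below is an added example, not part of this page or any backup product: it scores a backup inventory against the 3-2-1 rule plus the offline-or-immutable requirement, and treats a NAS share or a synced cloud folder as a copy that does not count because a compromised domain account could overwrite it. The inventory entries, field names, reference date and age thresholds are constructed assumptions.

```python
"""Checks a backup inventory against the 3-2-1 rule plus the "offline or
immutable" requirement. Added example; the inventory, field names and
thresholds are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    network_reachable: bool    # could a compromised domain account write to or delete it?
    immutable: bool            # does the storage enforce a retention lock?
    last_backup: date
    last_restore_test: Optional[date]


def evaluate(copies: List[BackupCopy], today: date,
             max_backup_age_days: int = 1, max_test_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, rule requires 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on the same media type, rule requires 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # The copy that matters during an attack is one the attacker cannot reach
    # or cannot alter; a NAS share or a synced cloud folder does not qualify.
    survivable = [c.name for c in copies if c.immutable or not c.network_reachable]
    if not survivable:
        findings.append("no offline or immutable copy: every copy is reachable "
                        "from the network and can be overwritten")
    for c in copies:
        age = (today - c.last_backup).days
        if age > max_backup_age_days:
            findings.append(f"{c.name}: last backup is {age} days old")
        if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: restore not tested in the last {max_test_age_days} days")
    return findings


TODAY = date(2024, 6, 3)   # constructed reference date

# Constructed: what many small offices actually have
TYPICAL = [
    BackupCopy("office NAS", "disk", False, True, False, date(2024, 6, 3), None),
    BackupCopy("cloud sync folder", "object-storage", True, True, False, date(2024, 6, 3), None),
]

# Constructed: an external drive that is never unplugged still fails the offline test
DRIVE_LEFT_PLUGGED_IN = TYPICAL + [
    BackupCopy("USB drive left plugged in", "disk", False, True, False, date(2024, 6, 3), None),
]

# Constructed: the same office after applying the measures above
HARDENED = [
    BackupCopy("office NAS", "disk", False, True, False, date(2024, 6, 3), date(2024, 4, 15)),
    BackupCopy("immutable cloud vault", "object-storage", True, True, True, date(2024, 6, 3), date(2024, 4, 15)),
    BackupCopy("rotated external drive (stored offsite)", "disk", True, False, False, date(2024, 6, 2), date(2024, 4, 15)),
]


if __name__ == "__main__":
    for label, inventory in [("typical", TYPICAL), ("plugged in", DRIVE_LEFT_PLUGGED_IN), ("hardened", HARDENED)]:
        print(label, evaluate(inventory, TODAY) or ["passes"])
```

The "restore not tested" finding is deliberate: a backup that has never been restored is a hope, not a control, and restore testing is the only way to learn that a copy is itself encrypted before you need it.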

Endpoint Detection and Response (EDR)

Traditional antivirus looks for known threats. EDR watches for suspicious behavior: a program trying to encrypt files rapidly, an account accessing systems it's never touched before, a process disabling security tools. EDR catches the activity that happens between initial access and encryption, the days where an attack can still be stopped.
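The behaviours named in the attack timeline above (an account logging on to a server it has never used, shadow copies being deleted, one process rewriting hundreds of files in seconds) are exactly what EDR watches for. The script below is an added illustration, not part of this page or of any EDR product: it runs three such behavioural rules over constructed endpoint telemetry. The row format, host and user names, the logon baseline and the write-rate thresholds are all assumptions made for the example.

```python
"""EDR-style behavioural rules over constructed endpoint telemetry.

Added example. Each telemetry row is (epoch_seconds, host, user, process,
event_type, detail). Event types used: "logon", "process_start" (detail is
the command line) and "file_write" (detail is the path written). The format,
hosts, users, baseline and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque

# Assumed baseline: which hosts each account normally logs on to.
BASELINE_HOSTS = {"jsmith": {"WS-07"}, "itadmin": {"WS-07", "FS-01"}}

# Substrings that must all appear in a command line to flag shadow-copy deletion.
SHADOW_COPY_MARKERS = (("vssadmin", "delete", "shadows"),)

WRITE_THRESHOLD = 50   # file writes by one process ...
WINDOW_SECONDS = 10    # ... within this many seconds


def build_sample_telemetry():
    """Constructed sample data: a normal session on WS-07, then the attacker,
    using jsmith's stolen account, reaches the file server FS-01."""
    rows = [
        (1000, "WS-07", "jsmith", "winlogon.exe", "logon", "-"),
        (1005, "FS-01", "jsmith", "winlogon.exe", "logon", "-"),
        (1010, "FS-01", "jsmith", "cmd.exe", "process_start", "vssadmin delete shadows"),
        (1015, "WS-07", "jsmith", "WINWORD.EXE", "file_write", r"C:\Users\jsmith\proposal.docx"),
    ]
    # 120 files rewritten by one unknown process in about six seconds
    for i in range(120):
        rows.append((1020 + i // 20, "FS-01", "jsmith", "upd.exe", "file_write",
                     rf"\\FS-01\share\doc{i}.xlsx.locked"))
    return rows


def detect(rows, baseline=BASELINE_HOSTS):
    """Return alerts as (rule, ts, host, user, process, detail) tuples."""
    alerts = []
    seen_hosts = {user: set(hosts) for user, hosts in baseline.items()}
    writes = defaultdict(deque)    # (host, process) -> timestamps of recent writes
    rate_alerted = set()
    for ts, host, user, proc, etype, detail in rows:
        if etype == "logon":
            # Lateral movement: an account turning up on a host it has never used
            known = seen_hosts.setdefault(user, set())
            if host not in known:
                alerts.append(("first_seen_host_logon", ts, host, user, proc,
                               f"{user} has no prior logon on {host}"))
                known.add(host)
        elif etype == "process_start":
            # Defence disabling: destroying the shadow copies recovery relies on
            cmd = detail.lower()
            if any(all(m in cmd for m in markers) for markers in SHADOW_COPY_MARKERS):
                alerts.append(("shadow_copy_deletion", ts, host, user, proc, detail))
        elif etype == "file_write":
            # Encryption: one process rewriting many files in a short window
            recent = writes[(host, proc)]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= WRITE_THRESHOLD and (host, proc) not in rate_alerted:
                rate_alerted.add((host, proc))
                alerts.append(("mass_file_modification", ts, host, user, proc,
                               f"{len(recent)} writes in {WINDOW_SECONDS}s, latest {detail}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_telemetry()):
        print(*alert, sep=" | ")
```

Note where each rule fires on the timeline: the logon and shadow-copy alerts arrive days before encryption starts, which is the window the text says an attack can still be stopped in. The write-rate rule on its own is noisy (a backup job or a bulk document conversion also writes many files quickly), so real EDR products correlate it with the other signals and with which process is doing the writing rather than acting on the rate alone.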

Patch Management

60% of breaches involve unpatched vulnerabilities. Keeping your operating systems, applications, and firmware updated closes the doors attackers are actively scanning for. This isn't optional maintenance. It's a core security practice. Automated patch management ensures updates happen consistently, not just when someone remembers.

Email Security

Since phishing is the number one attack vector, your email security has to be better than basic spam filtering. Advanced email security scans attachments in sandboxes, checks links in real time, and flags messages that impersonate your colleagues or vendors. Combine this with regular phishing awareness training for your team.
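What "flags messages that impersonate your colleagues or vendors" looks like in practice is a set of header checks. The script below is an added example written for this page, not code from any email security product: it parses a raw message and tests for a colleague's display name on a foreign address, a domain one typo away from your own or a vendor's, a Reply-To pointed at a different domain, and a failed SPF/DMARC result recorded by your own mail server. The internal domain, the employee directory, the vendor list and the four sample messages are all constructed for the illustration.

```python
"""Header checks for messages that impersonate colleagues or vendors.

Added example, not part of the page or any product. The internal domain,
employee directory, vendor list and the four sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "examplecorp.com"                       # assumed: your own mail domain
EMPLOYEES = {"Dana Ruiz": "dana.ruiz@examplecorp.com",    # assumed directory: display name -> address
             "Mark Chen": "mark.chen@examplecorp.com"}
VENDOR_DOMAINS = {"acmebilling.com"}                      # assumed: domains you actually pay invoices to


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> list:
    """Return the names of the checks this message trips (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # 1. A colleague's display name on an address that is not theirs
    expected = EMPLOYEES.get(name.strip())
    if expected and addr.lower() != expected:
        flags.append("display_name_impersonation")
    # 2. A domain one typo away from your own or a vendor's
    for trusted in {INTERNAL_DOMAIN, *VENDOR_DOMAINS}:
        if domain != trusted and edit_distance(domain, trusted) <= 1:
            flags.append("lookalike_domain")
            break
    # 3. Replies silently routed to a different domain than the sender's
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply_to_mismatch")
    # 4. Your own domain in From: but your mail server's SPF/DMARC check failed
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        flags.append("authentication_failed")
    return flags


# Constructed sample messages; only the headers matter here.
CEO_FRAUD = """\
From: "Dana Ruiz" <dana.ruiz@mailbox.example>
Reply-To: <payments@other.example>
To: accounts@examplecorp.com
Subject: Urgent wire needed today
Authentication-Results: mx.examplecorp.com; dmarc=none

Please process the attached wire before noon. I am in meetings all day.
"""
VENDOR_LOOKALIKE = """\
From: "Acme Billing" <invoices@acmebiling.com>
To: accounts@examplecorp.com
Subject: Invoice 4471 overdue
Authentication-Results: mx.examplecorp.com; spf=pass

Our bank details have changed, see attached.
"""
SPOOFED_INTERNAL = """\
From: "Mark Chen" <mark.chen@examplecorp.com>
To: dana.ruiz@examplecorp.com
Subject: Updated payroll file
Authentication-Results: mx.examplecorp.com; spf=fail; dmarc=fail

Open the attachment and confirm.
"""
LEGITIMATE = """\
From: "Mark Chen" <mark.chen@examplecorp.com>
To: dana.ruiz@examplecorp.com
Subject: Q3 proposal draft
Authentication-Results: mx.examplecorp.com; spf=pass; dmarc=pass

Draft attached for your review.
"""

if __name__ == "__main__":
    for label, raw in [("CEO fraud", CEO_FRAUD), ("vendor lookalike", VENDOR_LOOKALIKE),
                       ("spoofed internal", SPOOFED_INTERNAL), ("legitimate", LEGITIMATE)]:
        print(f"{label}: {analyze(raw) or 'clean'}")
```

The third sample is the one worth noticing: the display name and the address are both exactly right, and only the authentication result set by your own mail server gives it away. That is why publishing SPF and DMARC records for your domain belongs on the email-security list alongside attachment sandboxing and link checking.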

Multi-Factor Authentication (MFA)

MFA requires a second form of verification beyond a password: a code from your phone, a push notification, or a physical security key. Even if an attacker steals a password, they can't get in without the second factor. MFA should be on every account: email, VPN, remote access, cloud services, and admin tools. No exceptions.
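To make concrete why a stolen password alone is not enough, here is the "code from your phone" factor in working code. This is an added example, not part of this page or of any authentication product: it implements RFC 6238 time-based one-time passwords on top of RFC 4226 HOTP, verifies a submitted code with a one-step tolerance for clock drift, and refuses to accept the same code twice. The user record, the fixed salt and the account name are constructed; the TOTP secret is the RFC's published test key and must never be used in a real deployment.

```python
"""A second factor in working code: RFC 6238 time-based one-time passwords
(TOTP). Added example; the user record, salt and secret are constructed
(the secret is the RFC 6238 test key, not for real use)."""
import hashlib
import hmac
import struct
import time

STEP = 30       # seconds per code, the common default
DIGITS = 6
WINDOW = 1      # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = STEP) -> str:
    """What the authenticator app on the phone displays at a given time."""
    return hotp(secret, int(at_time) // step)


def match_totp(secret: bytes, code: str, at_time: float):
    """Return the counter whose code matches, or None if no code in the window does."""
    current = int(at_time) // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_users():
    """Constructed user store. In a real system the TOTP secret is enrolled
    once (the QR code the app scans) and stored as carefully as the hash."""
    salt = b"constructed-fixed-salt"
    return {"dana": {
        "salt": salt,
        "pw_hash": hash_password("correct horse", salt),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test key, not for real use
        "last_counter": -1,                        # last accepted code, blocks replay
    }}


def login(users, username, password, code, now=None):
    """Both the password AND a current one-time code are required."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad credentials"
    matched = match_totp(user["totp_secret"], code, now)
    if matched is None:
        return False, "second factor rejected"
    if matched <= user["last_counter"]:
        return False, "code already used"
    user["last_counter"] = matched
    return True, "ok"


if __name__ == "__main__":
    users = make_users()
    now = time.time()
    phone_code = totp(users["dana"]["totp_secret"], now)
    print(login(users, "dana", "correct horse", "", now))          # stolen password only
    print(login(users, "dana", "correct horse", phone_code, now))  # password plus phone
    print(login(users, "dana", "correct horse", phone_code, now))  # same code replayed
```

The replay check is the detail most home-grown implementations miss: a code intercepted by a phishing page is valid for up to 30 seconds, so the server must remember the last counter it accepted. Push notifications and hardware security keys work on different protocols, but the property this page cares about is the same: the password by itself opens nothing.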

Incident Response Plan

When an attack happens, panic wastes time and time costs money. An incident response plan tells your team exactly what to do: who to call, what to disconnect, how to communicate, and what steps to follow. Write it down, print it out (your network will be down), and practice it at least once a year. The businesses that recover fastest are the ones that rehearsed.

These aren't just best practices

Every measure on this list is now required by most cyber insurance carriers. MFA, EDR, offline backups, patch management, email security, and a documented incident response plan. If you don't have these in place, you may not be able to get coverage. And if you do have coverage, failing to maintain these controls could void your policy when you need it most.

What to do if you get hit by ransomware

The first 60 minutes after discovering a ransomware attack determine how bad it gets. What you do matters. What you don't do matters even more.

1. Don't pay the ransom immediately

Your instinct will be to pay and make the problem go away. Resist it. Only 65% of businesses that pay actually get their data back. And paying funds the criminals to attack more businesses, including yours again. Payment should be a last resort, not a first reaction. Give yourself time to assess the situation before making a decision you can't undo.

2. Isolate affected systems immediately

Disconnect infected computers from the network. Unplug ethernet cables. Disable Wi-Fi. The goal is to stop the ransomware from spreading to systems that haven't been encrypted yet. Don't shut the computers down; forensic investigators may need the data in memory. Just disconnect them from everything.

3. Call your cyber insurance carrier

If you have cyber insurance, call them before you do anything else significant. Your policy likely requires specific steps and approved vendors. Taking actions outside that process could jeopardize your coverage. Your carrier will assign a breach coach, a forensics firm, and legal counsel. Let them coordinate the response.

4. Engage an incident response team

Unless your IT provider has specific ransomware response experience, you need a specialized incident response firm. They'll determine how the attacker got in, how far they spread, what data was compromised, and whether your backups are clean. This isn't a job for general IT support. It requires forensic expertise and experience with active threat actors.

5. Preserve evidence and document everything

Take photos of ransom notes. Save copies of ransom emails. Log every action taken and when it happened. This evidence matters for insurance claims, law enforcement, and regulatory compliance. Report the attack to the FBI's Internet Crime Complaint Center (IC3) and your local FBI field office.

6. Communicate carefully

Don't use your compromised email system to discuss the breach. The attacker may still be reading your messages. Use phone calls, personal email, or an out-of-band communication channel. Notify affected employees and clients only after your legal counsel advises you on timing, content, and regulatory requirements.

Print this page

When ransomware hits, your network is down. Your files are encrypted. You can't access your cloud documents or email. Print these steps and keep a physical copy in your office. The time to figure out your response isn't during the crisis. It's right now.

Ransomware questions business owners ask

Should you pay the ransom?

The FBI advises against paying. Only about 65% of businesses that pay get their data back, and paying marks you as a willing target for future attacks. That said, every situation is different. If your backups are destroyed and the survival of your business depends on recovering the data, it becomes a business decision, not just a security one. Work with your insurance carrier and legal counsel before making that call.

Can antivirus stop ransomware?

Traditional antivirus catches known threats by matching files against a database of signatures. Ransomware evolves constantly, so new variants slip past antivirus before signatures exist. Endpoint detection and response (EDR) is far more effective because it watches for suspicious behavior, like a process encrypting hundreds of files per second, rather than looking for a specific known file. If your security relies solely on antivirus, you have a significant gap.

Does cyber insurance cover ransomware?

Most cyber insurance policies cover ransomware, including the ransom payment (if approved), forensic investigation, legal costs, business interruption losses, and breach notification expenses. However, coverage depends on meeting the policy's security requirements. If you didn't have MFA enabled or your backups weren't properly maintained, your carrier may deny the claim. Read your policy carefully and make sure you're meeting every requirement, not just the ones that are convenient.

How long does it take to recover from a ransomware attack?

The average downtime after a ransomware attack is 22 days. Full recovery, including forensic investigation, system rebuilds, data restoration, and security improvements, typically takes 1 to 3 months. Businesses with tested backups and an incident response plan recover significantly faster. Businesses without them sometimes never fully recover.

Are cloud services safe from ransomware?

Cloud services like Microsoft 365 and Google Workspace have built-in protections, but they're not immune. If an attacker compromises an employee's cloud credentials, they can encrypt or delete cloud-hosted files. Ransomware can also spread through synced folders: if a local computer encrypts files in a synced OneDrive folder, those encrypted files sync to the cloud. Cloud services add a layer of resilience, but they don't eliminate the need for backups, MFA, and endpoint security.

What's the minimum my small business should do right now?

Five things, in order of priority. First, enable multi-factor authentication on every account, especially email and remote access. Second, make sure you have offline or immutable backups that are tested regularly. Third, replace traditional antivirus with endpoint detection and response. Fourth, keep all software updated with automated patch management. Fifth, write a basic incident response plan and print it out. These five steps won't make you invincible, but they'll protect you against the vast majority of ransomware attacks targeting small businesses.

You don't have to figure this out alone

We believe every business deserves to know where it stands. Our free security assessment measures your current defenses against the threats described on this page and gives you an honest score. No pressure. No sales pitch. Just a clear picture of your risk.
