What Is Ransomware and How Do Small Businesses Actually Stop It?
Ransomware attacks on small businesses have increased dramatically. Here is exactly what ransomware is, how it gets in, and the concrete steps you can take this week.
If you run a small business and you think ransomware is something that only happens to hospitals and big corporations, you're wrong — and that misconception is what attackers count on.
Small businesses now make up roughly 43% of ransomware targets. The reasons are straightforward: they have money, they have data worth encrypting, and they typically have far weaker defenses than enterprise organizations. A successful attack on a small business is easier and faster than attacking a company with a dedicated security team.
What ransomware actually is
Ransomware is a type of malware that encrypts your files — making them completely unreadable — and then demands payment (usually in cryptocurrency) in exchange for the decryption key.
The attack typically goes like this:
- An attacker gets a foothold in your network (usually through a phishing email, exposed remote desktop, or an unpatched vulnerability)
- They spend days or weeks moving quietly through your systems, escalating their access
- When they're ready, they deploy the ransomware — which encrypts everything it can reach: files, databases, backups if they're accessible
- You arrive at work one morning and see a ransom note where your files used to be
Modern ransomware groups also exfiltrate (steal) your data before encrypting it, so they have a second lever: “Pay us, or we publish your client data online.”
How it gets in — the three most common entry points
1. Phishing emails
The most common entry point by far. An employee receives an email that looks legitimate — a DocuSign notification, a shipping update, an invoice from a familiar vendor — and either clicks a malicious link or opens an attachment that drops malware.
Modern phishing is convincing. The emails are well-written, the sender addresses look right, and the landing pages look real. You cannot train your way to zero risk, but you can reduce it significantly.
2. Remote Desktop Protocol (RDP) exposed to the internet
A shocking number of small businesses have Windows RDP (port 3389) open directly to the internet, often because an IT person or ISP technician turned it on for remote access and never secured it properly.
Attackers scan the entire internet constantly for open RDP ports. When they find one, they try password-guessing and credential-stuffing attacks until something works — especially if the username is “Administrator” and the password is weak.
3. Unpatched software vulnerabilities
Software companies regularly patch security vulnerabilities. When patches come out, attackers immediately start scanning for systems that haven't applied them yet. Routers with outdated firmware, unpatched Windows systems, old VPN appliances — all are active targets.
What actually stops ransomware
There's no single silver bullet, but the following controls, implemented together, dramatically reduce your risk:
Backups — the only true recovery option
A working, tested, offline or cloud backup is the difference between a ransomware attack being a catastrophe and being a bad week. Key requirements:
- 3-2-1 rule: 3 copies of your data, on 2 different media, with 1 offsite or cloud
- Tested regularly: A backup that you've never tried to restore from is a guess, not a backup. Test a full restore at least twice a year.
- Isolated: If your backup drive is always connected to your network, ransomware will encrypt that too. Cloud backups with versioning (Google Workspace, Backblaze) are harder to destroy.
Multi-factor authentication on everything
MFA means that even if an attacker has your password, they can't log in without the second factor. Enable it on email, cloud storage, your VPN, your admin accounts — everywhere.
Patch management
Keep Windows updated. Keep your router firmware updated. Keep your business software updated. Most small businesses don't have a formal patch process — set a monthly calendar reminder to check and apply updates.
Close unnecessary network exposure
If you have RDP open to the internet, close it. Use a VPN for remote access instead. Run a port scan on your network to see what you're exposing — we can do this as part of a security audit.
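Before you pay for an external scan, you can check each Windows machine from the inside. The PowerShell below is an added example (not from the original article or any vendor): run it in an elevated prompt and it reports whether Remote Desktop is switched on, whether Network Level Authentication is required, and which firewall rules admit port 3389 from which remote addresses. The registry paths and cmdlets are standard Windows ones; nothing is changed, only read.

```powershell
# Added example: read-only audit of Remote Desktop exposure on this Windows host.
# Run as Administrator. Complements, but does not replace, an external port scan,
# because it cannot see whether your router forwards 3389 to this machine.

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is OFF.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host.'
} else {
    Write-Output 'Remote Desktop is ENABLED on this host.'
}

# 2. Is Network Level Authentication required? NLA forces authentication before a
#    session is created, which blunts password guessing against the login screen.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
Write-Output ('NLA required: {0}' -f ($nla.UserAuthentication -eq 1))

# 3. Which enabled inbound Allow rules open TCP/UDP 3389, and from where?
#    A RemoteAddress of 'Any' means the whole internet if the port is forwarded.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ', ')
        }
    } | Format-Table -AutoSize

# 4. Is anything actually listening on 3389 right now?
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If step 1 says enabled and step 3 shows a rule with RemoteAddress 'Any' on the Public profile, that machine is a candidate for exposure; the fix the article recommends is to disable RDP or restrict it to your VPN subnet rather than the internet.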
Endpoint protection
Modern endpoint detection and response (EDR) tools are far more effective than traditional antivirus at catching ransomware behavior. Products like Microsoft Defender for Business (reasonable for small teams), Malwarebytes, or SentinelOne provide meaningful protection.
Staff training — but realistic training
Phishing simulations and security awareness training reduce click rates on phishing emails. But don't rely on it exclusively — assume someone will eventually click something they shouldn't, and make sure your other controls catch it.
If you get hit — what to do
- Disconnect from the network immediately. Pull the ethernet cable. Disable WiFi. Stop the spread.
- Don't pay the ransom — unless your business will literally close without those files and you have no other options. Paying doesn't guarantee you get your files back, and it funds the next attack.
- Call a professional before clicking anything. Ransomware recovery requires careful forensics to understand how the attacker got in and what was affected.
- Report to the FBI via the IC3 (ic3.gov). You may think it won't help, but the data helps law enforcement track and eventually disrupt these groups.
Where to start this week
If you're not sure where your business stands, start here:
- Verify your backups are running and test one restore
- Enable MFA on your email — this alone stops a huge percentage of attacks
- Check your router firmware version and update it if needed
- Run a port scan on your network to see what's exposed
If that sounds overwhelming, a half-day security audit will identify exactly where your exposure is and prioritize what to fix. It's a lot cheaper than a ransomware recovery.
Free Consultation
Not sure how exposed you are?
We run security audits for Sonoma County businesses — half-day, written report, prioritized remediation. Free 30-min consultation to discuss your situation.