Most small business owners picture ransomware as a sudden explosion — everything goes down at once and a skull appears on the screen. The reality is slower and more calculated, which makes it more dangerous. By the time files start encrypting, attackers have often been inside your network for days or weeks.
01 The attack timeline: what actually happens
Initial access
A phishing email gets clicked, a remote desktop port is exposed, or credentials from a previous breach get used. The attacker gains a foothold — usually a single compromised endpoint or user account.
Reconnaissance and lateral movement
The attacker spends time quietly mapping your network — what systems exist, who has admin rights, where the valuable data lives, and how backups are configured. This phase can last days or weeks undetected.
Data exfiltration
Modern ransomware groups steal your data before they encrypt anything. This enables double extortion: even if you restore from backup, they threaten to publish your client records, financial data, or legal documents publicly.
Encryption and ransom demand
Files across your network are encrypted simultaneously. A ransom note appears demanding payment — typically $10,000–$50,000 for a small business — in cryptocurrency, usually with a countdown timer.
The number that matters: Average downtime for a small business ransomware attack is 21 days. That's three weeks with limited or no operations — often more damaging than the ransom itself.
02 Why paying the ransom doesn't solve it
There are three reasons cybersecurity professionals advise against paying. First, there's no guarantee you get your data back: roughly 1 in 5 businesses that pay don't receive a working decryption key. Second, payment marks you as a willing payer and makes you a target for repeat attacks, often from the same group using a different strain. Third, if attackers already exfiltrated your data, the ransom only addresses the encryption; the stolen data can still be sold or leaked.
The FBI recommends not paying and reporting ransomware attacks to the Internet Crime Complaint Center (IC3). Payment also funds criminal organizations, which use that money to develop more sophisticated attacks.
If you're hit right now: Disconnect affected machines from the network immediately — do not shut them down. Call your IT provider and do not pay anything until you've assessed what's actually been compromised. Time matters, but panic is your enemy.
03 The three controls that stop most ransomware
Ransomware protection isn't complicated — it's a handful of well-implemented controls. Most small businesses that get hit were missing at least two of these three.
Offline backups
Backups that are disconnected from your network, so ransomware can't reach or encrypt them, and that are tested regularly. The single most important recovery control.
MFA everywhere
Multi-factor authentication on email, remote access, and admin accounts. Stops credential-based initial access — the most common entry point.
Endpoint detection
Modern endpoint detection and response (EDR) software that detects ransomware behavior before encryption completes, not just signature-based antivirus that reacts too late.
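To show what "detects ransomware behavior before encryption completes" means in practice, here is an added example (not code from the original page or from any EDR vendor): a toy detector that flags a process writing many high-entropy files in a short window, the signature of bulk encryption. The event format, process names, file paths and thresholds are assumptions made for the example.

```python
"""Behaviour-based ransomware detection, illustrated on constructed telemetry.

Added example, not code from any EDR product. Assumed input: file-activity
events an endpoint agent might record, as tuples
    (timestamp_seconds, process_name, action, path, entropy_bits_per_byte).
A process that rewrites many files with near-random (high-entropy) content in
a short window looks like bulk encryption, whichever strain is responsible.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # sliding window length
WRITE_THRESHOLD = 20   # high-entropy writes inside one window that trigger an alert
ENTROPY_MIN = 7.5      # bits per byte; encrypted data sits close to the 8.0 maximum


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           threshold=WRITE_THRESHOLD, entropy_min=ENTROPY_MIN):
    """Return {process: timestamp_of_first_alert} for every process whose
    high-entropy writes reach `threshold` within any `window`-second span.
    Low-entropy writes (ordinary documents) and other actions are ignored."""
    recent = defaultdict(deque)   # process -> timestamps of recent suspicious writes
    alerts = {}
    for ts, proc, action, _path, entropy in sorted(events):
        if action != "write" or entropy < entropy_min:
            continue
        queue = recent[proc]
        queue.append(ts)
        while ts - queue[0] > window:      # drop writes that fell out of the window
            queue.popleft()
        if len(queue) >= threshold and proc not in alerts:
            alerts[proc] = ts              # alert as soon as the burst is visible
    return alerts


def constructed_events():
    """Constructed sample: a word processor saving three documents over two
    minutes, then an unknown binary (hypothetical name) rewriting 25 documents
    with encrypted content at four files per second."""
    benign = [(t, "winword.exe", "write", f"C:/docs/report{t}.docx", 4.1)
              for t in (100, 160, 220)]
    burst = [(300 + i * 0.25, "unknown.exe", "write",
              f"C:/docs/file{i}.docx.locked", 7.9) for i in range(25)]
    return benign + burst


if __name__ == "__main__":
    print(detect_mass_encryption(constructed_events()))   # {'unknown.exe': 304.75}
```

Backup and compression tools also produce bursts of high-entropy writes, so real EDR products correlate this signal with others (process reputation, shadow-copy deletion, ransom-note drops) before acting on it.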
04 Your ransomware readiness checklist
- 3-2-1 backup rule — 3 copies of data, on 2 different media types, with 1 stored offsite or offline. Test restores quarterly.
- MFA on all remote access — RDP, VPN, and cloud applications are the most targeted entry points. No exceptions.
- Patch within 14 days — the majority of ransomware exploits known vulnerabilities that have available patches. Timely patching closes most of the attack surface.
- Least privilege access — employees should only have access to the systems and data they need. Admin rights should be restricted to the handful of people who genuinely require them.
- Incident response plan — a written document that answers: who do we call, what do we disconnect, what do we preserve for forensics, and what do we tell clients? Written before you need it.
- Cyber insurance review — understand what your policy covers before an incident, not after. Many policies have exclusions for unpatched systems or missing MFA.
The businesses that recover quickly from ransomware aren't the ones who paid — they're the ones who had clean, tested backups and could restore operations within hours instead of weeks. That preparation happens before the attack, not during it.