In the summer of 2021, a small accountancy firm arrived at work on a Monday morning to find every file on their server encrypted. Their client records, tax submissions, payroll data — all inaccessible. A message on the screen demanded payment in cryptocurrency within 72 hours. They had no backup. They had no incident plan. And they had no idea this was coming.
That firm is one of thousands of small businesses that discover what ransomware is in the worst possible way: by experiencing it.
What Ransomware Actually Does
Ransomware is malicious software designed to encrypt your files and demand payment in exchange for the decryption key. Once it’s on your system, it typically spreads rapidly across connected devices and network shares before revealing itself.
The encryption is genuine. Without the key, your files are unreadable. And the operators of these attacks are often sophisticated criminal organisations running what amounts to a customer service operation — they have support lines, negotiation processes, and in many cases, a track record of actually providing decryption keys to those who pay.
The problem, of course, is that paying does not guarantee recovery, encourages further attacks, and in some jurisdictions may create legal liability. The FBI explicitly recommends against paying ransoms.
The Scale of the Problem for SMBs
The Sophos State of Ransomware 2024 report found that average ransom demands reached $2 million in 2024. But the ransom is only part of the picture. When you factor in downtime, IT recovery, staff time, lost business, and reputational damage, the average total recovery cost is $2.73 million.
More alarming still: Coveware data shows the average ransomware attack causes 24 days of operational downtime. Nearly four weeks of being unable to run your business.
Research consistently finds that 75% of SMBs say they cannot continue operating while under a ransomware attack. For many, it is not a financial crisis — it is the end of the business entirely.
How Ransomware Gets In
Understanding the entry points is the first step to reducing your risk. The most common routes are:
Phishing emails. An employee receives a convincing email with a malicious attachment or link. One click is enough. Phishing is responsible for the majority of ransomware infections.
Remote desktop vulnerabilities. If your business uses Remote Desktop Protocol (RDP) — common for remote working setups — and it’s exposed to the internet with weak credentials, attackers can brute-force their way in.
Unpatched software. Known vulnerabilities in unpatched operating systems, applications, or network equipment are routinely exploited. Many successful attacks use vulnerabilities that have had patches available for months.
Compromised credentials. Passwords leaked in other data breaches are sold on criminal marketplaces and used to access business systems directly.
What Happens if You’re Hit
The sequence typically unfolds like this: initial access, lateral movement across your network, data exfiltration in some cases, then encryption. The ransom note appears. The clock starts.
In parallel, you may find yourself dealing with:
- Complete loss of access to business data
- Inability to process payments or access financial systems
- Customer and supplier communication failures
- Potential regulatory notification obligations if customer data was accessed
- Media or public attention if the breach becomes known
- Insurance complications if coverage requirements weren’t met
The psychological pressure is significant. Attackers are experienced at exploiting the urgency and panic of the first hours.
What Actually Protects You
The good news is that ransomware, for all its impact, is not inevitable. Businesses that have taken even basic precautions are dramatically less vulnerable.
Reliable, tested backups. The single most important protection. If you have clean, recent backups that are isolated from your network, ransomware becomes a serious inconvenience rather than a catastrophe. The key word is tested — backups that have never been restored are backups you cannot trust.
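One way to make "tested" concrete, as an added example that is not part of the original post or W3IT's tooling: record a SHA-256 manifest when the backup is taken, then restore to a scratch location and check every file against it. The directory layout and the three sample files are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout (example code, not the firm's or W3IT's own process): a
# "source" tree is backed up, later restored into a separate "restore" tree,
# and a SHA-256 manifest taken at backup time decides whether the restore passed.

def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest recorded when the backup was made.

    A backup only counts as tested when every file comes back byte-for-byte;
    missing or altered files are exactly what an untested backup hides until
    the day you need it."""
    found = build_manifest(restored)
    return {
        "missing": sorted(p for p in manifest if p not in found),
        "corrupt": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(p for p in found if p not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files backed up; on restore one is intact,
    one is truncated and one was never copied at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restore")
        for d in (src / "clients", dst / "clients"):
            d.mkdir(parents=True)
        (src / "clients" / "records.csv").write_text("acme,2021\n")
        (src / "payroll.xlsx").write_bytes(b"\x00payroll")
        (src / "tax.pdf").write_bytes(b"%PDF-1.4 tax")
        manifest = build_manifest(src)          # taken at backup time
        (dst / "clients" / "records.csv").write_text("acme,2021\n")  # restored intact
        (dst / "payroll.xlsx").write_bytes(b"\x00pay")               # truncated on restore
        return verify_restore(manifest, dst)    # tax.pdf never restored

if __name__ == "__main__":
    print(demo())
```

Run the same check against a real restore on a schedule; a result with anything in `missing` or `corrupt` means the backup would not have saved you.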
Network monitoring. Many ransomware attacks take hours or days to complete their spread before triggering. Active monitoring can detect unusual behaviour and trigger a response before the encryption phase.
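As an added illustration of the kind of early warning the paragraph describes (example code, not W3IT's Sentinel service): a detector that reads remote-access logon records and raises an alert when one source address piles up failed logons, then escalates if that same source subsequently succeeds, which is the RDP brute-force entry route described earlier. The log format, addresses and the thresholds are constructed assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records (not from any real system), one per line:
# "<timestamp> <FAIL|SUCCESS> <user> <source-ip>".  A night-time burst from one
# address is followed by a success; a normal user mistypes a password once.
SAMPLE_LOG = """\
2021-07-05T02:00:01 FAIL administrator 203.0.113.7
2021-07-05T02:00:02 FAIL administrator 203.0.113.7
2021-07-05T02:00:02 FAIL admin 203.0.113.7
2021-07-05T02:00:03 FAIL backup 203.0.113.7
2021-07-05T02:00:04 FAIL administrator 203.0.113.7
2021-07-05T02:00:05 FAIL administrator 203.0.113.7
2021-07-05T02:00:09 SUCCESS administrator 203.0.113.7
2021-07-05T08:30:00 FAIL jsmith 192.0.2.10
2021-07-05T08:30:20 SUCCESS jsmith 192.0.2.10
"""

def parse(line: str):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user, src

def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag a source once it reaches `threshold` failed logons inside `window`
    (assumed thresholds), and escalate when the same source then logs on
    successfully: that is the point at which credentials are likely compromised
    and an attacker is inside, hours or days before any encryption starts."""
    failures = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for line in log.splitlines():
        ts, result, user, src = parse(line)
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # discard failures that fell out of the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"time": ts.isoformat(), "src": src, "severity": "medium",
                               "reason": f"{len(recent)} failed logons within {window}"})
        elif result == "SUCCESS" and src in flagged:
            alerts.append({"time": ts.isoformat(), "src": src, "severity": "high",
                           "reason": f"successful logon as {user} after brute-force pattern"})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 192.0.2.10 never reaches the threshold, so only the 203.0.113.7 burst and its later success are reported; the "high" alert is the one worth isolating the host over.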
Patching and updates. Keeping software and systems current removes a significant proportion of the attack surface.
Staff awareness. Since phishing is the most common entry point, staff who can recognise suspicious emails are a genuine defence.
Incident response planning. Knowing in advance what you will do if you are attacked — who you call, what you isolate, how you communicate — dramatically reduces the damage.
W3IT works with small businesses to implement practical protections that fit real-world budgets and operations. Our Sentinel monitoring service watches your network continuously, providing early warning of the kind of unusual activity that often precedes a ransomware deployment.
If you haven’t thought through what you would do if ransomware hit your business tomorrow, that’s the conversation worth having today.