Ransomware is no longer just a problem for large enterprises and hospitals. If anything, it's become a small business problem — precisely because small businesses have valuable data, weaker defences, and less capacity to absorb a prolonged outage. Attackers have adjusted their targeting accordingly.
According to the Verizon Data Breach Investigations Report, ransomware features in nearly a quarter of all breach incidents — making it consistently one of the most prevalent attack types year over year. And small-to-medium businesses are far from exempt. The FBI's Internet Crime Complaint Center reports billions of dollars in ransomware-related losses annually, with a significant portion attributed to businesses with fewer than 100 employees.
What ransomware actually does
Ransomware is malware that encrypts your files — documents, databases, photos, email archives, accounting records — and then demands a payment (the ransom) to provide the decryption key needed to restore them. Until you pay, those files are locked. Without the key, the encryption is effectively unbreakable.
Modern ransomware operations are sophisticated. Many use a model called Ransomware-as-a-Service (RaaS), where a criminal group develops the malware and rents it out to affiliates who carry out the attacks in exchange for a revenue share. This has commoditised ransomware — reducing the technical skill required to launch an attack — and dramatically increased the volume of incidents globally.
A more recent development is double extortion: attackers not only encrypt your data but exfiltrate it first. They then threaten to publish it publicly or sell it to competitors if you don't pay. This applies even if you have backups — a threat to expose client data, financial records, or personal information creates pressure independent of whether you can restore your systems.
The real cost isn't just the ransom. The average ransom demand for SMBs ranges from tens of thousands to hundreds of thousands of dollars. But research consistently shows that downtime, recovery costs, and reputational damage typically exceed the ransom itself. IBM's Cost of a Data Breach Report has found average total breach costs for small businesses reaching into the hundreds of thousands of dollars — often enough to threaten business continuity.
How ransomware gets in
Understanding the entry vectors is the most practical starting point for prevention. The three most common are:
Phishing emails
The most common initial access method. A staff member opens an email attachment or clicks a link that installs the ransomware payload or a dropper that downloads it. The email might impersonate a supplier, a courier, IRD, or even a colleague. New Zealand's NCSC consistently identifies phishing as the primary delivery mechanism for ransomware incidents in New Zealand organisations.
Exposed Remote Desktop Protocol (RDP)
RDP is Windows' built-in remote access tool. Businesses that leave RDP exposed to the internet — particularly on the default port 3389 — are constantly being probed by automated scanners. Attackers who find an RDP endpoint will run credential-stuffing or brute-force attacks against it. If a weak password is found, they're inside your network with legitimate credentials. From there, deploying ransomware is straightforward.
Unpatched software vulnerabilities
Known vulnerabilities in operating systems, browsers, and applications are actively exploited. WannaCry — the 2017 ransomware outbreak that shut down parts of the NHS and affected organisations in 150 countries — exploited a vulnerability in Windows SMB that Microsoft had actually patched two months earlier. Organisations that hadn't applied the update were exposed. This pattern repeats constantly.
Should you pay the ransom?
This is the question everyone asks after an attack, and the answer is: not if you can avoid it.
Paying the ransom does not guarantee file recovery. Decryption keys provided by attackers are sometimes buggy or incomplete. More importantly, paying confirms to the attacker (and any others monitoring) that you're a paying target — increasing the likelihood of future attacks. Some ransomware groups have been sanctioned by governments, making payment technically illegal depending on your jurisdiction and who they are.
Law enforcement guidance from both CISA and the FBI consistently recommends against paying. The practical reality is that businesses without viable backups sometimes pay because the alternative — losing everything — is worse. That's the argument for having backups. Not "we'll deal with it if it happens."
Prevention checklist
These are the controls that actually stop ransomware or contain the damage:
- Maintain offline, tested backups. The 3-2-1 rule: three copies of your data, on two different media types, with one offsite or offline. "Offline" matters because many ransomware variants specifically hunt for and encrypt connected backup drives. A backup that's network-accessible when the ransomware runs may as well not exist. Test recovery regularly — backups you've never restored are theoretical backups.
- Patch everything, on a schedule. Operating systems, applications, and firmware. Set security updates to install automatically where possible. Don't delay patches for OS, browsers, or critical applications — vulnerabilities get weaponised fast.
- Disable or restrict RDP. If you don't need RDP exposed externally, disable it. If you do need remote access, put it behind a VPN — so it's not directly reachable from the internet — and enforce 2FA.
- Use multi-factor authentication everywhere. Especially on email, remote access tools, cloud storage, and any admin account. Stolen credentials alone won't get an attacker past 2FA; the attack is still blocked.
- Apply least-privilege access. Staff should only have access to the data and systems they need. Ransomware can only encrypt what the compromised account has access to — a user account with limited permissions contains the blast radius.
- Filter email at the gateway. Modern email security solutions filter out malicious attachments and URLs before they reach staff inboxes. Microsoft 365 Defender and Google Workspace both have built-in protections; third-party solutions add more.
- Train your team to recognise phishing. One click by one staff member can start an incident. Regular, practical awareness training — including simulated phishing — reduces that risk significantly.
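The first item on the checklist says backups you have never restored are theoretical. One way to make a restore test concrete is to record a hash manifest of the data at backup time and compare a restored copy against it. The script below is an added example written for this article, not a GhostRoutine tool; the file names and contents are constructed sample data.

```python
"""Restore-test helper: build a SHA-256 manifest of the data being backed up,
then verify a restored copy against it, reporting missing, altered and
unexpected files. Example code for this article; sample data is constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its digest, taken at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest. A clean restore returns
    three empty lists; anything else means the backup is not trustworthy."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one file restores intact, one comes back corrupted,
    one is missing, and a stray file that was never backed up appears."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (live / "invoices.txt").write_text("INV-001 paid\n")
        (live / "staff.txt").write_text("alice,bob\n")
        manifest = build_manifest(live)          # taken when the backup is made
        (restored / "accounts").mkdir(parents=True)
        (restored / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (restored / "invoices.txt").write_bytes(b"\x00garbled")   # corrupted on restore
        (restored / "extra.tmp").write_text("never in the backup set\n")  # staff.txt absent
        return verify_restore(manifest, restored)
```

Run the manifest step on a schedule alongside the backup job and the verify step against every test restore; a non-empty "missing" or "changed" list is the signal to fix the backup before you need it.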
Isolate affected machines immediately — disconnect them from the network to stop lateral spread. Do not restart affected machines (some variants hold keys or state in memory that a restart destroys, and forensics become harder after a reboot). Report to NZ's NCSC or your country's equivalent. Engage an incident response specialist before making any decisions about paying. Check whether free decryption tools exist via No More Ransom — for older or less sophisticated ransomware strains, they sometimes do.
What this looks like in practice
The businesses that come through ransomware incidents with the least damage share a common characteristic: they had tested, offline backups. That's it. That's the single variable with the most impact on outcome. Not the most sophisticated security stack. Not the most expensive tools. Good backups, tested regularly, stored somewhere the ransomware can't reach.
Everything else on the prevention checklist reduces the probability of an incident. Backups determine whether an incident becomes a bad day or an existential event. Do both. But if you can only do one thing this week — sort your backups.
Your website is an attack surface too. GhostRoutine builds sites that are secure by design — minimal footprint, no unnecessary plugins, built to be defensible. If you're worried about your digital security posture, let's talk.