threat level: human

man ransomware-red-flags

Ransomware Basics for Small Business

How ransomware gets in, and the three controls that stop most of it or let you survive what gets through.

By the numbers

  • 48% of breaches involved ransomware in 2025 (Verizon DBIR, 2026)
  • $1.53M average ransomware recovery cost (Sophos, 2025)
  • 62% of breaches involve the human element (Verizon DBIR, 2026)

How it gets in

  • Phishing and malicious attachments. One staff click on a lure is a leading way ransomware lands.
  • Exposed remote access. Open RDP or VPN with weak or reused credentials and no MFA.
  • Unpatched, internet-facing systems. Known vulnerabilities left open long after a fix exists.

Limit the damage before it happens

  • Tested, offline backups. Backups that are offline or immutable, and that you have actually restored.
  • MFA on every remote login. Multi-factor on email, VPN, and admin accounts closes the easy door.
  • A plan you have rehearsed. Know who to call and how to isolate systems before the day you need it.

Early warning signs

  • Security tools disabled or alerting. Antivirus turned off, mass file changes, or odd admin logins.
  • New accounts or tools appearing. Unexpected admin accounts, remote-access tools, or scheduled tasks.
  • Files renamed or unreadable. Documents with strange extensions and a ransom note dropped in folders.
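As an added example (not part of the original guide), a small Python detector that turns the warning signs above into checks over a constructed batch of events: a disabled security tool, a new admin account, a burst of renames to an unknown extension, and a ransom-note filename. The event format, hostnames, extension list and threshold are assumptions for illustration, not a real product's telemetry.

```python
import re
from collections import Counter

# Constructed sample events, not real telemetry: (UTC timestamp, host, event type, detail).
EVENTS = [
    ("2025-03-04T02:11:05", "FS01", "av_disabled", "real-time protection turned off"),
    ("2025-03-04T02:12:30", "FS01", "account_created", "svc_backup2 added to Administrators"),
    ("2025-03-04T02:12:45", "WS07", "account_created", "jsmith added to Sales"),
] + [
    ("2025-03-04T02:13:%02d" % (10 + i), "FS01", "file_rename",
     r"\\FS01\shared\report%d.docx -> \\FS01\shared\report%d.docx.lockd" % (i, i))
    for i in range(6)
] + [
    ("2025-03-04T02:13:40", "FS01", "file_create", r"\\FS01\shared\HOW_TO_RECOVER_FILES.txt"),
    ("2025-03-04T02:14:02", "WS07", "file_rename", r"C:\Users\jsmith\draft.txt -> C:\Users\jsmith\draft_v2.txt"),
]

KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
# Assumed ransom-note naming pattern, e.g. "HOW_TO_RECOVER_FILES.txt" or "README_DECRYPT.html".
RANSOM_NOTE = re.compile(r"(recover|decrypt|restore|readme).*\.(txt|html|hta)$", re.IGNORECASE)
BURST_THRESHOLD = 5  # renames to an unknown extension, per host, within one minute

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def extension(path):
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""

def analyze(events):
    """Return one finding string per warning sign seen in the event list."""
    findings = []
    bursts = Counter()  # (host, minute) -> count of renames to unknown extensions
    for ts, host, kind, detail in events:
        if kind == "av_disabled":
            findings.append(f"{host}: security tool disabled ({detail})")
        elif kind == "account_created" and "administrators" in detail.lower():
            findings.append(f"{host}: new admin account ({detail})")
        elif kind == "file_rename":
            new_path = detail.split(" -> ")[-1]
            ext = extension(new_path)
            if ext and ext not in KNOWN_EXTENSIONS:
                key = (host, ts[:16])  # truncate the timestamp to the minute
                bursts[key] += 1
                if bursts[key] == BURST_THRESHOLD:  # report each burst once
                    findings.append(f"{host}: {BURST_THRESHOLD}+ files renamed to '{ext}' within a minute")
        elif kind == "file_create" and RANSOM_NOTE.search(basename(detail)):
            findings.append(f"{host}: possible ransom note {basename(detail)}")
    return findings
```

Running `analyze(EVENTS)` yields four findings, one for each warning sign in the constructed batch; the ordinary rename on WS07 and the non-admin account are ignored.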

Do and don't

Do

  • Keep offline or immutable backups, and test a real restore.
  • Put MFA on email, VPN, and every admin account.
  • Patch internet-facing systems quickly and close unused remote access.
  • Segment the network and limit admin rights to who truly needs them.
  • Write and rehearse an incident plan with named contacts.

Don't

  • Do not expose RDP or VPN without MFA.
  • Do not run day-to-day on accounts that have admin rights.
  • Do not pay the ransom before contacting law enforcement. Payment guarantees nothing.
  • Do not wipe systems before preserving evidence for investigators.

The one move

Keep offline, tested backups, put MFA on every remote and admin login, and patch internet-facing systems fast. Those three controls stop most ransomware or let you survive what gets through. Report incidents to CISA and the FBI.

If it happens

  1. Isolate affected systems: disconnect from the network, but do not power down yet, since powering off destroys evidence held in memory.
  2. Activate your incident plan and contact your IT team or a response firm.
  3. Report to CISA (cisa.gov) and the FBI at ic3.gov.
  4. Restore from clean, offline backups only after the cause is found and closed.

Go deeper

For the bigger picture, read "What is social engineering" and "How to spot a phishing email". See these warning signs in real cases in the weekly briefings.

Frequently asked questions

// guides/ransomware-red-flags --help
What are the red flags of ransomware for a small business?

Watch the ways it gets in: phishing and malicious attachments, exposed remote access without MFA, and unpatched internet-facing systems. Then watch the early signs: security tools disabled, mass file changes, odd admin logins, new accounts or remote-access tools, and files renamed with strange extensions alongside a ransom note. Treat any pressure to act fast, skip a check, or keep it secret as a red flag too.

What is the one move that stops it?

Keep offline, tested backups, put MFA on every remote and admin login, and patch internet-facing systems fast. Those three controls stop most ransomware or let you survive what gets through. Report incidents to CISA and the FBI.

What should I do if it already happened?

Isolate affected systems: disconnect from the network, but do not power down yet, since powering off destroys evidence held in memory. Activate your incident plan and contact your IT team or a response firm. Report to CISA (cisa.gov) and the FBI at ic3.gov. Restore from clean, offline backups only after the cause is found and closed.