Ransomware is the cyber threat that gets the most coverage and causes the most genuine damage to small businesses. It’s also surrounded by either technical jargon or vague advice that amounts to “have good backups.” Both are unhelpful if you’re trying to understand what you’re actually dealing with.

This is a plain walkthrough of what ransomware is, what happens when it hits, and what your real options are at each stage. Not a scare piece — a practical one.

What ransomware actually is

Ransomware is malicious software that encrypts your files — documents, databases, emails, everything it can reach — and then demands payment (usually in cryptocurrency) in exchange for the decryption key. Without that key, your files are unreadable. With it, you can theoretically restore access.

The “theoretically” matters. We’ll come back to that.

Modern ransomware attacks are rarely the work of a lone hacker. The ransomware-as-a-service model means criminal groups develop the software and sell or lease it to “affiliates” who carry out the actual attacks. The methodology has also evolved — many groups now exfiltrate (steal) your data before encrypting it, which means even if you restore from backup, they can still threaten to publish your customer records, financial data, or confidential information. This is called double extortion, and it changes the calculus considerably.

How it gets in

The most common entry points for small businesses:

Phishing email. An employee clicks a link or opens an attachment. The malicious code runs, often silently, and gives the attacker a foothold. Encryption usually does not start straight away: the attacker first spreads across the network, collects more credentials, locates your backups and often copies data out. The gap between the first compromise and the encryption is commonly days or weeks, long enough for the intrusion to reach most of the network and for already-compromised systems to be swept into your backups.

Remote Desktop Protocol (RDP) exposed to the internet. If your business uses Remote Desktop for remote access and its port (TCP 3389 by default) is reachable from the internet with password-only logins, it’s a known target. Attackers scan the whole internet for exposed RDP endpoints routinely and try stolen or guessed passwords against them. RDP belongs behind a VPN or a remote-access gateway with MFA, never directly on the internet.

Compromised credentials. A password reused from a breached service, purchased on the dark web, or obtained through phishing gives an attacker valid credentials to your systems. They walk in through the front door.

Unpatched software. Known vulnerabilities in unpatched operating systems or applications are exploited. This is why patching matters — not as a theoretical good practice, but because attackers actively scan for and target known unpatched vulnerabilities.

What happens in the first hour

The experience of a ransomware attack for most small business owners starts with something not working. A file that won’t open. A desktop that looks wrong. An employee reporting they can’t access anything on the shared drive.

By the time someone notices, the encryption is usually already running or complete. The ransom note, a text file or screen takeover explaining what happened and how to pay, appears on affected machines, often in every folder that was encrypted.

What you’re dealing with in the first hour:

  • Files across your network are encrypted and inaccessible
  • You don’t yet know the scope — how many machines, which systems, whether backups are affected
  • Staff are unable to work on any affected system
  • You’re in the middle of a potential legal notification obligation if customer data is involved

The most important thing to do in the first hour is isolate affected systems from the network — disconnect them from the internet and from each other — to stop the encryption spreading further. Turn off Wi-Fi, unplug network cables. This feels counterintuitive when you’re in panic mode but it’s the right call. Disconnecting is better than powering off: a machine that is switched off loses evidence in memory that responders may need, so shut devices down only if you cannot take them off the network. Don’t wipe or reinstall anything yet, and keep a copy of the ransom note and a few encrypted files, because identifying which ransomware variant you have is the first step in every recovery path.
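The scoping question above (how many machines, which systems, whether backups are affected) usually comes down to walking a file share and counting what has been touched. The script below is an added example written for this article, not code from the original page. It flags the three things a responder looks for on a share: files renamed with an extra extension (for example invoice.xlsx.locked), files that should be plain text but read as random bytes (ransomware that encrypts in place without renaming), and small text files whose names look like ransom notes. The extension sets, the note-name pattern and the sample directory it builds are constructed assumptions for the demo, not a catalogue of real ransomware families.

```python
"""First-hour scope triage for a file share (added example, not from the article).

Walks a directory tree and flags three things a responder looks for:
  - renamed files such as invoice.xlsx.locked (known type, unknown extension
    appended), the usual signature of ransomware that renames what it encrypts
  - files that should be plain text but read as random bytes, which catches
    ransomware that encrypts in place without renaming
  - small text files whose names look like ransom notes
The extension sets, the note-name pattern and the sample tree are constructed
assumptions for this demo, not a catalogue of real ransomware families.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Assumed: ordinary business file types. Compressed formats (docx, pdf, jpg, zip)
# legitimately look random, so only the PLAINTEXT_TYPES subset gets the entropy test.
KNOWN_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg",
               ".png", ".zip", ".txt", ".csv", ".log", ".xml", ".json", ".sql",
               ".html", ".ini", ".mdb", ".bak"}
PLAINTEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".sql", ".html", ".ini"}
# Assumed note-name pattern. Plain "readme" is left out on purpose: it is too
# common in legitimate files and would drown the result in false positives.
NOTE_NAME = re.compile(r"(decrypt|restore|recover|how[_\- ]?to|ransom)", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte: English text is ~4-5, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte (0 for empty input, close to 8 for random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> Optional[str]:
    """Return 'ransom_note', 'renamed', 'encrypted_in_place' or None."""
    suffix = path.suffix.lower()
    if NOTE_NAME.search(path.stem) and suffix in {".txt", ".html", ".hta"}:
        return "ransom_note"
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in KNOWN_TYPES and suffixes[-1] not in KNOWN_TYPES:
        return "renamed"
    if suffix in PLAINTEXT_TYPES:
        with path.open("rb") as f:
            sample = f.read(sample_size)
        # Tiny files give unreliable entropy estimates, so require a minimum size.
        if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            return "encrypted_in_place"
    return None


def triage(root: Path) -> dict:
    """Count and list suspicious files under root; paths are relative, POSIX style."""
    summary = {"scanned": 0, "ransom_note": [], "renamed": [], "encrypted_in_place": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file():
                continue
            summary["scanned"] += 1
            label = classify_file(p)
            if label:
                summary[label].append(p.relative_to(root).as_posix())
    hit = len(summary["renamed"]) + len(summary["encrypted_in_place"])
    summary["affected_fraction"] = hit / summary["scanned"] if summary["scanned"] else 0.0
    return summary


def run_demo() -> dict:
    """Build a constructed sample share in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    (root / "minutes.txt").write_text("board meeting minutes, action items\n" * 200)
    (root / "photo.jpg").write_bytes(os.urandom(4096))            # random but expected
    (root / "invoice.xlsx.locked").write_bytes(os.urandom(4096))  # renamed and encrypted
    (root / "finance" / "accounts.csv").write_bytes(os.urandom(4096))  # encrypted in place
    (root / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Contact us to buy the key.\n")
    return triage(root)


if __name__ == "__main__":
    result = run_demo()
    for key in ("ransom_note", "renamed", "encrypted_in_place"):
        print(f"{key}: {result[key]}")
    print(f"affected: {result['affected_fraction']:.0%} of {result['scanned']} files")
```

Run it against the root of a share (replace the constructed sample with a real path in triage) from a clean machine with read-only access. The affected fraction per share, plus the list of renamed files, is the quickest honest answer to "how bad is it" before the forensics people arrive; the appended extension and the note text are also exactly what you need to identify the variant.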

Your options — and what they actually mean

Option 1: Restore from backup.

This is the right answer if your backups are clean, recent, and tested. You restore your systems from a point before the infection, lose some data (whatever was created between the last clean backup and the attack), and get back to work.

The catches: backups need to be recent enough that the data loss is acceptable. They need to be isolated from your main network so the ransomware didn’t encrypt them too, and the account that writes the backups must not be able to delete or overwrite earlier copies, because attackers look for and destroy backups before they encrypt. And they need to have been tested — a backup you’ve never restored from is a backup you can’t be confident in.

If your backups are on a network drive that was connected when the attack hit, they may be encrypted too. If your last tested restore was eight months ago, you don’t actually know if it works.
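The two failure modes above, a backup that was reachable when the attack hit and a backup nobody has restored from, are both caught by the same habit: record what you backed up and check it against what comes back from a test restore. The script below is an added example written for this article, not code from the original page. It records a SHA-256 manifest of the source tree at backup time, then compares a restored copy against that manifest, listing anything missing or altered. The demo tree, file names and the simulated "network drive" backup that gets encrypted are constructed for the example; the copy step stands in for whatever your real backup software does.

```python
"""Restore test for a backup set (added example, not from the article).

At backup time, record a SHA-256 manifest of everything backed up. After a test
restore into scratch space, compare the restored tree against that manifest:
anything missing or altered means the backup cannot be relied on. The demo
also simulates the failure mode from the text, a backup that was reachable
from the network when the ransomware hit, so a restore from it fails the
check. The sample files and directory names are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(set(restored) - set(manifest))  # e.g. renamed encrypted files
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "extra": extra}


def run_demo() -> dict:
    """Constructed scenario: one offline backup, one on a mapped drive that got encrypted."""
    work = Path(tempfile.mkdtemp(prefix="restore_test_"))
    source = work / "source"
    (source / "finance").mkdir(parents=True)
    (source / "docs").mkdir()
    (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (source / "docs" / "contract.docx").write_bytes(b"PK\x03\x04 stand-in for a docx")
    manifest = build_manifest(source)
    # The manifest is written alongside the backup job; keep a copy off the share too.
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

    # Backup A: copied somewhere the ransomware could not reach (offline or immutable).
    shutil.copytree(source, work / "backup_offline")
    # Backup B: a mapped network drive. Simulate the ransomware encrypting it:
    # one file overwritten in place, one renamed with an appended extension.
    network = work / "backup_network"
    shutil.copytree(source, network)
    (network / "finance" / "ledger.csv").write_bytes(os.urandom(64))
    (network / "docs" / "contract.docx").rename(network / "docs" / "contract.docx.locked")

    saved = json.loads((work / "manifest.json").read_text())
    results = {}
    for label, backup in (("offline", work / "backup_offline"), ("network", network)):
        scratch = work / f"restore_{label}"
        shutil.copytree(backup, scratch)  # stand-in for the real restore step
        results[label] = verify_restore(saved, scratch)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        status = "OK" if result["ok"] else "FAILED"
        print(f"{label}: {status} missing={result['missing']} changed={result['changed']} extra={result['extra']}")
```

The point of the check is the schedule, not the script: a restore test you run monthly into scratch space tells you, with evidence, whether the backup from last night is something you can stand a business on. The "network" result is what an untested mapped-drive backup looks like after an attack, a manifest full of files that are either gone or unreadable.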

Option 2: Pay the ransom.

Most law enforcement agencies, including the Australian Federal Police and the ACSC, advise against paying. The reasons are practical, not just moral:

  • Payment doesn’t guarantee you’ll get a working decryption key
  • It confirms to the attackers that you pay, making you a future target
  • It funds further attacks on other businesses
  • It doesn’t address the exfiltrated data if double extortion is involved
  • In some jurisdictions, paying ransoms to sanctioned groups may have legal implications

That said, some businesses pay. Usually when the alternative is losing years of data with no viable backup. It’s a last resort, not a strategy.

Option 3: Rebuild.

In severe cases where backups are inadequate and paying isn’t viable, the option is rebuilding from scratch — reinstalling operating systems, restoring what data exists, recreating what doesn’t. This is expensive, slow, and disruptive. It’s also sometimes the only viable path.

Option 4: Negotiate or wait.

Some businesses negotiate with the attackers, directly or through a specialist firm, to reduce the demand or to buy time while they work out the state of their backups. Negotiating is still a step toward paying, and carries the same caveats as Option 2.

Waiting can also work. Free decryption tools become available over time when security researchers find a flaw in a variant’s encryption, when a group’s keys leak, or when police seize a group’s infrastructure. The No More Ransom project (nomoreransom.org) maintains a database of free decryptors and a tool that identifies the variant from a ransom note and an encrypted file. It rarely helps with recent variants, but it costs nothing to check, which is one more reason to keep the note and a few encrypted files rather than deleting them.

The realistic business impact

For a small business hit hard by ransomware with poor backups, the realistic picture is:

  • Downtime of days to weeks depending on the recovery path
  • Data loss ranging from hours to potentially everything, depending on backup quality
  • Recovery costs — IT forensics, rebuild labour, hardware replacement if needed — typically $10,000–$50,000+ for a small business
  • Ransom demand — these vary enormously, from a few thousand to hundreds of thousands of dollars
  • Regulatory obligations — if customer personal data was accessed or exfiltrated, you may have mandatory notification obligations under the Notifiable Data Breaches scheme
  • Reputational impact — if notification is required, customers find out

The businesses that recover fastest and cheapest are the ones with clean, recent, tested, offline backups and a documented incident response plan. Neither of those things is expensive to implement. They’re just easy to defer.

What actually reduces your risk

Multi-factor authentication on everything. Especially email, remote access, and any admin accounts. A compromised password is far less useful to an attacker if MFA is in place.

Tested backups, stored offline or in immutable cloud storage. A backup can’t be encrypted or deleted if the attacker can’t reach it: either physically disconnected (a rotated drive or tape that only comes online for the backup job), or in cloud storage configured so that nothing, including your own admin account, can overwrite or delete a copy until its retention period ends. Keep at least one copy that way, and test restores on a schedule. Know your backups work before you need them.

Patching. Operating systems and applications kept current. Not glamorous, genuinely effective.

Staff awareness. Most attacks start with a click. Basic training on recognising phishing significantly reduces the likelihood of that click happening.

Least privilege access. Staff should only have access to the systems and files they need for their role. Ransomware spreads using the permissions of the account it compromises — limiting those permissions limits the spread.

None of these individually makes you immune. Together they make you a harder target and dramatically improve your recovery options if an attack does succeed.

If you’re not sure how your business sits against these basics, get in touch. We’ll give you a straight assessment — no scare tactics, no vendor agenda.