Ransomware Protection: What Small Businesses Need to Know in 2026
Ransomware can lock your files, halt your operations, and demand thousands of dollars. Here is exactly how to prevent it, prepare for it, and recover if it happens.
The Reality
A ransomware attack occurs every 11 seconds. 60% of small businesses that suffer a major data loss close within six months. The average ransom demand is increasing year over year. Paying the ransom does not guarantee you will get your data back. But here is what matters: ransomware is almost entirely preventable with the right backups and basic security hygiene.
How Ransomware Actually Works
Understanding the attack chain helps you defend against it. Ransomware typically gets in through one of these paths:
- Phishing email with a malicious attachment (most common) — Employee opens what looks like an invoice PDF but is actually a malicious file that runs ransomware.
- Phishing email with a link to a malicious website — Employee clicks a link, the site exploits a browser vulnerability, ransomware downloads.
- Remote Desktop Protocol (RDP) exposed to the internet — If you have RDP (remote desktop) accessible from the internet with a weak password, attackers scan for and find these within hours.
- Unpatched software vulnerability — Attackers exploit a known vulnerability in software that hasn't been updated.
Once the ransomware runs, it encrypts every file it can reach — local files, network shares, cloud storage folders synced to the computer — and displays a ransom note demanding payment (usually in Bitcoin) in exchange for the decryption key.
Prevention: Stop Ransomware Before It Runs
1. The 3-2-1 Backup Rule Is Non-Negotiable
Backups are your ransomware insurance policy. If you have clean, recent, offline backups, ransomware becomes an inconvenience rather than a disaster. The rule:
- 3 copies of your data
- 2 different media types (e.g., cloud + external hard drive)
- 1 copy offsite (cloud or physical drive stored elsewhere)
But not all backups are equal. Ransomware actively seeks out and encrypts connected backups. A backup drive that is permanently plugged in will be encrypted along with everything else. This is why immutable backups — backups that cannot be modified or deleted once written — are critical. Veeam Community Edition (free for up to 10 workloads) supports immutable backups. Backblaze B2 and Wasabi (cloud storage) also support object lock for immutability.
Test your backups. A backup you have never restored from is a hope, not a backup. Once a quarter, actually restore a file from backup to verify it works.
2. Block the Attack Vectors
- Email: Enable advanced phishing protection in Google Workspace or Microsoft 365. Configure DMARC, SPF, and DKIM for your domain. Block executable attachments (.exe, .scr, .js, .vbs) at the email gateway.
- RDP: Never expose RDP (port 3389) directly to the internet. If remote desktop access is needed, put it behind a VPN or zero-trust proxy.
- Software: Enable automatic updates on everything. The WannaCry ransomware in 2017 exploited a vulnerability that had been patched months earlier — victims were simply unpatched.
3. Principle of Least Privilege
Each employee should only have access to the files and systems they actually need for their job. If the marketing intern's computer gets infected, the ransomware can only encrypt files the intern had access to — not the entire company file server. This is built into Google Workspace and M365: create shared drives with specific access permissions rather than giving everyone access to everything.
4. Application Whitelisting (for High-Risk Roles)
For employees in finance, HR, or executive roles — the most targeted positions — consider application whitelisting. Windows AppLocker (built into Windows Pro and Enterprise) allows only approved applications to run. If ransomware tries to execute, it is blocked regardless of whether the antivirus recognizes it.
Response: What to Do If You Are Attacked
Immediate Actions (First 30 Minutes)
- Isolate the infected computer: Disconnect it from the network immediately (Wi-Fi off, Ethernet cable unplugged). Do not shut it down yet — there may be forensic evidence in memory.
- Identify the scope: Check other computers and file shares. Is it one machine or multiple?
- Disconnect your backups: Physically unplug backup drives and revoke cloud backup access tokens to prevent the ransomware from reaching them. This should be your highest priority after isolation.
- Change all privileged account passwords from a clean device — domain admin, cloud admin, email admin.
Should You Pay the Ransom?
The official guidance from law enforcement (FBI, CISA, Europol) is: do not pay. Reasons:
- Paying funds further criminal activity and encourages more attacks
- There is no guarantee you will get your data back — about 40% of victims who pay never receive working decryption keys
- Even if you get the key, decryption is often slow and imperfect
- You may be targeted again — attackers share lists of "payers"
The only scenario where paying might make sense: your backups have failed, the ransom is less than the cost of rebuilding from scratch, and you have exhausted all other recovery options. Even then, consult with a professional incident response firm and law enforcement first.
Recovery
- Wipe and rebuild infected machines from scratch. Do not try to clean them — you can never be sure the malware is completely gone.
- Restore from clean backups. Verify that your backups are clean before restoring (some ransomware lies dormant for weeks before activating, meaning your backups may contain the malware).
- Conduct a post-incident review. How did it get in? What failed? What needs to change?
- Notify affected parties. Depending on your jurisdiction and the type of data affected, you may be legally required to notify customers, regulators, or law enforcement.
Your Ransomware Preparedness Checklist
- ✅ 3-2-1 backup strategy implemented and tested quarterly
- ✅ Immutable backups configured (cannot be modified by ransomware)
- ✅ Phishing protection enabled on email (DMARC, SPF, DKIM)
- ✅ RDP not exposed to the internet
- ✅ Automatic updates enabled on all systems
- ✅ Principle of least privilege applied to file access
- ✅ Incident response plan documented and accessible offline
- ✅ Cyber insurance coverage reviewed (does it cover ransomware?)
- ✅ Offline copy of critical contact information (IT support, insurance, legal)
The Bottom Line
Ransomware is not some exotic threat that only happens to other people. It is a commodity criminal enterprise that targets small businesses specifically because they tend to have weaker defenses. But the defense is straightforward: backups, patching, phishing training, and least-privilege access. These four things prevent the vast majority of ransomware attacks. If your backup strategy is solid, ransomware is a cleanup job, not a catastrophe.