Cybersecurity

What is ransomware and how do I protect my business?

Plain-English explanation of ransomware, how attacks happen, and the practical steps to protect your business and recover if attacked.

centrexIT Team 8 min read

Ransomware is probably the biggest cyber threat facing businesses today. Let’s break down what it is, how it works, and - most importantly - how to protect yourself.

What Is Ransomware?

Ransomware is malicious software that encrypts your files and demands payment to unlock them.

Think of it like someone changing all the locks in your office and demanding money for the new keys. Except it’s your computer files - documents, databases, photos, everything.

The typical ransomware attack:

  1. Ransomware gets into your system (usually through email or weak security)
  2. It spreads across your network
  3. It encrypts every file it can reach
  4. You see a message demanding payment (usually in cryptocurrency)
  5. If you pay, you might get your files back
  6. If you don’t pay, your data stays encrypted forever

How Bad Is It Really?

2024 statistics:

  • Average ransom payment: $1.5 million (for those who pay)
  • Average downtime: 22 days
  • 73% of ransomware attacks successfully encrypt data
  • Only 8% who pay get all their data back

The ransom is often the smallest cost. Add in:

  • Business downtime
  • Recovery costs
  • Reputation damage
  • Potential regulatory fines
  • Lost customers

Real example: A 25-person accounting firm hit by ransomware during tax season. Ransom demand: $75,000. They paid. Got 60% of files back (corrupted). Total cost including recovery, lost business, and overtime: over $300,000.

How Does Ransomware Get In?

#1: Phishing Emails (67% of attacks)

Someone opens an attachment or clicks a link in a malicious email. The email looks legitimate - maybe an invoice, a shipping notification, or a message from “IT support.”

#2: Compromised Credentials (18%)

Stolen or weak passwords give attackers direct access. Remote Desktop Protocol (RDP) exposed to the internet is a favorite target.

#3: Software Vulnerabilities (10%)

Unpatched systems have known security holes that attackers exploit.

#4: Supply Chain (5%)

Attackers compromise software you use to get into your systems (like the Kaseya attack that hit thousands of businesses).

How to Protect Your Business

The 3-2-1 Backup Rule (Your Last Line of Defense)

Even with perfect security, ransomware might get through. Backups are your recovery plan.

3-2-1 Rule:

  • 3 copies of your data
  • 2 different types of media
  • 1 copy offsite (and offline)

Critical: Test your backups regularly. Backups that don’t restore are worthless.

Air-gapped backups: At least one backup should be disconnected from your network. Ransomware can’t encrypt what it can’t reach.

Multi-Factor Authentication (MFA)

MFA stops attackers even if they have your password. This single control prevents the majority of account compromises.

Where to enable MFA:

  • Email (Microsoft 365, Google Workspace)
  • VPN access
  • Remote desktop
  • Admin accounts everywhere
  • Banking

Endpoint Detection and Response (EDR)

Traditional antivirus isn’t enough anymore. EDR provides:

  • Behavioral detection (catches unknown threats)
  • Ransomware-specific protections
  • Automated response
  • Professional monitoring

Email Security

Since most ransomware comes through email:

  • Advanced spam filtering
  • Link scanning (checks URLs in real-time)
  • Attachment sandboxing (opens files safely first)
  • Impersonation protection

Employee Training

Your employees are your first line of defense AND your biggest vulnerability.

Train them to:

  • Spot phishing emails
  • Not open unexpected attachments
  • Report suspicious messages
  • Verify requests for money or sensitive info

Patch Management

Keep everything updated:

  • Operating systems (Windows, Mac)
  • Applications (Office, browsers, Adobe)
  • Firmware (firewalls, routers)
  • Server software

Attackers love known vulnerabilities in unpatched systems.

Network Segmentation

Don’t let ransomware spread everywhere:

  • Separate your network into segments
  • Limit admin access
  • Use least-privilege principles

Limit Remote Access

  • No RDP exposed directly to internet
  • Use VPN with MFA for remote access
  • Consider zero-trust remote access solutions

What to Do If You’re Attacked

If you wake up to ransom notes on your screens:

Immediate Steps (First Hour)

  1. Disconnect affected systems from the network - Unplug ethernet cables, disable WiFi. Don’t turn off computers yet.

  2. Document everything - Take photos of ransom notes. Note which systems are affected.

  3. Call your IT provider/security team - This is not DIY time.

  4. Don’t pay the ransom immediately - You have time. Evaluate your options.

  5. Report to authorities - FBI (ic3.gov), CISA, local law enforcement.

Recovery Decision

You have two paths:

Path A: Recover from Backups

  • Validate backup integrity
  • Wipe affected systems
  • Restore from clean backups
  • Verify no ransomware remains

Path B: Consider Paying

  • Consult with professionals first
  • Understand you might not get files back
  • Know that payment funds future attacks
  • Some ransomware groups are “reliable,” others aren’t

Our strong recommendation: Invest in backups and security now so you never face this decision.

After Recovery

Even after you’re back online:

  • Investigate how they got in
  • Close the vulnerability
  • Assume they still have access (scan everything)
  • Enhance monitoring
  • Review and improve your security posture

Should You Pay?

This is a business decision, but consider:

Arguments against paying:

  • No guarantee you’ll get data back
  • Funds criminal organizations
  • Makes you a known “payer” (future target)
  • May violate sanctions (some ransomware groups are sanctioned entities)

Arguments for paying:

  • May be only way to recover critical data
  • Faster than rebuilding
  • Business survival depends on it

The FBI’s position: They recommend not paying, but understand some businesses have no choice.

Our position: If you have proper backups and can recover, don’t pay. If your backups failed and you’ll lose your business, make the decision that keeps your business alive - but know the risks.

Ransomware Insurance

Cyber insurance can cover:

  • Ransom payments
  • Business interruption
  • Recovery costs
  • Legal fees
  • Customer notification

Important: Insurers increasingly require proof of security controls. No MFA? No coverage.

The Bottom Line

Ransomware is a serious threat, but it’s not inevitable. Businesses that implement:

  • Good backups (3-2-1 rule)
  • MFA everywhere
  • EDR on all endpoints
  • Employee training
  • Regular patching

…dramatically reduce their risk and can recover if the worst happens.

The cost of prevention is a fraction of the cost of recovery.

Worried about ransomware? Let’s assess your readiness. Contact us for a ransomware readiness review.

Have More Questions?

Our team is here to help. Whether you're evaluating IT services or have a specific question about your technology, we're happy to have a conversation.

Contact Us Browse More Questions

Related Questions

Do small businesses really need cybersecurity?

SMB Cybersecurity

How do I know if my business has been hacked?

Signs of a Breach

Is free antivirus enough for my business?

Free vs Paid Antivirus