Ransomware Protection for Small Business: How to Prevent and Survive an Attack
This post contains affiliate links. If you purchase through our links we may earn a small commission at no extra cost to you.
Ransomware Has Become the Most Disruptive Cyberthreat for Small Businesses
Ransomware is malicious software that encrypts your files and demands payment — typically in cryptocurrency — in exchange for the decryption key. What began as an attack targeting large enterprises has shifted decisively toward small businesses, which ransomware operators have learned are less likely to have effective backups, less likely to have cyber insurance, and more likely to pay quickly to restore operations.
The average ransom demand against a small business in 2025 was approximately $170,000. Many businesses that pay still do not receive a working decryption key. And paying the ransom does not address how the attackers got in — without remediation, reinfection is common. The businesses that survive ransomware with minimal damage are the ones that had prevention controls in place before the attack and offline backups that made paying the ransom unnecessary.
How Ransomware Gets Into Small Business Networks
Understanding the entry points helps prioritize your defenses:
- Phishing email (most common): An employee clicks a malicious attachment or link that downloads and executes ransomware. The email looks like a shipping notification, invoice, HR communication, or other routine business document.
- Compromised Remote Desktop Protocol (RDP): Businesses with RDP exposed directly to the internet — often used for remote access — are scanned continuously by attackers. Weak passwords on RDP accounts are brute-forced and used to access the network directly.
- Software vulnerabilities: Unpatched software with known vulnerabilities provides direct entry points. Attackers scan for unpatched systems and exploit them automatically.
- Compromised credentials: Stolen or purchased credentials from previous breaches are used to access business systems through VPNs, cloud portals, or email.
- Malicious websites and drive-by downloads: Visiting a compromised website can trigger automatic malware download in unpatched browsers.
Prevention: The Controls That Block Most Ransomware
Endpoint Detection and Response (EDR) Software
Traditional antivirus recognizes known malware by signature — it compares files against a database of identified threats. Ransomware operators regularly modify their code to evade signature detection. Endpoint Detection and Response (EDR) software uses behavioral analysis instead — monitoring for suspicious activity patterns regardless of whether the specific malware is in a known-threat database. An EDR solution that detects and blocks encryption behavior before it completes can stop a ransomware attack mid-execution.
For small businesses, EDR is available through managed security services or directly from vendors like SentinelOne, CrowdStrike Falcon Go, and Microsoft Defender for Business. Expect to pay $5 to $15 per endpoint per month for business-grade EDR.
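The paragraph above says EDR watches behaviour rather than signatures. The following is an added example, not code from this post or from any of the vendors it names, that shows the simplest form of the signal such tools key on: one process writing to and renaming many files across several folders, changing their extensions, inside a short window. The event format, the thresholds, the process name `updater.exe` and every path are constructed for illustration.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (an assumption for this example, not any product's tuning)
WINDOW_SECONDS = 60    # sliding window per process
MIN_FILES = 20         # distinct files touched inside the window
MIN_DIRS = 3           # distinct folders touched inside the window
MIN_EXT_CHANGES = 10   # renames that change the file extension inside the window

# Constructed benign activity (a user editing documents in Word). Fields:
#   timestamp  pid  image  op  path  [new_path for RENAME]
BENIGN_EVENTS = r"""
2025-03-04T09:00:01 4120 winword.exe WRITE C:\Users\sales\Documents\q1.docx
2025-03-04T09:00:05 4120 winword.exe WRITE C:\Users\sales\Documents\q1.docx
2025-03-04T09:02:30 4120 winword.exe WRITE C:\Users\sales\Documents\q2.docx
2025-03-04T09:03:12 4120 winword.exe RENAME C:\Users\sales\Documents\~q2.tmp C:\Users\sales\Documents\q2.docx
""".strip().splitlines()


def constructed_encryption_burst(pid=7732, image="updater.exe", start="2025-03-04T09:14:10"):
    """Constructed burst: one process writes then renames 24 files in 3 folders within 24 seconds."""
    folders = [r"C:\Users\sales\Documents", r"C:\Users\sales\Desktop", r"C:\Shares\Accounting"]
    t0 = datetime.fromisoformat(start)
    lines = []
    for i in range(24):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        src = rf"{folders[i % len(folders)]}\file{i}.xlsx"
        lines.append(f"{ts} {pid} {image} WRITE {src}")
        lines.append(f"{ts} {pid} {image} RENAME {src} {src}.locked")
    return lines


def parse_event(line):
    parts = line.split()
    ts, pid, image, op, path = parts[:5]
    new_path = parts[5] if op == "RENAME" else None
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "image": image,
            "op": op, "path": path, "new_path": new_path}


def extension_changed(old, new):
    # ntpath handles Windows-style paths on any host
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def detect_mass_modification(lines):
    """Return one alert per process whose file activity crosses the thresholds inside the window."""
    windows = defaultdict(deque)   # pid -> deque of (ts, path, extension_changed)
    alerts = {}
    events = sorted((parse_event(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    for ev in events:
        if ev["op"] not in ("WRITE", "RENAME"):
            continue
        win = windows[ev["pid"]]
        changed = ev["op"] == "RENAME" and extension_changed(ev["path"], ev["new_path"])
        win.append((ev["ts"], ev["path"], changed))
        # drop entries that fell out of the sliding window
        while (ev["ts"] - win[0][0]).total_seconds() > WINDOW_SECONDS:
            win.popleft()
        files = {p for _, p, _ in win}
        dirs = {ntpath.dirname(p) for p in files}
        ext_changes = sum(1 for _, _, c in win if c)
        breadth = len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS
        if ev["pid"] not in alerts and (breadth or ext_changes >= MIN_EXT_CHANGES):
            alerts[ev["pid"]] = {"pid": ev["pid"], "image": ev["image"], "first_seen": win[0][0],
                                 "files": len(files), "dirs": len(dirs), "ext_changes": ext_changes}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_modification(BENIGN_EVENTS + constructed_encryption_burst()):
        print(alert)
```

The benign Word session never trips the detector: it touches two documents in three minutes and performs a single temp-file rename. The constructed burst is flagged after its tenth extension-changing rename, roughly ten seconds in, which is the point at which a real EDR would suspend or kill the process and isolate the host rather than wait for the remaining files to be encrypted.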
Email Filtering and Anti-Phishing
Since phishing is the most common ransomware entry point, a strong email security layer is the highest-value preventive control. Microsoft 365 Defender and Google Workspace’s built-in security provide solid baseline protection. For additional protection, a dedicated email security gateway adds a layer of scanning before messages reach employee inboxes.
Disable or Secure RDP
If your business does not require RDP for remote access, disable it. If RDP is required, never expose it directly to the internet — require VPN access first, then RDP within the VPN tunnel. Enable Network Level Authentication (NLA) and enforce strong passwords and MFA on all RDP accounts. Together, these configuration changes close one of the most commonly exploited ransomware entry points.
A business VPN creates the secure tunnel needed for safe remote access. NordVPN for Teams provides encrypted remote access at a price point accessible to small businesses.
Patch Management — Aggressively
Apply critical security patches within 30 days of release — sooner for actively exploited vulnerabilities. Enable automatic updates for operating systems and browsers where possible. For business applications that require manual updates, assign a specific person responsible for patch management and set calendar reminders.
Principle of Least Privilege
Employees should only have access to the files, systems, and permissions they need for their specific job function — nothing more. A ransomware infection that starts on a sales employee’s computer should not be able to encrypt the accounting department’s files. Network segmentation and access controls limit the blast radius of a successful infection.
The Most Important Ransomware Defense: Offline Backups
Every prevention control can fail. The one defense that makes ransomware survivable — regardless of how sophisticated the attack — is a tested backup that ransomware cannot reach and encrypt.
Ransomware operators know that backups defeat their leverage. Modern ransomware specifically seeks out and destroys backup files and cloud sync folders before triggering encryption. Backups stored in the same location as production data, connected continuously to the network, or accessible with the same credentials as other business systems are not protected against ransomware.
An effective ransomware-resistant backup strategy includes:
- Offline or air-gapped backups: Backups on physical media that is disconnected from the network except during the backup window — ransomware cannot encrypt a drive it cannot reach.
- Immutable cloud backups: Cloud backup services that use object lock or write-once storage, which prevents modification or deletion for a defined retention period. Ransomware cannot alter immutable backups even with compromised credentials.
- Multiple retention points: Keep backups going back at least 30 days — some ransomware infections are dormant for weeks before triggering, meaning recent backups may contain the infection.
- Tested restores: A backup that has never been tested is not a known working backup. Test restoration quarterly at minimum.
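The four criteria in the list above can be checked mechanically. The following is an added example, not code from this post or from any backup product: a small policy check over a set of backup snapshots (protected copy exists, protected retention reaches 30 days, a restore test within the last quarter) plus a working restore test that copies a backup into a scratch directory and compares every file against the SHA-256 manifest recorded at backup time. The `Snapshot` class, its storage categories and the sample files are constructed for illustration; "immutable" here stands in for an object-lock retention that has not yet expired.

```python
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional

RETENTION_DAYS = 30     # from the post: keep backups going back at least 30 days
RESTORE_TEST_DAYS = 90  # from the post: test restoration quarterly at minimum


@dataclass
class Snapshot:
    taken: datetime
    storage: str                             # constructed categories: "offline", "immutable", "online"
    locked_until: Optional[datetime] = None  # immutable only: end of the object-lock retention period


def is_protected(s: Snapshot, now: datetime) -> bool:
    """True if ransomware running on the network right now could not alter this copy."""
    if s.storage == "offline":
        return True
    # an immutable copy whose lock has expired behaves like any other online copy
    return s.storage == "immutable" and s.locked_until is not None and s.locked_until > now


def assess_backup_policy(snapshots: List[Snapshot], last_restore_test: Optional[datetime],
                         now: datetime) -> List[str]:
    """Check a snapshot set against the post's criteria; an empty list means every check passed."""
    findings = []
    protected = [s for s in snapshots if is_protected(s, now)]
    if not protected:
        return ["no offline or currently immutable copy exists"]
    oldest_age = now - min(s.taken for s in protected)
    if oldest_age < timedelta(days=RETENTION_DAYS):
        findings.append(f"protected retention is {oldest_age.days} days, less than {RETENTION_DAYS}")
    if last_restore_test is None or now - last_restore_test > timedelta(days=RESTORE_TEST_DAYS):
        findings.append(f"no restore test within the last {RESTORE_TEST_DAYS} days")
    return findings


def hash_tree(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup: Path) -> None:
    """Copy the tree and record a manifest of the source hashes alongside it."""
    shutil.copytree(source, backup / "data")
    (backup / "manifest.json").write_text(json.dumps(hash_tree(source), indent=1))


def restore_test(backup: Path) -> List[str]:
    """Restore into a scratch directory and return the paths that do not match the manifest."""
    manifest = json.loads((backup / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup / "data", restored)
        actual = hash_tree(restored)
    return sorted(p for p in set(manifest) | set(actual) if manifest.get(p) != actual.get(p))


def demo_restore_cycle():
    """Constructed end-to-end run: back up two files, verify, damage one backup copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bkp = Path(tmp) / "src", Path(tmp) / "backup"
        src.mkdir()
        (src / "ledger.csv").write_text("date,amount\n2025-03-01,120.00\n")   # constructed sample
        (src / "notes.txt").write_text("constructed sample file\n")
        make_backup(src, bkp)
        clean = restore_test(bkp)
        (bkp / "data" / "ledger.csv").write_bytes(b"\x00" * 16)  # simulate a damaged backup copy
        damaged = restore_test(bkp)
    return clean, damaged


if __name__ == "__main__":
    now = datetime(2025, 3, 4)
    snaps = [Snapshot(datetime(2025, 3, 3), "online"),
             Snapshot(datetime(2025, 2, 1), "immutable", locked_until=datetime(2025, 5, 1)),
             Snapshot(datetime(2025, 2, 28), "offline")]
    print(assess_backup_policy(snaps, datetime(2025, 1, 15), now) or "backup policy: all checks pass")
    print(demo_restore_cycle())
```

The manifest is what turns a restore into a test: copying files back proves the media still spins, but only a hash comparison against what was written at backup time proves the data is intact. Store the manifest with the backup, on the same protected media, so a restore drill after an incident can run without trusting anything on the production network.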
Ransomware Response: What to Do If You Are Hit
- Isolate immediately. Disconnect affected systems from the network — unplug ethernet cables, disable Wi-Fi — to prevent ransomware from spreading to other systems.
- Do not pay the ransom without consulting your cyber insurer. Call your insurer first — they often have pre-negotiated relationships with ransomware operators and incident response firms that can reduce ransom amounts or recover data without payment.
- Engage a professional incident response firm. Do not attempt to decrypt or remediate on your own — improper handling destroys forensic evidence and may worsen the damage.
- Report to the FBI. File a report at ic3.gov. The FBI tracks ransomware payments and occasionally publishes decryption keys for specific ransomware families.
- Restore from backups. After remediation confirms systems are clean, restore from the most recent clean backup point.
Ransomware Prevention Checklist
- EDR software installed on all endpoints
- Email filtering active with anti-phishing enabled
- RDP disabled or secured behind VPN with MFA
- Critical patches applied within 30 days
- Employee access limited to least privilege
- Offline or immutable backups running and tested
- Backup retention covers at least 30 days
- Cyber insurance policy in force covering ransomware
- Incident response plan documented before an attack occurs
Bottom Line
Ransomware is survivable if you have tested offline or immutable backups — it is catastrophic if you do not. Prevention controls reduce the likelihood of a successful attack but cannot guarantee it. Invest in backups first, then layer prevention controls from highest-impact downward: EDR, email filtering, RDP security, patch management, and least privilege access. A ransomware attack that hits an organization with solid backups is a bad day. The same attack against a business without backups can be the last day.