How To Protect Your Business From Ransomware: Understanding How It Works, the Costs, and What to Do
Ransomware attacks increased by 95% globally in 2023, according to Corvus Insurance, hitting over 4,000 organizations. Sophos reports that 66% of organizations were hit by ransomware in the past year. And the cost keeps climbing: the average ransomware incident now runs upward of $5 million in total damages (IBM).
If your business stores data, processes payments, or relies on computers to operate, which is every business, ransomware is a threat you need to take seriously. Small and mid-sized businesses are especially attractive targets because they typically have weaker defenses than large enterprises. The good news is that while absolute prevention may not be possible, the right combination of security practices can prevent ransomware from succeeding against your organization.
This guide covers how ransomware works, what it costs, how real attacks have played out, and the specific steps you can take to protect yourself from ransomware:
How Ransomware Works
Ransomware is malicious software that encrypts your files (documents, databases, backups, even entire servers) and demands payment, usually in cryptocurrency, to unlock them. If you do not pay, the attackers threaten to delete your data permanently or publish it online. Modern ransomware attacks often involve data theft alongside encryption, where attackers steal sensitive information to increase pressure on victims through double extortion.
The typical attack chain looks like this: an employee receives a convincing phishing email and clicks a link or opens an attachment. That installs malicious code that harvests login credentials. The attacker uses those credentials to move through your network, escalating privileges and mapping your systems. Once they have access to everything that matters, they deploy the ransomware payload, often on a weekend or holiday when nobody is watching, and encrypt everything at once.
What makes modern ransomware especially dangerous is that attackers do not strike immediately. The SolarWinds hackers were inside their victims’ networks for nine months before anyone noticed. That dwell time lets threat actors find and disable your backups, identify your most critical systems, and maximize the damage when they finally pull the trigger.
Types of Ransomware
Ransomware comes in several forms, each with different tactics for extorting victims.
Encrypting ransomware is the most common and most damaging type. It uses advanced encryption algorithms to lock your files, documents, databases, and even backups, making them completely inaccessible until you pay. Victims are typically greeted with a ransom note on their screen outlining payment instructions and a countdown timer.
Screen lockers take a different approach, locking the entire computer screen and preventing access to the operating system or any applications. These attacks often impersonate law enforcement or government agencies to pressure victims into paying through social engineering.
Scareware bombards users with alarming pop-ups or fake security alerts claiming your system is infected. The goal is to frighten you into paying for unnecessary or fraudulent software.
Ransomware as a service (RaaS) is a rapidly growing threat. Cybercriminals can purchase or rent ready-made ransomware packages on the dark web, making it easy for even non-technical attackers to launch sophisticated attacks. This model has dramatically increased the number of ransomware incidents worldwide.
Doxware (leakware) raises the stakes by threatening to publish or sell your sensitive data online unless the ransom is paid. This double extortion tactic not only risks data loss but also exposes organizations to reputational damage and regulatory penalties.
What Ransomware Actually Costs
The ransom payment itself is often the smallest part of the bill.
The average ransom demand reached $5.3 million in the first half of 2021, according to Palo Alto Networks’ Unit 42. But the total cost of a ransomware incident, including the ransom, lost productivity, investigation, legal exposure, and recovery, averages over $5 million, according to IBM’s Cost of a Data Breach Report.
Downtime alone costs an average of $300,000 per hour, according to Gartner. When the City of Atlanta was hit by the SAMSAM ransomware in 2018, the attackers demanded $50,000 in Bitcoin. Atlanta refused to pay, but the total recovery cost reached an estimated $17 million, according to the Atlanta Journal-Constitution. More than one-third of the city’s 424 programs were knocked offline, and nearly 30% of those were classified as mission-critical.
And paying the ransom does not guarantee you get your data back. Of organizations that paid, only 75% actually recovered their data, according to Sophos. The other 25% paid and got nothing.
Ransomware is not an IT problem. It is a financial problem that happens to arrive through your technology.
Real Ransomware Attacks That Changed the Game
Understanding how major attacks played out helps you understand what you are defending against. These are not theoretical scenarios; they happened to real organizations.
Kaseya and REvil: The Supply Chain Attack
On July 4th, 2021, the REvil ransomware gang launched what CBC called “the biggest ransomware attack on record.” They exploited a zero-day vulnerability in Kaseya VSA, a remote network management tool used by managed service providers, and pushed a compromised software update to Kaseya’s clients. Because MSPs manage networks for hundreds of businesses, one compromise cascaded into 800 to 1,500 downstream organizations.
REvil demanded $70 million for a universal decryption key. Casualties included 11 schools in New Zealand, a Swedish grocery chain that had to close stores, and hundreds of small businesses across the United States. The same group had previously attacked JBS, the world’s largest meat supplier.
The lesson: a single compromised vendor in your supply chain can take down your entire operation. This is why you should install software updates in phases rather than all at once, and why vetting your vendors’ security practices matters as much as your own.
SAMSAM and the City of Atlanta
The SAMSAM ransomware operation stole $6 million across 233 victims between 2015 and 2018, according to the DOJ indictment. Their most high-profile hit was the City of Atlanta in March 2018, a $50,000 ransom demand that turned into an estimated $17 million recovery effort when the city refused to pay. City employees could not access email, residents could not pay water bills online, and police had to file reports by hand.
The lesson: the cost of recovery almost always dwarfs the ransom demand. And refusing to pay is the right decision, but only if you have the backups and recovery plan to restore operations without the attacker’s help.
FIN7: Ransomware by Mail
Not all ransomware arrives by email. In 2021, the FBI issued a warning about FIN7, an Eastern European criminal group that ran the BlackMatter and DarkSide ransomware operations, mailing ransomware-infected USB drives to businesses via USPS and UPS.
The packages were disguised as Amazon gift boxes with thank-you notes and fake COVID-19 guidance from the Department of Health and Human Services. The USB drives, branded as LilyGo devices, were programmed to register as a keyboard when plugged in and automatically download malware. FIN7 had done something similar in 2020, mailing teddy bears containing infected USBs to retail companies, hotels, and restaurants.
The lesson: ransomware is not just a digital threat. Physical attack vectors exist, and your employees need to know never to plug in a USB drive they did not purchase themselves.
CryptoLocker and the Ransomware Playbook
CryptoLocker infected an estimated 250,000 computers in its first 100 days in 2013, according to Dell SecureWorks, demanding ransoms of $400 to $2,000 with a 72-hour payment window. It was one of the first ransomware strains to gain mainstream attention, and it established the playbook that every ransomware operation has followed since: encrypt the files, display a countdown timer, and demand cryptocurrency.
CryptoLocker spawned a wave of successors (GoldenEye, WannaCry, Petya), each more destructive than the last. What made these ransomware variants especially dangerous was their ability to delete or encrypt shadow copies, the automatic backup snapshots that Windows creates. This meant that even organizations with basic backup practices found their recovery options destroyed along with their primary data.
The economics of cybercrime have escalated rapidly, from $400 CryptoLocker ransoms in 2013 to $70 million REvil demands in 2021.
Ransomware Prevention: Best Practices and Core Defenses
Ransomware prevention is not about any single tool or tactic. It is about layering defenses so that if one fails, the next one catches the threat. Here are the five areas every business needs to address.
1. Minimize Entry Points
Every device, every user account, and every network connection is a potential entry point for ransomware. The more you can reduce and control those entry points, the harder it is for an attacker to gain access.
Limit access to sensitive data on an as-needed basis: employees should only have access to the systems and files they need for their current work, not blanket access to everything. This principle of least privilege applies to user accounts, admin credentials, and service accounts alike. Remote workers create especially porous security borders because their home networks, personal devices, and public Wi-Fi connections are all potential weak points. Every remote connection should go through a VPN with MFA enforced.
2. Lock Down Identity and Access Management
Weak passwords and stolen credentials are the number one way ransomware gets into networks, according to the Verizon DBIR. Your identity management practices need to include:
- Strong password requirements (minimum 8 characters, complexity enforced)
- Mandatory password changes on a regular cycle
- Multi-factor authentication on every system and application
- Prompt deactivation of user accounts when employees leave
Password managers can help your team maintain strong, unique passwords across accounts without resorting to reuse.
Only an estimated 57% of businesses currently use MFA, whether through two-factor authentication apps, hardware keys, or biometrics. That means 43% are relying on passwords alone, and with an estimated 8.4 billion stolen credentials circulating on the dark web, a password-only approach is an open invitation. Attackers exploit vulnerabilities in identity management before they exploit vulnerabilities in software.
3. Ransomware Detection: Catch Threats Early
The difference between a minor incident and a catastrophic breach often comes down to how quickly you detect the attacker. Traditional detection relies on proxy analysis, signature-based scanning, and machine learning algorithms to identify known threats. Security software including antivirus and endpoint detection tools still matter, but modern ransomware, especially AI-generated variants, can evade signature-based detection.
The next generation of defense uses behavioral detection, monitoring for anomalies in how users and systems behave rather than looking for known malware signatures. If an account that normally accesses three folders suddenly starts touching every file on the server at 2 AM, that is a behavioral anomaly worth investigating immediately, even if no known malware signature was triggered.
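The folder-and-hour scenario above, turned into runnable detection logic. This is an added illustration, not code from the article or from LeadingIT; the log format and the constructed sample lines are assumptions, and the thresholds are arbitrary starting points a team would tune against its own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: "timestamp user action path". A real feed would
# come from file-server audit logging or an EDR; this format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ  /shares/finance/q1.xlsx
2024-03-04T09:40:17 alice WRITE /shares/finance/q1.xlsx
2024-03-04T14:05:44 alice READ  /shares/projects/roadmap.docx
2024-03-05T10:21:09 alice READ  /shares/finance/budget.xlsx
2024-03-05T11:02:33 alice READ  /shares/marketing/deck.pptx
2024-03-06T09:30:00 alice WRITE /shares/projects/notes.txt
2024-03-09T02:03:11 alice WRITE /shares/finance/q1.xlsx
2024-03-09T02:03:12 alice WRITE /shares/hr/payroll.csv
2024-03-09T02:03:13 alice WRITE /shares/legal/contract.pdf
2024-03-09T02:03:14 alice WRITE /shares/engineering/src.zip
2024-03-09T02:03:15 alice WRITE /shares/backups/nightly.bak
2024-03-09T02:03:16 alice WRITE /shares/sales/leads.xlsx
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, action, path = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def top_folder(path):
    # "/shares/finance/q1.xlsx" -> "/shares/finance"
    return "/".join(path.split("/")[:3])

def build_baseline(events, learn_until):
    """Per user: folders normally touched, hours normally active, busiest hour."""
    base = defaultdict(lambda: {"folders": set(), "hours": set(), "peak": 0})
    per_hour = defaultdict(int)
    for ts, user, _action, path in events:
        if ts >= learn_until:
            continue  # only the learning window shapes the baseline
        base[user]["folders"].add(top_folder(path))
        base[user]["hours"].add(ts.hour)
        per_hour[(user, ts.replace(minute=0, second=0))] += 1
    for (user, _hour), n in per_hour.items():
        base[user]["peak"] = max(base[user]["peak"], n)
    return base

def find_anomalies(events, baseline, learn_until):
    """Bucket post-baseline activity per user-hour and flag deviations."""
    buckets = defaultdict(list)
    for ts, user, action, path in events:
        if ts >= learn_until:
            buckets[(user, ts.replace(minute=0, second=0))].append((action, path))
    alerts = []
    for (user, hour), evs in buckets.items():
        b = baseline[user]
        reasons = []
        new_folders = {top_folder(p) for _a, p in evs} - b["folders"]
        if len(new_folders) >= 2:
            reasons.append(f"{len(new_folders)} folders never touched before")
        if hour.hour not in b["hours"]:
            reasons.append(f"activity at {hour.hour:02d}:00, outside baseline hours")
        writes = sum(1 for a, _p in evs if a == "WRITE")
        if writes > 2 * max(b["peak"], 1):
            reasons.append(f"{writes} writes in one hour vs baseline peak {b['peak']}")
        if reasons:
            alerts.append((user, hour.isoformat(), reasons))
    return alerts

def run(log=SAMPLE_LOG, learn_until=datetime(2024, 3, 8)):
    events = parse(log)
    return find_anomalies(events, build_baseline(events, learn_until), learn_until)

if __name__ == "__main__":
    for user, hour, reasons in run():
        print(f"ALERT {user} @ {hour}: " + "; ".join(reasons))
```

On the constructed log the 02:00 burst on March 9 trips all three rules at once, which is the point: no signature was matched, only the account's own history.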
According to CrowdStrike’s 2025 State of Ransomware Survey, 48% of organizations now cite AI-automated attack chains as their greatest ransomware concern. AI-generated ransomware can produce polymorphic payloads that adapt to defenses in real time and auto-iterate in hours rather than weeks. Eighty-five percent of security professionals believe legacy defenses are becoming obsolete against these threats.
4. Harden Your Perimeter and Network Security
Your perimeter defenses are the walls around your network. They include:
- Email and web gateways that filter malicious content before it reaches employees
- Antivirus and anti-malware on every endpoint
- Firewalls configured to block unauthorized traffic
- VPNs for all remote access
- Intrusion detection and prevention systems that monitor for suspicious activity
Beyond traditional perimeter controls, network segmentation is critical. Dividing your network into isolated zones means that even if an attacker breaches one segment, they cannot move laterally to reach critical systems in others. Combine this with least-privilege access policies and automated containment playbooks that can isolate a compromised device within seconds of detection. This approach limits the blast radius of any ransomware infection and helps maintain business continuity even during an active attack. For many Chicagoland organizations, partnering with a Chicago managed IT services provider is the most practical way to maintain this level of layered network defense without building an in-house security operations team.
5. Security Awareness Training
Employee negligence remains the number one cause of ransomware breaches. Over 90% of cyberattacks begin with a phishing email, according to Cofense, and CrowdStrike reports that 87% of security leaders say AI is making those lures more convincing than ever.
Training cannot be a one-time annual event. It needs to be ongoing, specific, and reinforced with simulated phishing attacks that test whether employees actually apply what they learned. Your training should cover:
- How to recognize phishing emails and malicious attachments
- The danger of clicking suspicious or malicious links
- The risk of plugging in unknown USB devices
- How to verify requests through a second channel before acting
- How to report suspicious activity immediately
- The emerging threat of deepfake voice calls and video that impersonate executives or vendors
- Securing mobile devices, which are increasingly targeted as attack vectors for ransomware
Sixty-five percent of hacker groups use spear-phishing as their primary attack vector, according to Mandiant. Your people are either your weakest link or your first line of defense. Training determines which one.
Ransomware Protection for Your Backups and Encrypted Files
Backups used to be the ultimate ransomware insurance: if your files get encrypted, just restore from backup. That is no longer guaranteed.
Modern ransomware strains specifically target backup systems. CryptoLocker and WannaCry can delete or encrypt shadow copies. Newer variants search for and destroy network-attached backup drives, cloud sync folders, and even backup software configurations. If your backups are connected to the same network as your primary systems, ransomware can encrypt them too, turning your encrypted files into permanent losses.
Protecting your backups requires a fundamentally different approach. For businesses that lack the in-house expertise to build and maintain a resilient backup architecture, professional data backup and recovery services can ensure your strategy holds up when it matters most.
Use immutable, air-gapped storage. Immutable storage means the data cannot be modified or deleted once written, not by users, not by administrators, and not by ransomware. Air-gapped means the backup storage is physically or logically disconnected from your production network so ransomware cannot reach it. Offline backups on separate storage media provide an additional layer of ransomware protection.
Apply zero-trust principles to backup access. No single person should be able to access, modify, or delete backups without multiple layers of authentication. Remote access to backup systems should require partner-level credentials plus MFA plus encrypted connections. Deleted backup data should remain recoverable for a defined window (7 days minimum) before permanent removal.
Maintain multiple copies in multiple locations. The 3-2-1 backup rule still applies: three copies of your data, on two different types of media, with one copy stored offsite. A secure backup strategy covers everything: on-premises servers, remote PCs, laptops, and cloud applications.
Test your backups regularly. A backup that has never been tested is not a backup; it is a hope. Regular restoration tests verify that your backups are complete, uncorrupted, and can actually be restored within your recovery time objectives. Always scan backup files for other malware before restoring to ensure you are not reintroducing threats. A scheduled test is where you want to discover a gap in your backup strategy, not an active ransomware attack.
Incident Response: What to Do If You Get Hit
Prevention is the priority, but you also need a plan for when prevention fails. Here is what an effective ransomware response looks like.
Detect and isolate immediately. The moment you suspect a ransomware infection, disconnect the affected devices from the network. Power them down if necessary. The goal is to stop the encryption from spreading to other systems. Every minute of delay means more files encrypted and more damage done.
Do not pay the ransom. According to CrowdStrike, 83% of organizations that paid a ransom were targeted again, and only 75% of those who paid actually recovered their data (Sophos). Paying funds criminal operations, marks you as willing to pay, and provides no guarantee of recovery. The FBI, CISA, and virtually every cybersecurity authority recommend against paying.
Preserve evidence and investigate. Document everything: what systems were affected, when the attack was detected, what actions were taken, and what data may have been compromised. This information is critical for law enforcement, your cyber insurance claim, and your own post-incident analysis. Report the attack to the FBI’s Internet Crime Complaint Center (IC3).
Communicate with stakeholders. Notify your employees, customers, partners, and vendors as appropriate. Transparency during a breach is not just ethical; it is often legally required, and attempting to hide a breach almost always makes the consequences worse when it comes to light.
Restore from clean backups. This is where your backup strategy pays off. Restore your systems from verified clean backups, block the entry point the attacker used, reset all credentials, and conduct a thorough security review before bringing systems back online.
Conduct a post-incident review. Every ransomware incident is also a learning opportunity. What failed? What worked? What needs to change? Update your defenses, your training, and your recovery plan based on what you learned to prevent future attacks. Organizations with a documented disaster recovery plan recover significantly faster than those building a response on the fly.
The AI Ransomware Threat Is Already Here
Ransomware is evolving faster than most defenses can keep up with. The newest generation of AI-generated ransomware can produce polymorphic payloads that change their code with every deployment, making them invisible to traditional signature-based detection. These variants can auto-iterate in hours rather than the weeks it used to take human developers, and adapt to defenses in real time.
This is the new reality. Phishing campaigns carrying ransomware payloads have increased sharply over the past year, and according to CrowdStrike, the vast majority of those phishing emails now leverage AI-generated content: better grammar, more convincing pretexts, and personalization that used to require manual effort.
The defenses that worked five years ago are not enough. Behavioral detection, micro-segmentation, immutable backups, and continuous employee training against AI-powered social engineering, including deepfake voice calls and video, are no longer optional upgrades. They are the baseline.
Frequently Asked Questions
How do I protect myself from ransomware? Start with the fundamentals: enforce multi-factor authentication on every system, keep all software patched and updated, train employees to recognize phishing, implement network monitoring and intrusion detection, and maintain tested air-gapped backups. Layer these defenses so that no single failure can lead to a full breach.
What should I do if my business is hit by ransomware? Isolate affected systems immediately to stop the spread, do not pay the ransom, preserve evidence for investigation, notify stakeholders and law enforcement (FBI IC3), and restore from clean backups. Have an incident response plan documented before you need it.
Should I pay the ransom? No. Only 75% of organizations that paid actually recovered their data, and 83% of those who paid were targeted again, according to CrowdStrike. Paying funds criminal operations and signals to attackers that your organization will pay. The FBI and CISA recommend against paying ransoms.
How much does a ransomware attack cost? The average total cost of a ransomware incident exceeds $5 million, according to IBM, including ransom, disruption, investigation, and recovery. Downtime alone costs an average of $300,000 per hour. For context, the City of Atlanta refused a $50,000 ransom demand and spent an estimated $17 million on recovery.
Can ransomware encrypt my backups? Yes. Modern ransomware specifically targets backup systems, including shadow copies, network-attached drives, and cloud sync folders. This is why backups must be stored on immutable, air-gapped storage that ransomware cannot reach, and why you need to test your backups regularly to confirm they work.
What is AI-generated ransomware? AI-generated ransomware uses artificial intelligence to create polymorphic payloads that change their code with each deployment, evading traditional signature-based antivirus detection. These variants can adapt to defenses in real time and are significantly harder to detect. Nearly half of organizations now cite AI-automated attack chains as their top ransomware concern.
Is my small business really at risk for ransomware? Yes. Two-thirds of organizations were hit by ransomware last year, and small businesses are disproportionately targeted because they typically have weaker defenses than large enterprises. For a deeper look at why businesses of all sizes are targeted and what attackers are after, see our guide to the warning signs your business is a target for cybercrime.
What is a supply chain ransomware attack? A supply chain attack compromises a trusted vendor or software provider to reach their customers downstream. The Kaseya attack in 2021 compromised a remote management tool used by IT providers, which cascaded into 800 to 1,500 businesses. Defending against supply chain attacks means vetting your vendors’ security practices and installing software updates in phases rather than all at once.
Do Not Wait Until You Are the Next Headline
Most ransomware attacks do not start with sophisticated hacking. They start with a clicked link, a reused password, or a backup that was never tested. The businesses that survive ransomware are the ones that prepared before the attack, not the ones that scrambled after.
At LeadingIT, we help Chicagoland businesses build ransomware defenses that actually work, from 24/7 monitoring and endpoint protection to immutable backup strategies and employee training programs.
LeadingIT is a cyber-resilient technology and cybersecurity services provider. With our concierge support model, we provide customized solutions to meet the unique needs of nonprofits, schools, manufacturers, accounting firms, government agencies, and law offices with 25–250 users across the Chicagoland area. Our team of experts solves the unsolvable while helping our clients leverage technology to achieve their business goals, ensuring the highest level of security and reliability. Call us at 815-788-6041 or book a free assessment today.