A dental office in Alabama lost every patient record in 2024. The owner clicked a link in an email that looked like it came from their insurance portal. Within four hours, every file on the server was encrypted. The ransom demand: $45,000 in Bitcoin. They didn’t pay, but the recovery still cost them over $12,000 in emergency IT labor, lost revenue during two weeks of downtime, and a mandatory breach notification to every patient on file.
That office had antivirus installed. It was running. It didn’t help.
Most ransomware advice is written for companies with dedicated security teams. They’ll tell you to implement zero-trust architecture and deploy a SIEM with 24/7 SOC coverage. That’s fine if you have a hundred employees and a six-figure security budget. If you run a small business with fifteen devices or fewer, you need different advice. You need to know what actually works at your scale, what you can realistically do, and what your IT provider should be handling for you.
How Ransomware Actually Gets In
Ransomware gets into small businesses through three main doors: phishing emails, exposed Remote Desktop Protocol, and unpatched software. Phishing is the most common method. An employee receives an email impersonating a vendor or a bank, clicks a link or opens an attachment, and the attacker gains a foothold on the network. From there they move laterally through connected machines and encrypt everything valuable. Exposed RDP is the second most common entry point. Automated scanning tools probe every public IP address on the internet looking for open Remote Desktop ports, and when they find one, they brute-force the login credentials. Unpatched software is the third door. When a vendor releases a security patch, attackers reverse-engineer it to build exploits targeting the machines that have not applied the fix yet. Closing these three doors blocks the vast majority of ransomware attacks against businesses of any size.
Phishing Emails
This is still the number one way ransomware hits small businesses. Someone on your team gets an email that looks legitimate. It might impersonate Microsoft, your bank, a shipping company, or even someone in your own organization. The email contains either a malicious attachment or a link to a fake login page. Once someone clicks and enters credentials or opens that file, the attacker has a foothold. From there, they move through your network, figure out what’s valuable, and encrypt it.
Phishing emails have gotten much better in the last two years. The spelling mistakes and weird formatting that used to give them away are mostly gone. Attackers now use real company logos, proper formatting, and even reference actual invoice numbers or project names they’ve scraped from previous breaches. Your employees are not stupid for falling for these. The emails are designed by professionals whose entire job is tricking people.
Exposed Remote Desktop (RDP)
Remote Desktop Protocol is a Windows feature that lets you connect to a computer from somewhere else. It’s useful, and a lot of small businesses use it so employees can work from home or so their IT person can log in remotely. The problem is when RDP is left open to the internet without any protection. Attackers scan the entire internet constantly, looking for machines with RDP exposed on port 3389. When they find one, they try common usernames and passwords until they get in. This is called a brute-force attack, and it works more often than you’d think.
If your RDP is exposed to the internet with just a username and password protecting it, you are running on borrowed time. This is not a theoretical risk. Automated scanning tools hit every public IP address on the internet within hours of it going online. If port 3389 is open, someone will try to get in. The fix is to put RDP behind a VPN or use a remote access tool that doesn’t require exposing ports. Your IT provider should have already handled this.
USB Drives and Physical Access
This route is less common than phishing but still worth mentioning. An infected USB drive plugged into a workstation can deliver ransomware. This happens in offices where people share USB drives, bring them from home, or find one in the parking lot and plug it in out of curiosity. It also happens when a former employee or contractor still has physical access to your office and your machines.
Unpatched Software
Software vulnerabilities are publicly disclosed all the time. When Microsoft releases a security patch, they’re telling the world exactly what the vulnerability is. Attackers reverse-engineer the patch to build exploits. If your machines are weeks or months behind on patches, those exploits work on your systems. This is why automated patching matters. Not just Windows updates, but patches for every application on your machines. A vulnerability in your PDF reader or your web browser is just as dangerous as one in Windows itself.
What Traditional Antivirus Misses
Traditional antivirus works by recognizing known threats. It has a database of malware signatures, essentially fingerprints of known bad files. When a file matches a known signature, it gets blocked. This worked reasonably well fifteen years ago. It does not work well against modern ransomware.
Modern ransomware rarely arrives as a known malicious file. Instead, attackers use what the security industry calls “living off the land” techniques. They use legitimate Windows tools like PowerShell, Windows Management Instrumentation, and remote administration utilities to do their dirty work. Your antivirus sees PowerShell running and thinks nothing of it because PowerShell is a normal part of Windows. But the commands being executed through PowerShell are downloading and deploying ransomware. The antivirus never flags it because no known malicious file was involved.
Signature-based antivirus also struggles with new ransomware variants. Attackers modify their code constantly to avoid detection. A ransomware sample that was caught yesterday might be slightly modified today, giving it a new signature that your antivirus has never seen. By the time the antivirus vendor adds the new signature to their database, the damage is done.
This doesn’t mean antivirus is useless. Windows Defender, which comes free with every Windows machine, catches a lot of commodity malware. It should be running on every machine you own. But treating it as your only line of defense is like locking your front door and leaving every window open.
EDR Explained Simply
Endpoint detection and response, commonly called EDR, works differently from traditional antivirus software. Antivirus compares files on your computer against a database of known threats. If a file matches a known virus signature, it gets blocked. EDR monitors behavior instead of just checking file signatures. It watches what programs are running, what network connections they make, what files they modify, and whether any of that activity looks suspicious. When EDR sees a program suddenly encrypting files across a network share at high speed, it can kill that program and isolate the machine from the network within seconds, even if that specific malware variant has never been seen before. For a small business, EDR needs to be monitored by real people who can respond to alerts around the clock. Unmonitored EDR is just expensive software generating alerts and logs that nobody reads.
At Mr. Fix IT Geeks, managed threat detection with EDR is included in our Professional and Complete tiers. We use Huntress, which combines endpoint detection with human threat analysts who review every suspicious event. It’s not just software running on your machine. There are actual people looking at what it finds.
Backup as Your Last Line of Defense
Here’s the uncomfortable truth about ransomware: no defense is perfect. You can have EDR, email filtering, patched machines, and trained employees, and a sufficiently determined attacker might still get through. When prevention fails, your backup is the difference between a bad week and a business-ending disaster.
A working, tested, verified backup means you can tell the attacker to pound sand. They encrypted your files? Fine. You wipe the machines, reinstall from a clean backup, and you’re back in business. No ransom payment. No negotiation. The attacker’s entire business model depends on you having no other option. A good backup gives you that option.
But the backup has to actually work. We have seen too many businesses discover during an emergency that their backup hasn’t been running for months. Or it was running but backing up the wrong folders. Or it completed successfully but the backup file is corrupted and can’t be restored. The difference between a backup that runs and a backup that works is the difference between a green checkmark on a dashboard and actually being able to get your data back when you need it. Backup verification, meaning a real test restore performed on a regular schedule, is the only way to know your backup will save you when it matters.
Your backup also needs to be stored somewhere the ransomware can’t reach it. If your backup drive is connected to your network and accessible from your workstations, the ransomware will encrypt your backups too. This is called the “blast radius” problem. A proper backup strategy uses offsite or cloud storage that’s isolated from your production network. Even if every machine in your office gets encrypted, the backup sitting in a secure cloud location is untouched.
The Real Cost of a Ransomware Attack
The real cost of a ransomware attack on a small business typically runs between twelve thousand and thirty thousand dollars, and that is without paying the ransom demand. Emergency IT labor alone costs four to eight thousand dollars when a break-fix technician charges emergency rates to rebuild every encrypted workstation and server. Lost revenue during one to two weeks of downtime adds another five to fifteen thousand dollars depending on the type of business and how long full recovery takes. Client notification requirements, replacement hardware, and potential regulatory fines stack on top of those direct costs. Businesses that choose to pay the ransom still face most of these recovery expenses because the decryption tools attackers provide are frequently slow, buggy, and incomplete. A managed IT service with EDR, verified backups, and automated patching costs six to seventeen thousand dollars per year. One prevented incident pays for multiple years of that ongoing protection.
Let’s walk through a realistic scenario. A five-person accounting firm gets hit with ransomware in January, right at the start of tax season. Every workstation is encrypted. The server is encrypted. The local backup was on a NAS drive connected to the network, so that’s encrypted too. Here’s what the actual bill looks like:
- Emergency IT labor: $4,000 to $8,000. A break-fix technician charges $150 to $250 per hour for emergency response. Rebuilding five workstations, a server, and restoring whatever data can be recovered takes 20 to 40 hours.
- Lost revenue during downtime: $5,000 to $15,000. If the firm bills $200 per hour average and loses a week of productivity across five people, that’s $40,000 in billings gone. Even partial downtime while systems are being rebuilt costs thousands.
- Client notification and reputation damage: Hard to quantify but very real. If client financial data was involved, you may need to notify every affected client. Some will leave. Trust takes years to build and seconds to destroy.
- Replacement hardware and software: $2,000 to $5,000. Sometimes encrypted machines need to be wiped and rebuilt from scratch. Sometimes the hardware is so old that a clean install isn’t practical and you need new machines.
- Regulatory penalties: Varies. If you handle financial, medical, or legal data, there may be reporting requirements and fines for failing to protect client information.
Compare that to prevention. A managed IT service that includes EDR, verified backups, automated patching, and email security runs $499 to $1,399 per month depending on the number of devices and features. The math is straightforward.
What a Good MSP Should Have in Place
If you already work with a managed service provider, or you’re shopping for one, here’s what to look for when it comes to ransomware protection. Not marketing language on their website. Actual capabilities you can verify.
A managed service provider handling ransomware protection for small businesses should have six things in place at minimum. First, endpoint detection and response installed on every managed device and monitored by analysts who respond to alerts in real time. Second, automated patching for both operating systems and third-party applications, applied within days of release. Third, email security including anti-spoofing DNS records and phishing protection that scans links and attachments before delivery. Fourth, verified backups stored offsite or in the cloud and tested regularly with actual restore operations. Fifth, no exposed RDP or other remote access ports visible from the internet. Sixth, a monthly report showing exactly what was patched, blocked, and backed up as proof the protection is active. If your MSP cannot demonstrate all six of these capabilities with documentation and evidence, you have no way to confirm the protection you are paying for is actually in place.
At Mr. Fix IT Geeks, all six of those items are built into our service. Foundation tier covers monitoring, patching, Windows Defender management, and email security. Professional adds managed EDR with Huntress, verified cloud backups, and vulnerability scanning. We didn’t add these because they look good on a features list. We added them because we spent years auditing providers who were missing exactly these things, and we watched businesses suffer the consequences.
What You Can Do Right Now
You don’t need to wait for a new IT provider to start protecting your business. Here are five things you can do today:
- Enable multi-factor authentication on every account that supports it. Start with email. If an attacker gets your password but can’t pass the MFA challenge, they’re locked out. This single step blocks the majority of account compromise attempts.
- Check whether your RDP is exposed. Ask your IT person or provider: “Is Remote Desktop accessible from the internet on any of our machines?” If the answer is yes, get it fixed immediately.
- Verify your backup works. Don’t just check that the backup ran. Ask for a test restore. Can you actually open the files? Is the data current? If nobody can answer that, your backup is a hope, not a plan.
- Run Windows Update on every machine. If your machines are behind on updates, run them now. While you’re at it, check whether other software like your web browser, PDF reader, and office suite is current.
- Talk to your team about phishing. You don’t need a formal training program. Just tell them: if an email asks you to click a link or open an attachment and something feels off, call the sender to verify. A thirty-second phone call can prevent a thirty-thousand-dollar incident.
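Three of the five checks above (RDP state, Windows Defender state, patch age) can be verified on the machine itself. The script below is an added example, not a tool from this article or from Mr. Fix IT Geeks; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server, and the 30-day patch and 7-day signature thresholds are assumptions.

```powershell
# Added example: local ransomware-readiness check for one Windows machine.
# Run in an elevated PowerShell session. It reports only what the box itself
# can tell you; whether port 3389 is reachable from the internet depends on
# your router/firewall, so a "ListeningOn3389 = True" result is your cue to
# ask your IT provider the question from the checklist above.

function Test-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    $enabled = ($rdp.fDenyTSConnections -eq 0)      # 0 = Remote Desktop allowed
    $nlaOn   = ($nla.UserAuthentication -eq 1)      # 1 = Network Level Authentication required
    # A listener bound to 0.0.0.0 or :: accepts connections on every interface.
    $listen  = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        RdpEnabled      = $enabled
        NlaRequired     = $nlaOn
        ListeningOn3389 = [bool]$listen
        InboundRuleOpen = [bool]$fwRules
        # Listening with only a username and password (no NLA) is the setup the article warns about.
        NeedsAttention  = $enabled -and [bool]$listen -and -not $nlaOn
    }
}

function Test-DefenderStatus {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) { return [pscustomobject]@{ Installed = $false } }
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    [pscustomobject]@{
        Installed          = $true
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = [int]$sigAge
        SignaturesStale    = ($sigAge -gt 7)        # assumed threshold
    }
}

function Test-PatchAge {
    # Get-HotFix lists OS updates only; browsers, PDF readers and office suites
    # must be checked separately, as the article points out.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days   = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
    [pscustomobject]@{
        LastHotFix     = $latest.HotFixID
        DaysSincePatch = $days
        Overdue        = ($null -eq $days -or $days -gt 30)   # assumed threshold
    }
}

'== RDP =='      ; Test-RdpExposure    | Format-List
'== Defender ==' ; Test-DefenderStatus | Format-List
'== Patching ==' ; Test-PatchAge       | Format-List
```

Run it on each machine and keep the output; it is the kind of evidence the MSP section below says you should be able to ask your provider for.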
Frequently Asked Questions
Can ransomware hit a small business with only a few computers?
Yes. Attackers don’t specifically target small businesses, but they don’t exclude them either. Most ransomware campaigns are automated. The attackers send millions of phishing emails and see who bites. They scan the entire internet for exposed RDP ports. They don’t check how many employees you have before launching the attack. In fact, small businesses are often easier targets because they’re less likely to have EDR, email filtering, or properly segmented networks. Your size doesn’t make you invisible. It makes you an easier target.
Is paying the ransom ever worth it?
Almost never. The FBI recommends against it. Paying funds criminal organizations and makes you a target for repeat attacks because you’ve proven you’ll pay. Even when businesses pay, the decryption tools provided by attackers are often slow and unreliable. Many businesses that pay still lose some data and still face significant recovery costs. The only scenario where payment is even considered is when there’s no backup, the data is irreplaceable, and the business literally cannot survive without it. That scenario is entirely preventable with a proper backup strategy.
What’s the difference between antivirus and EDR?
Antivirus looks at files and compares them to a database of known threats. If a file matches a known virus signature, it blocks it. EDR watches behavior across the entire endpoint. It monitors processes, network connections, file system changes, and registry modifications in real time. When it sees behavior that looks like an attack, it can respond automatically by killing the process and isolating the machine, even if the specific malware has never been seen before. Think of antivirus as a guard checking IDs at the door. EDR is the camera system watching everything happening inside the building.
How often should backups be tested?
At minimum, once per quarter. Monthly is better. We verify backups on a regular schedule for every client on our Professional and Complete tiers. A test restore doesn’t have to be complicated. You pick a file or folder from the backup, restore it to a test location, and confirm the data is intact and current. If you’ve never tested your backup, you should do it today. Right now. Before you finish reading this article. A backup you’ve never tested is an assumption, not a safety net.
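The test restore described here and in the backup section above can be scripted so it actually gets run on schedule. The script below is an added example, not a tool from this article or from Mr. Fix IT Geeks; it assumes the backup is a file-level copy reachable as a share, that the account running it has read access to that share (an admin account, not a regular workstation user), and the paths, sample size and 48-hour freshness threshold are assumptions.

```powershell
# Added example: scripted test restore. Picks a random sample of files from the
# live data folder, restores the same relative paths from the backup copy into
# a scratch folder (never the live folder), then verifies content (SHA-256)
# and freshness. A green checkmark on a dashboard does not prove any of this.

param(
    [string]$Source      = 'D:\CompanyData',                        # live data (assumed path)
    [string]$Backup      = '\\backup-host\Nightly\CompanyData',     # backup copy (assumed path)
    [string]$RestoreTo   = "$env:TEMP\restore-test",                # scratch location only
    [int]$SampleSize     = 25,
    [int]$MaxAgeHours    = 48
)

function Invoke-TestRestore {
    param($Source, $Backup, $RestoreTo, $SampleSize, $MaxAgeHours)
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    $live = Get-ChildItem -Path $Source -File -Recurse | Get-Random -Count $SampleSize
    $results = foreach ($f in $live) {
        $rel   = $f.FullName.Substring($Source.Length).TrimStart('\')
        $inBak = Join-Path $Backup $rel
        $dest  = Join-Path $RestoreTo $rel
        $status = 'OK'
        if (-not (Test-Path $inBak)) {
            $status = 'MISSING_IN_BACKUP'       # the "backing up the wrong folders" failure
        } else {
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -Path $inBak -Destination $dest -Force    # the actual restore step
            $hLive = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            $hRest = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
            $age   = (Get-Date) - (Get-Item $inBak).LastWriteTime
            if ($hLive -ne $hRest) {
                # Restored copy differs from live: a corrupt or out-of-date backup,
                # or simply a file edited since the last backup run.
                $status = if ($age.TotalHours -gt $MaxAgeHours) { 'STALE' } else { 'CHANGED_SINCE_BACKUP' }
            }
        }
        [pscustomobject]@{ File = $rel; Status = $status }
    }
    $results | Format-Table -AutoSize
    $bad = @($results | Where-Object Status -ne 'OK').Count
    if ($bad -eq 0) { "PASS: $($results.Count) sampled files restored and verified." }
    else            { "FAIL: $bad of $($results.Count) sampled files did not verify. Do not trust this backup until you know why." }
}

Invoke-TestRestore -Source $Source -Backup $Backup -RestoreTo $RestoreTo -SampleSize $SampleSize -MaxAgeHours $MaxAgeHours
```

If your backup product does not expose the backup as plain files, use its own restore function to put the sampled files into the scratch folder and run only the hash and freshness checks against that.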
Does my business need both EDR and backups, or is one enough?
You need both. They serve different purposes. EDR tries to prevent and stop attacks in progress. Backups give you recovery options when prevention fails. No security tool is perfect. EDR will stop most threats, but a sophisticated attacker might still get through. When that happens, your backup is the only thing standing between you and a catastrophic loss. Skipping EDR and relying only on backups means you’ll be restoring from backup more often, with more downtime and more data loss each time. Skipping backups and relying only on EDR means one missed detection could end your business. They’re not interchangeable. They’re complementary.