Ransomware, explained for business owners — and the one habit that beats it
Ransomware locks your files and demands payment to get them back. It sounds like a big-company problem. It is not — and one unglamorous habit changes the outcome entirely.
Ransomware sounds like something that happens to hospitals and government agencies. It does happen to them — but it also happens to plumbing companies, law firms, dental practices, and small accounting offices. Every week. Often quietly, because small businesses rarely make the news when it happens to them.
Here is what it is, how it usually gets in, and the one thing that changes the outcome from catastrophe to inconvenience.
What ransomware actually does
When ransomware gets onto a system, it quietly encrypts your files — documents, spreadsheets, databases, photos, everything. Once it's done, every file is locked. You can see the names, but you can't open them. Then a note appears demanding payment, usually in cryptocurrency, in exchange for the key that decrypts everything.
In recent years, most ransomware attacks have added a second layer called double extortion. Before encrypting your files, the attacker copies them. If you refuse to pay, they threaten to publish your data — client records, financial files, employee information — publicly or sell it. This turns a "do I pay to get my files back" decision into a "do I pay to keep my data private" decision as well.
Paying the ransom does not guarantee you get your files back. Roughly half of businesses that pay don't recover everything. Many get hit again.
How it gets in
The movie version involves sophisticated hackers probing defenses for weeks. The reality is more mundane.
- Phishing email with a malicious attachment or link. Someone on your team gets an email that looks normal, clicks a link or opens a file, and that's enough. No vulnerability required — just one click.
- Reused or stolen passwords. If an attacker has a valid login for your systems — bought from a breach list or guessed — they can get in the same way any legitimate user would. Remote desktop and VPN (virtual private network) login pages are common entry points.
- Unpatched software. Vendors release updates to fix known security flaws. When those updates don't get installed, the flaws stay open. Attackers run automated tools that scan the internet looking for exactly those known flaws.
None of these are exotic. They're the same doors that come up in almost every security conversation, which is why the defenses are the same too.
Why small businesses get hit
The short answer: small businesses are more likely to have the open doors, and less likely to recover on their own.
A 15-person business usually doesn't have an IT security person, a tested incident-response plan, or backups that have actually been verified to work. When ransomware hits, the options are: pay, spend weeks trying to rebuild from scratch, or restore from a backup. If there's no reliable backup, those options narrow quickly.
Attackers know this. A small business is less protected going in and more likely to pay to get out.
The prevention layer
Two things block the most common entry points:
MFA (multi-factor authentication) on every account. The extra step — a code or app prompt after your password — means a stolen password alone isn't enough to get in. This stops the "reused credential" attack path that accounts for a significant share of ransomware incidents.
Keeping software patched and up to date. Windows, your firewall, your remote-access software — these all need updates applied promptly. Leaving known vulnerabilities open is the equivalent of leaving a door with a published lock-picking guide lying next to it.
The one habit that changes everything
Here is the part that doesn't get enough attention: tested, offline backups.
If ransomware hits and you have a recent, clean backup on a separate system — one that wasn't connected to your network when the ransomware ran — you don't need to pay anyone. You restore from the backup. You lose maybe a day or two of work. It's expensive in time. It is not a catastrophe.
"Offline" matters because ransomware will try to encrypt network drives and connected backup systems too. A backup drive that was plugged in when the attack ran is probably also encrypted.
"Tested" matters because backups that have never been restored often turn out to be broken when you need them. Run a test restore at least once — pick a few files, put them on a different machine, confirm they open correctly.
The backup question to ask your IT provider: "When did we last do a test restore, and is any part of the backup system offline or air-gapped?"
The honest picture
Ransomware is not going away. But the businesses that get through it intact are almost always the ones with working backups, not the ones with the most sophisticated defenses. The prevention layer — MFA, patching, not clicking suspicious links — reduces the odds of getting hit. The backup is what protects you when those defenses aren't enough.
Tenant Strike checks your Microsoft 365 and Azure setup in read-only mode and flags the settings most commonly associated with ransomware entry points: accounts without MFA, legacy authentication paths, and exposed configurations that automated scanners look for first. A five-minute scan to see what your environment looks like from the outside.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.