Most small business owners assume ransomware is an enterprise problem. It is not. 88% of ransomware attacks in 2025 hit small businesses. The average downtime is 24 days. One in five SMBs that get hit does not reopen.
I am not writing this to scare you. I am writing this because the number one thing that gets small businesses hit is the assumption that they are not worth targeting. That assumption is exactly what makes them easy targets.
Why small businesses get targeted
It is not about what you are worth. It is about how easy you are to hit.
Large enterprises have dedicated security teams, endpoint detection, 24/7 monitoring, and incident response plans. Small businesses usually have none of that. From an attacker's perspective, a small business is faster to compromise, faster to encrypt, and — because they have less resilience — more likely to pay to get back online.
The economics are brutal: ransomware groups run like businesses. They pick targets based on the ratio of effort to payout. A business with 10 employees and no offsite backups can be a better target than a Fortune 500 with a SOC team, because the payout is smaller but the effort is close to nothing. Ransomware-as-a-service has made this even more accessible, dropping the technical bar to launch an attack to near zero for affiliates who rent the tooling and split the proceeds.
What the numbers actually say
$ cat ransomware-stats-2025.txt
The recovery cost figure is the one that catches people off guard. $115,000 ransom sounds bad. But even if you pay it, and even if you get your files back, the 24 days of downtime, the incident response, the forensics, the system rebuilds, the lost business, and the reputational damage push the real cost well above $1 million. Most small businesses do not have $1 million sitting in reserve.
How an attack actually unfolds
Ransomware does not just appear. It usually lives in a network for days or weeks before the encryption starts. Attackers get in, move laterally, find the backups, and delete or encrypt those first. Then they hit the main systems. By the time you see a ransom note, your recovery options are already limited.
The most common entry points for small businesses:
- Phishing email: someone clicks a link or opens an attachment. The malware runs in the background, establishes a foothold, and waits.
- Exposed RDP: Remote Desktop running on port 3389, accessible from the internet, with a weak password. Bots scan for this constantly. A working credential gives full desktop access.
- Unpatched software: a known vulnerability in a VPN appliance, firewall firmware, or server application that was never updated. Attackers buy working exploits for these.
- Compromised vendor: 41% of attacks now come through a third-party supplier or managed service provider. The attacker gets into a vendor, then pivots to every business that vendor manages.
The backup problem
Almost every small business I talk to says they have backups. What they mean, when pressed, is that they have a backup drive plugged into the server, or an Azure backup job they set up two years ago and never tested.
Neither of those will save you. A backup drive connected to the network gets encrypted along with everything else. An untested backup job may have been silently failing for months. And even a working backup does not save you from the data exfiltration that happens before encryption: attackers copy your files before they lock them, then threaten to publish them unless you pay.
A backup strategy that actually works:
- 3-2-1 rule: 3 copies of data, 2 different media types, 1 offsite. The offsite copy must be air-gapped or immutable. An attacker who gets into your network should not be able to reach it.
- Test your restores: a backup you have never restored from is not a backup. Restore from it quarterly. Confirm the data is actually there and usable.
- Immutable storage: Azure Blob Storage with an immutability policy (time-based retention or a legal hold) on the backup container, or AWS S3 with Object Lock in compliance mode. Versioning and MFA Delete on S3 help, but only Object Lock refuses a deletion made with stolen admin credentials. Ransomware cannot encrypt or delete what the storage layer refuses to overwrite. Set the retention window longer than the weeks an attacker typically sits in the network, or the copy you need may have aged out by the time you look for it.
The five things that reduce your risk most
You cannot eliminate the risk. But you can make your business a much harder target than the one next door.
- Multi-factor authentication on everything external-facing. Email, VPN, remote desktop, cloud consoles. A compromised password alone should not get someone in. MFA stops the vast majority of credential-based attacks cold. Prefer an authenticator app or a hardware key over SMS codes, and tell staff that a login prompt they did not trigger is an alert, not something to approve.
- Patch your systems on a schedule. Not eventually. Not when something breaks. On a schedule. Monthly at minimum. Critical patches within 48 hours.
- Kill RDP if you do not need it. If you do need it, put it behind a VPN with MFA and restrict the firewall to the addresses that legitimately connect. Moving it off the default port only cuts scanner noise; it is not a control. Do not expose 3389 to the internet.
- Train your team on phishing, and do it properly at least once. Not a policy document. A real session with real examples of what fake emails look like. The single most common entry point is a human clicking something they should not.
- Test your backups before you need them. This one alone is the difference between 24 days of downtime and being back online in 4 hours.
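The restore test called for in the backup section above and again in this last item, as an added example that is not part of the original post: a Python drill that restores from a file-tree backup into a scratch directory and compares it against the live data. It flags the three ways a "backup" fails quietly: the job stopped running (stale files), a file never made it into the copy, or a file came back truncated. The 36-hour staleness threshold, the `restore()` stand-in and the sample files are assumptions for the demo.

```python
"""Restore-verification drill: prove a backup is real before you need it.

Added example, not from the original post. Assumes a plain file-tree
backup (a source directory, a backup copy, a restore target). The
sample data is constructed inline so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumption: a nightly job whose newest file is older than 36h has been failing.
MAX_BACKUP_AGE_SECONDS = 36 * 3600


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        out[path.relative_to(root).as_posix()] = h.hexdigest()
    return out


def backup_age_seconds(backup: Path) -> float:
    """Seconds since the newest file in the backup was written (empty backup = very old)."""
    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    return time.time() - newest


def restore(backup: Path, target: Path) -> None:
    """Stand-in for the real restore step (tape, cloud job, immutable bucket)."""
    shutil.copytree(backup, target, dirs_exist_ok=True)


def verify_restore(source: Path, backup: Path, target: Path) -> dict:
    """Run the drill; 'ok' is True only if the copy is fresh and byte-for-byte complete."""
    findings = {"stale": False, "missing": [], "corrupt": [], "extra": []}
    if backup_age_seconds(backup) > MAX_BACKUP_AGE_SECONDS:
        findings["stale"] = True
    restore(backup, target)
    expected, restored = manifest(source), manifest(target)
    for rel, digest in expected.items():
        if rel not in restored:
            findings["missing"].append(rel)
        elif restored[rel] != digest:
            findings["corrupt"].append(rel)
    findings["extra"] = sorted(set(restored) - set(expected))
    findings["ok"] = not findings["stale"] and not any(
        findings[k] for k in ("missing", "corrupt", "extra")
    )
    return findings


def demo(healthy: bool = False) -> dict:
    """Constructed sample. Default: a stale backup missing one file with one truncated."""
    base = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    src, bak, tgt = base / "source", base / "backup", base / "restored"
    (src / "invoices").mkdir(parents=True)
    (src / "invoices" / "2025-01.csv").write_text("id,amount\n1,120.00\n")
    (src / "payroll.xlsx").write_bytes(b"PK\x03\x04 payroll")
    (src / "contracts.txt").write_text("signed")
    if healthy:
        shutil.copytree(src, bak)  # last night's job completed; mtimes are fresh
    else:
        (bak / "invoices").mkdir(parents=True)
        shutil.copy(src / "invoices" / "2025-01.csv", bak / "invoices")
        (bak / "payroll.xlsx").write_bytes(b"PK\x03\x04 payro")  # truncated copy
        # contracts.txt never made it into the backup, and the job last ran a month ago
        old = time.time() - 30 * 86400
        for p in bak.rglob("*"):
            os.utime(p, (old, old))
    try:
        return verify_restore(src, bak, tgt)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("failing backup:", demo())
    print("healthy backup:", demo(healthy=True))
```

Run it as-is to see both outcomes, then point `verify_restore()` at your real data and swap `restore()` for your actual restore command (the cloud job, the tape pull, the immutable-bucket copy). Do it quarterly and keep the output: a dated clean pass is the evidence that the backup exists.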
Should you pay the ransom?
The FBI says no. The practical reality is more complicated. If your backups are gone, your data is encrypted, and your business is dead in the water, some organizations pay. The median payment in 2025 was 34% lower than the initial demand, which means there is negotiation happening. But paying does not guarantee you get your files back, it does nothing about the data that was already copied out before encryption, and it funds the next attack.
The better answer is to never be in that position. If you have tested immutable backups and an incident response plan, the ransom is not a decision you need to make.
$ diagnose --backup-readiness
The backup situation is usually the deciding factor. If you want to know whether yours would actually save you, and to check what else is exposed while we are at it, I can look.