What Happens When Ransomware Hits a Small Business – Tower Zero Security

What Happens When Ransomware Hits a Small Business

[Illustration: a padlock and binary rain over small business building silhouettes, representing a ransomware attack]

The way ransomware is portrayed in news coverage gives most business owners a distorted picture of what it actually looks like when it happens to them. The coverage focuses on large enterprises, hospital systems, and government agencies — organizations with dedicated IT departments, cyber insurance policies, and crisis communications teams. The reality for a small professional services firm is different, and in some ways harder.

There is no IT department to call. There is no incident response retainer already in place. The managing partner finds out because someone walked into the office and their computer will not turn on, or because every file in a shared folder now has a strange extension and there is a text file on the desktop with instructions for sending cryptocurrency.

What happens in the hours and days that follow is shaped almost entirely by the decisions made in the first two hours — most of which are made under extreme pressure, without the information needed to make them well.

What Ransomware Actually Does

Modern ransomware does two things. It encrypts your files, making them inaccessible without a decryption key that the attacker holds. And increasingly, before it encrypts anything, it exfiltrates your data — copying sensitive files to attacker-controlled infrastructure so that even if you recover from backups, they still have leverage over you.

This second element is what makes modern ransomware fundamentally different from what most people picture. Paying the ransom does not undo the data theft. The attacker has your files regardless. If you choose not to pay, they threaten to publish them. If you do pay, you are trusting that they will honor the agreement to delete what they took — a trust that is often misplaced.

The encryption itself is typically fast. Once a ransomware payload executes, it can encrypt thousands of files per minute. By the time the first employee notices something is wrong, the damage may already span the entire network. Shared drives, file servers, and cloud-synced folders are all targets. Backups that are connected to the network are often encrypted as well — attackers specifically look for and target backup infrastructure before deploying the encryption payload.
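The two symptoms described above, a burst of files renamed to an unfamiliar extension and a text-file ransom note dropped on a desktop, are also what early detection keys on. As an added example (not code from this post or from Tower Zero), the toy detector below replays a constructed file-event stream, of the kind a file-audit log or EDR telemetry would emit, and raises an alert when either symptom appears; the extension list, note markers, window and threshold are assumed values a defender would tune to their own environment.

```python
"""Toy early-warning detector for ransomware file-system symptoms."""
from collections import Counter, deque

# Assumed baseline values; tune to the environment being monitored.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "pptx", "jpg"}
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to", "recover")
WINDOW_SECONDS = 60      # sliding window for counting renames
RENAME_THRESHOLD = 20    # renames to one new extension before alerting


def detect(events):
    """Return alert strings for an event stream.

    events: iterable of (timestamp_seconds, action, path) where action is
    "rename" (path is the new name) or "create".
    """
    alerts = []
    window = deque()      # (timestamp, extension) of recent renames
    fired_exts = set()    # extensions already reported, to avoid repeats
    for ts, action, path in sorted(events):
        name = path.rsplit("/", 1)[-1].lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        # Symptom 1: a new .txt whose name reads like a ransom note.
        if action == "create" and ext == "txt" and any(m in name for m in NOTE_MARKERS):
            alerts.append(f"possible ransom note created: {path}")
        # Symptom 2: many files renamed to one unfamiliar extension quickly.
        if action == "rename" and ext not in KNOWN_EXTENSIONS:
            window.append((ts, ext))
            while window and ts - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            counts = Counter(e for _, e in window)
            if counts[ext] >= RENAME_THRESHOLD and ext not in fired_exts:
                fired_exts.add(ext)
                alerts.append(f"{counts[ext]} renames to .{ext} in {WINDOW_SECONDS}s")
    return alerts


# Constructed sample: 25 files in a shared folder renamed to .lockd within
# 25 seconds, one benign rename, then a ransom note dropped on a desktop.
SAMPLE_EVENTS = [(t, "rename", f"/shares/clients/file{t}.docx.lockd") for t in range(25)]
SAMPLE_EVENTS.append((5, "rename", "/shares/clients/report.pdf"))
SAMPLE_EVENTS.append((40, "create", "/users/mp/desktop/readme_decrypt.txt"))

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would feed this from Windows file-audit events or an EDR file-activity feed rather than a list, and would act on the first alert by isolating the host, since the point of the post is that the damage is done within minutes.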

The Decisions That Determine the Outcome

The first decision is whether to reboot affected machines. Most people's instinct is to restart and see if that fixes it. It does not, and depending on the ransomware variant, rebooting can destroy forensic evidence that would have helped identify the entry point, assess the full scope of the attack, and support an insurance claim.

The second decision is whether to wipe and rebuild immediately. This feels like the fastest path to getting back to normal. It is also the path that destroys the evidence needed to understand what happened, determine whether data was exfiltrated, and satisfy the documentation requirements of your cyber insurance carrier. Rebuilding before the forensic work is done usually means that work can never be completed afterward.

The third decision — and the most fraught — is whether to pay the ransom. There is no universal right answer. It depends on whether your backups are intact and clean, whether a free decryptor is available for the specific ransomware variant you were hit with, how long you can sustain the downtime, and what your legal and regulatory obligations are. Making this decision without expert guidance is how businesses pay a ransom and then discover their backups were also compromised, or that a free decryptor was available, or that paying creates additional legal exposure.

What the Recovery Actually Looks Like

Recovery from ransomware, done correctly, is not fast. It is not simply restoring from backup and going back to work. Before any system is brought back online, the entry point needs to be identified and closed. The attacker's persistence mechanisms — the backdoors, scheduled tasks, and remote access tools they installed to maintain access — need to be found and removed. If you restore a clean backup to a system that still has an active backdoor, you have solved the encryption problem and left the attacker inside your environment.

Restoration also needs to happen in the right order. Domain controllers before member servers. Member servers before workstations. Each system verified clean before the next is brought back and connected to the network. This process takes days, sometimes longer, for a firm with even a modest number of systems.

Throughout all of this, the business is largely not functioning. Client communications are disrupted. Deadlines are at risk. If the firm handles financial transactions, those processes are halted. The operational impact of a ransomware incident for a small professional services firm can be severe enough to threaten the business itself — not just as a dramatic claim, but as a practical financial reality when billing stops for two weeks.

What Changes the Outcome

The firms that fare best in ransomware incidents share a few common characteristics. They have backups that are isolated from their primary network — backups the ransomware could not reach. They have cyber insurance with ransomware coverage. They call for expert help immediately rather than attempting to handle it internally. And they do not make irreversible decisions before they have the information needed to make those decisions well.

The firms that fare worst are the ones who spent weeks trying to handle it quietly with their IT provider before involving anyone with ransomware response expertise. By then, the forensic trail is cold, the insurance documentation requirements cannot be met, and the backups that existed have often been overwritten by the restore attempts.

Preparation matters enormously. Offline or immutable backups, tested regularly. A cyber insurance policy reviewed for ransomware coverage before you need it. An incident response contact you have already identified and can call within minutes of discovery. These are not expensive or complicated. But they are almost never in place at the small firms we get called by after something has already happened.

The goal of Tower Zero is to make sure the monitoring and response infrastructure is in place before the incident — so that when ransomware does deploy, it is detected in the early stages of execution rather than after the entire environment is encrypted.
