Essentials

The SMBs Ransomware Survival Guide: Don't Pay, Do This Instead

Waking up to a screen that says "Your network has been encrypted" is a nightmare for any small business owner. In the past, ransomware gangs targeted massive corporations for multi-million dollar payouts. Today, they…

By SecureBusinessHub Editorial, International cybersecurity desk — · 7 min read

Finding your network encrypted when you open your laptop is one of the worst things that can happen to a small business owner. Ransomware gangs used to target large enterprises for eight-figure payouts. Now they run automated campaigns against SMBs, asking for amounts under $50,000, which are small enough that many businesses pay quickly rather than deal with the fallout.

Paying is almost always the wrong call. Here's what to do instead.

Step 1: Isolate, don't power off

The reflex when you see a ransom screen is to pull the power cable. Don't. Abruptly shutting down servers corrupts files and wipes volatile memory that forensic experts can use later. Instead, cut the network connection. Unplug ethernet cables and disable Wi-Fi on infected machines immediately. The goal is to stop the malware spreading to your backups and cloud storage.

Step 2: Check your offline backups

Ransomware groups know that if you have backups, you won't pay. That's why modern variants actively hunt for connected backup drives and cloud sync folders to encrypt those first. Check your offline backups: the ones sitting in a drawer or in immutable cloud storage. If yesterday's data is safe, you've won the critical part.

Step 3: Call your insurer and legal counsel

Don't negotiate with the attackers on your own. Your first call should be to your cyber insurance provider. They have specialist negotiators and forensic teams on retainer. Your second call is to legal counsel. Depending on your jurisdiction, you may have a strict 72-hour window to report the breach if customer data was exposed.

The myth of the honest thief

Why not just pay? Two reasons. First, in many jurisdictions paying ransomware criminals is legally complicated or outright illegal. Second, nearly 80% of businesses that pay get attacked again, often by the same group. Even if you pay, there's a 30% chance the decryption key doesn't work. You end up with less money and the same situation.

Prevent the next breach

Once the immediate situation is contained, close the entry point. For most SMBs, that means enforcing MFA on every account and disabling external Remote Desktop Protocol access.