The Ultimate Ransomware Guide
Ransomware in 2026 doesn't look like 2018 ransomware. Here's what actually ends businesses now, the five decisions that decide the outcome, and what to do in the first hour.
The ransom note is a lagging indicator. By the time it’s on your screen, the outcome was already decided: the firewall nobody patched, the password reused on LinkedIn, the backup nobody had tested in a year.
That’s the hard part about writing a ransomware guide in 2026. Most of what matters happens before the attack. The rest happens in the first hour after you notice.
This guide is for the owner or operations lead who hasn’t audited any of this in a while. Your IT director already knows it. You sign the cyber insurance renewal. That’s who this is for.
2026 Ransomware Doesn’t Look Like 2018 Ransomware
Ransomware used to be a malicious email attachment that locked your files. That model is still active at the low end, but it’s not the threat model that ends businesses anymore.
Modern crews exfiltrate your data before they encrypt anything. Some skip the encryption entirely and threaten to publish what they stole. About half of all extortion cases in 2025 involved no encryption at all.[1] The attacker doesn’t need to take your systems down to demand money. They only need to show you a sample of your customer data and a countdown clock.
The attack is also faster than most defenses are tuned for. Sophos pegged median attacker dwell time inside a victim network at four days in 2025.[1] Palo Alto’s incident response team watched one crew complete the entire playbook, from first click to encrypted files, in six hours.[2]
The method changed too. Initial access rarely comes through a suspicious attachment. It comes through a phished Microsoft 365 login that bypasses ordinary MFA, or through an unpatched VPN that a separate crew already sold as a working foothold. Once inside, the attackers use the same remote management tools your IT provider uses. ConnectWise. AnyDesk. Atera. Abuse of legitimate remote-management software grew 277% year over year.[3]
One terminology note before moving on. If a guide tells you there are two kinds of ransomware, “generic” and “shotgun,” close it. The real split is opportunistic (mass-scanned, automated, five-figure ransoms) versus targeted (a human operator researching your revenue and calibrating the demand to it). Most SMBs face the opportunistic version first. A bad outcome on that one upgrades you to the targeted version.
Five Decisions That Decide the Outcome
The ransom note is a lagging indicator because the real fight was over before it started. Five controls account for most of the gap between a bad morning and a company-ending incident.
1. Identity, with phishing-resistant MFA on anything that matters. Phishing kits now proxy the login page in real time, defeating SMS codes and authenticator-app prompts and capturing the active session. The 2026 standard for admin accounts and remote access is a hardware key (FIDO2) or a device-bound passkey. Microsoft Entra conditional access gates the risky logins. Security awareness training is useful. It is not a substitute for controls that don’t require anyone to be awake and careful.
2. Backups the attacker cannot reach. Modern crews look for your backups before they touch your production data. Veeam reported that 96% of ransomware attacks attempted to hit backup repositories.[4] The defense is immutability (backup copies that cannot be modified or deleted for a retention window, regardless of credentials) and credential isolation (backup admin accounts that do not overlap with domain admin). If a single Active Directory compromise reaches your backups, you don’t have backups.
3. EDR, not antivirus. Signature-based AV is a floor, not a ceiling. Endpoint detection and response watches process behavior, flags suspicious activity in real time, and can isolate an endpoint automatically. Every managed endpoint in our environment runs three layers: Microsoft Defender for Business, Datto EDR, and Veriato file-activity monitoring. Cyber insurance carriers have started denying coverage for endpoints running legacy AV alone.[5]
4. Patch cadence on the edge. The single most common initial access vector in 2025 was an unpatched internet-facing device: a VPN appliance, a firewall, a remote management gateway.[1] Automated patching with a defined service level against CVSS score is the operational baseline. Quarterly patch cycles on perimeter gear are an invitation.
5. An incident response plan you have actually rehearsed. Most breach notifications cite “robust security controls” that failed at 2 AM because nobody on the call knew who had authority to pull systems offline, where the cyber insurance carrier’s 24/7 incident number lived, or which outside firms the policy would cover. A tabletop exercise twice a year is cheap. The alternative is learning the answers in the crisis.
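To make decision 4 concrete, here is an added example (not the article's or Think's code) of what "a defined service level against CVSS score" looks like in practice: a small Python check that maps each unpatched internet-facing device to a severity band, computes its patch deadline from an assumed SLA table, and reports what is overdue, worst first. The SLA days, device names and dates are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed SLA table (an assumption, not the article's policy): days allowed
# to patch an internet-facing device, keyed by CVSS v3 severity band.
EDGE_PATCH_SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}
AUDIT_DATE = date(2026, 2, 1)  # constructed "today" for the audit


def cvss_band(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def overdue_edge_patches(inventory, today):
    """Return internet-facing, unpatched devices whose fix is past its SLA,
    worst first. Each entry is a dict with name, internet_facing, cvss,
    published (date the vendor fix became available) and patched."""
    findings = []
    for dev in inventory:
        if not dev["internet_facing"] or dev["patched"]:
            continue  # internal hosts follow a different SLA; patched is done
        band = cvss_band(dev["cvss"])
        deadline = dev["published"] + timedelta(days=EDGE_PATCH_SLA_DAYS[band])
        days_over = (today - deadline).days
        if days_over > 0:
            findings.append({"name": dev["name"], "band": band,
                             "deadline": deadline, "days_over": days_over})
    return sorted(findings, key=lambda f: f["days_over"], reverse=True)


# Constructed inventory of perimeter gear and one internal host.
INVENTORY = [
    {"name": "vpn-appliance", "internet_facing": True, "cvss": 9.8,
     "published": date(2026, 1, 10), "patched": False},
    {"name": "perimeter-firewall", "internet_facing": True, "cvss": 7.5,
     "published": date(2026, 1, 20), "patched": False},
    {"name": "rmm-gateway", "internet_facing": True, "cvss": 5.3,
     "published": date(2026, 1, 15), "patched": False},
    {"name": "file-server", "internet_facing": False, "cvss": 9.8,
     "published": date(2026, 1, 10), "patched": False},
]

if __name__ == "__main__":
    for f in overdue_edge_patches(INVENTORY, AUDIT_DATE):
        print(f"{f['name']}: {f['band']} fix overdue by {f['days_over']} days")
```

Run against a real asset inventory, the same report is the evidence a carrier asks for when it wants proof of patch cadence rather than a promise.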
What SMBs Still Get Wrong
A few recurring mistakes turn recoverable incidents into catastrophic ones.
Treating cyber insurance as a strategy. Insurance is a financial instrument for residual risk. It is not a plan. The 2026 market is hard: 41% of first-submission applications are denied, and missing MFA or missing EDR are the top two reasons.[5] Carriers want proof, not promises. Screenshots of conditional access policies. Reports showing EDR coverage. Evidence of a tested restore.
Assuming Microsoft 365 is backed up. It isn’t, in the sense that matters. Microsoft protects its infrastructure from its own hardware failures. It does not protect your tenant from a malicious administrator, a compromised account mass-deleting data, or a ransomware payload that reaches synced OneDrive files. Third-party backup for M365 is a separate product line for a reason.
Declaring all-clear too early. Ejecting a ransomware crew is not the same as removing them. They usually leave a way back in: a new admin account, a scheduled task, a cached credential, a backdoor on a dormant host. Teams that skip the threat-hunting phase and rush the rebuild tend to see the same attackers again within weeks.
Assuming size is protection. The small-business story used to be that attackers wanted enterprise targets. The economics changed. Automated tooling makes an opportunistic attack on a thirty-person firm almost free to run. Sophos found the median ransom demand hit $1.32 million in 2025, and 88% of ransomware breaches struck small and mid-sized businesses.[1] Per Duane Morris, data-breach class actions have quintupled since 2020.[7]
Paying without checking. OFAC operates on strict liability for ransom payments.[6] Paying a threat actor on the U.S. Treasury’s sanctions list is a federal violation whether you knew or not.
The First Hour
The operational part. If ransomware is confirmed on your network, this is the order.
- Isolate, but do not power off. Pull network cables. Disable Wi-Fi. Take the affected segment off the switch. Don’t shut down the machine. The attacker’s tooling lives in memory, and powering off destroys forensic evidence you and your insurer will need later.
- Call your cyber insurance carrier before your IT team touches anything substantive. Most policies require prompt notification and specify which incident response firms are approved. Using an unapproved IR firm, or delaying notification, can void coverage on a claim you desperately need. The 24/7 incident number belongs in your phone before you need it, not after.
- Preserve the evidence. Memory dumps from live infected systems. Firewall and authentication logs. Ransom notes. File-system snapshots. Do this before reimaging anything.
- Stand up out-of-band communications. Assume corporate email, Teams, and Slack are compromised until proven otherwise. A pre-agreed Signal group or phone tree is the backup channel.
- Notify legal. Involving legal early establishes attorney-client privilege over the investigation. That matters more than it sounds like it does.
- Report to law enforcement. FBI via IC3.gov. CISA at cisa.gov/report. Cooperation is a documented mitigating factor under OFAC if a ransom conversation is on the table later.
- Verify backups in isolation. Before restoring anything, confirm the backup chain is intact and not also encrypted. Check the backup logs for signs of tampering going back thirty to sixty days. The attackers were probably in the environment longer than the ransom note implies.
The first hour is easier when someone practiced it before the first hour showed up.
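As an added example (not the article's or Think's code) covering both decision 2 and the "verify backups in isolation" step above: a Python check that reads a backup server's audit log over a sixty-day lookback and flags the tampering pattern crews leave behind, a shortened retention window, deleted restore points, failed jobs, and any backup-admin action by an account outside the isolated backup-admin set. The log format, account names and dates are constructed assumptions, not a real product's output.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (assumed format). A domain account shortens
# retention, deletes restore points, and nightly jobs then start failing.
SAMPLE_BACKUP_LOG = """\
2026-01-05T02:00:11Z event=job job=nightly-full repo=immutable-01 status=success actor=svc_backup
2026-01-20T23:41:02Z event=retention_changed repo=immutable-01 old_days=30 new_days=1 actor=CORP\\jsmith
2026-01-21T00:02:45Z event=restore_point_deleted repo=immutable-01 count=57 actor=CORP\\jsmith
2026-01-22T02:00:03Z event=job job=nightly-full repo=immutable-01 status=failed actor=svc_backup
2026-01-23T02:00:05Z event=job job=nightly-full repo=immutable-01 status=failed actor=svc_backup
2026-02-01T02:00:09Z event=job job=nightly-full repo=immutable-01 status=success actor=svc_backup
"""

# Assumed accounts allowed to administer backups, disjoint from domain admin
# (the credential isolation the article describes).
BACKUP_ADMINS = {"svc_backup", "backupadmin"}
NOW = datetime(2026, 2, 2, tzinfo=timezone.utc)  # constructed "today"


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def tampering_indicators(log_text, now, lookback_days=60):
    """Return (date, description, actor) findings inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["ts"] < cutoff:
            continue
        day = r["ts"].date().isoformat()
        if r["event"] == "retention_changed" and int(r["new_days"]) < int(r["old_days"]):
            findings.append((day, "retention shortened", r["actor"]))
        elif r["event"] == "restore_point_deleted":
            findings.append((day, f"{r['count']} restore points deleted", r["actor"]))
        elif r["event"] == "job" and r["status"] != "success":
            findings.append((day, "backup job failed", r["actor"]))
        # Any administrative action by an account outside the isolated set is
        # itself a finding: it means the isolation has already been crossed.
        if r["event"] != "job" and r["actor"] not in BACKUP_ADMINS:
            findings.append((day, "admin action by non-backup account", r["actor"]))
    return findings


if __name__ == "__main__":
    for day, what, who in tampering_indicators(SAMPLE_BACKUP_LOG, NOW):
        print(day, what, who)
```

A non-empty result means the chain is suspect and nothing should be restored from it until a known-good restore point before the first finding is confirmed; a five-day lookback on the same log returns nothing, which is why the thirty-to-sixty-day window matters.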
Where Think Comes In
We spend most of our time on the first four items in the “five decisions” list. Backup and disaster recovery is part of every managed IT engagement, with hourly immutable snapshots and tested restores. Cybersecurity covers the identity, EDR, and monitoring side, backed by a 24/7 security operations center.
We’ve managed IT for Florida businesses since 2011. In that time we’ve worked plenty of incidents with plenty of outcomes. The common thread on the good outcomes is that the decisions above were already made.
For the broader resilience picture, our business continuity guide walks through the full recovery system. For the version of this threat where no ransom is ever offered, what Stryker’s attack teaches every business owner covers destructive wiper attacks.
If you’re not sure where your business stands against the threats in this post, start a conversation with us. We’ll walk through your identity posture, your backup isolation, and your detection stack, and tell you honestly where the gaps are. No pitch, no pressure. Just an honest look.
Sources
1. The State of Ransomware 2025. Sophos, April 2025. Survey of 3,400 IT professionals across 17 countries. Dwell time, encryption rates, median ransom demand of $1.32 million, 88% of ransomware breaches hit SMBs, exploited vulnerabilities as the #1 root cause. sophos.com
2. The Ransomware Speed Crisis. Palo Alto Networks Unit 42, September 2025. Time from first click to ransom compressed to hours; under-an-hour data exfiltration in a growing share of 2025 cases. paloaltonetworks.com
3. 2026 Cyber Threat Report, via Dark Reading, “RMM Abuse Explodes as Hackers Ditch Malware.” Huntress, January 2026. 277% year-over-year growth in abuse of legitimate remote-management tools (ConnectWise ScreenConnect, AnyDesk, Atera). darkreading.com
4. 2024 Ransomware Trends Report. Veeam, May 2024. Survey of 1,200 IT leaders whose organizations had been hit by ransomware. 96% of attacks target backup repositories; 76% breach them successfully. veeam.com
5. Cyber Insurance Requirements (2026 Guide), summarizing Marsh McLennan’s 2024 Cyber Insurance Market Report. MoneyGeek. 41% of first-submission applications denied; missing MFA and inadequate endpoint protection as the top two denial reasons. moneygeek.com
6. Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. U.S. Department of the Treasury, Office of Foreign Assets Control, September 2021. Strict liability standard; mitigating factors; scope extended to financial institutions, cyber insurers, and IR firms. ofac.treasury.gov
7. DMCAR Trend #7: Data Breaches Give Rise To An Unprecedented Number Of Class Action Filings. Duane Morris Class Action Review 2025, January 2025. Data-breach class action filings grew from ~300 in 2020 to 1,488 in 2024, a roughly fivefold increase. duanemorris.com
Further Reading
- #StopRansomware Guide. CISA, FBI, NSA, and MS-ISAC, updated 2023. Joint federal guidance on preventing, detecting, responding to, and recovering from ransomware. Includes the official incident-response checklist and law-enforcement reporting paths. cisa.gov