// TL;DR

The thing that decides whether ransomware is a bad day or a closed business is your backups, set up before the attack. Businesses with intact, immutable backups recover for a fraction of the cost of those whose backups got destroyed in the attack. Everything else (MFA, EDR, email filtering, segmentation) reduces the odds of getting hit. Your backups decide what happens when you are.

  • Recovery, intact backups: hours to days
  • Recovery, no backups: weeks
  • Highest-return control: immutable backups
  • Should you pay? No

The real question isn't "will I get hit"

Almost every ransomware article aimed at small business is the same list: turn on MFA, train your staff, patch your software, have backups. That advice is correct. It is also everywhere, and it leaves out the part that actually matters.

Here is the part that matters, backed by the 2026 data. When ransomware hits a small business, the cost of recovery splits into two wildly different worlds depending on one thing: whether your backups survived the attack. Organizations with intact backups had a median recovery cost around $375,000. Organizations whose backups were compromised had a median around $3 million. That is an eight-times difference, decided entirely by how the backups were set up before anyone clicked anything.

You don't get to decide whether you're attacked. You do get to decide, in advance, what it costs you.

And the trend that makes this urgent: in 2025, only about 54% of victims successfully restored from their backups, the lowest rate in six years. Not because backups stopped working, but because attackers got good at finding and destroying them first. So this guide is built around the honest center of the problem: reduce your odds of being hit, yes, but above all make sure that when it happens, your recovery is already paid for in preparation rather than in ransom.

How ransomware actually gets in

Ransomware is not magic and it rarely involves some sophisticated zero-day. For small businesses, it comes through a small number of predictable doors, almost all of which are preventable.

01. Phishing email. The most common entry point by far. An employee clicks a link or opens an attachment, and the attacker gets a foothold. AI-generated phishing has made these dramatically more convincing than the old typo-ridden scams.
02. Stolen or reused credentials. An employee's password, exposed in some unrelated breach, gets reused on your systems. Without MFA, that password is a key to the front door.
03. Unpatched software. A known vulnerability in software you never updated. Attackers scan the internet for these constantly. Patch management closes this door automatically.
04. Exposed remote access. A remote desktop service left open to the internet, often set up years ago for convenience and forgotten. These get found and brute-forced.

The pattern across all four: these are preventable with controls that are not expensive or exotic. The reason attacks keep working is not that the defenses are hard, it is that small businesses assume they are too small to be targeted. The data says the opposite. In 2025, ransomware was involved in 88% of all small business breaches, more than double the rate at large enterprises. You are not too small. You are the preferred target precisely because you are small.

The layers that stop it

Ransomware defense is layered security applied to one specific threat. Each layer catches what the previous one missed, mapped to the attack sequence above. For the full model, see our guide to layered security; here is the ransomware-specific stack.

// Layer 1 — MFA everywhere

Multi-factor authentication on every account that supports it, especially email and remote access. This single control eliminates stolen-password attacks as an entry path, and it is usually included free with Microsoft 365 or Google Workspace. If MFA is not on every account, it is not done.

// Layer 2 — EDR, not antivirus

Endpoint detection and response watches for ransomware behavior, like a process suddenly encrypting files fast or trying to disable backups, and stops it mid-attack. Traditional signature-based antivirus misses new variants entirely. This is the single most important endpoint investment, and it runs only a few dollars per device per month.
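To make "watches for ransomware behavior" concrete, here is an added illustration of the two heuristics this paragraph names: a process renaming many files to a new extension within seconds, and a process deleting or renaming anything under the backup store. It is not the article's code and not any EDR product's detection logic; the event format, the thresholds (20 extension-changing renames inside 10 seconds) and the backup path `/backups/` are assumptions, and the events are constructed sample telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as an endpoint sensor might report it (constructed format)."""
    ts: float           # seconds, relative to an arbitrary start
    pid: int
    op: str             # "write", "rename" or "delete"
    path: str
    new_path: str = ""  # only for renames


# Thresholds and paths are assumptions for this illustration, not vendor defaults.
WINDOW_SECONDS = 10.0        # look for bursts inside this window
MASS_RENAME_THRESHOLD = 20   # this many extension-changing renames in the window
BACKUP_ROOT = "/backups/"    # assumed location of the local backup store


def _ext(path):
    return path.rsplit(".", 1)[-1] if "." in path else ""


def _extension_changed(ev):
    return ev.op == "rename" and _ext(ev.path) != _ext(ev.new_path)


def find_suspicious_pids(events):
    """Return {pid: [reasons]} for processes whose activity matches either heuristic."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        reasons = []
        # Heuristic 1: deleting or renaming inside the backup store. Plain writes by the
        # backup agent are normal, so only destructive operations count.
        if any(ev.op in ("delete", "rename") and ev.path.startswith(BACKUP_ROOT) for ev in evs):
            reasons.append("touched backup store")
        # Heuristic 2: a sliding window over extension-changing renames.
        times = [ev.ts for ev in evs if _extension_changed(ev)]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MASS_RENAME_THRESHOLD:
                reasons.append("mass extension change")
                break
        if reasons:
            verdicts[pid] = reasons
    return verdicts


def sample_events():
    """Constructed sample telemetry, not a capture from any real incident."""
    events = []
    # An editor saving a few documents: normal.
    for i in range(3):
        events.append(FileEvent(ts=1.0 + i, pid=1200, op="write", path=f"/home/ann/report{i}.docx"))
    # The backup agent writing a new archive into the store: normal.
    events.append(FileEvent(ts=2.0, pid=900, op="write", path="/backups/daily/2026-01-01.tar"))
    # One process renaming 25 spreadsheets to a new extension in under five seconds ...
    for i in range(25):
        events.append(FileEvent(ts=10.0 + i * 0.2, pid=4242, op="rename",
                                path=f"/srv/share/invoice{i}.xlsx",
                                new_path=f"/srv/share/invoice{i}.xlsx.locked"))
    # ... and then deleting yesterday's backup archive.
    events.append(FileEvent(ts=16.0, pid=4242, op="delete", path="/backups/daily/2025-12-31.tar"))
    return events


if __name__ == "__main__":
    for pid, reasons in find_suspicious_pids(sample_events()).items():
        print(pid, reasons)
```

Only process 4242 is flagged; the editor and the backup agent, which writes into the store without deleting anything, pass. A real EDR correlates many more signals (entropy of written data, tampering with volume snapshots, process lineage) and responds by stopping the process, but the principle is the one the paragraph states: rules about behaviour catch a variant nobody has seen before, where a signature cannot.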

// Layer 3 — Email filtering with sandboxing

Since phishing is the top entry point, real email security earns its place. Sandboxing opens suspicious attachments in an isolated environment to catch malware that basic spam filters miss. It stops the attack before it reaches the employee.

// Layer 4 — Network segmentation

If one machine gets infected, segmentation keeps it from becoming the whole network. The guest WiFi should not be able to reach the accounting server. This limits the blast radius, which is often the difference between losing one device and losing everything.

// Layer 5 — Patch management

Automated patching closes the known-vulnerability door across every machine, including the laptop someone forgot in a drawer. Done by hand on more than a handful of machines, something always falls behind. That something is the way in.

These five reduce your odds of a successful attack. They are necessary and worth every dollar. But none of them is a guarantee, because no security is perfect. Which brings us to the layer that is not about prevention at all.

Why backups decide everything

Backups are the only control that determines what happens after prevention fails. And in 2026, getting them right means one specific thing that most small business backups get wrong: they have to be immutable.

An immutable backup cannot be changed or deleted for a set period, even by an administrator with full credentials. This matters because modern ransomware does not just encrypt your live data, it actively hunts for your backups and destroys them first, knowing that intact backups are the one thing that lets you refuse to pay. If your backup is a drive plugged into the server or a cloud folder the admin account can delete, the attacker will delete it. An immutable backup survives, because there is no command that can erase it within its lock window.

// The 3-2-1 rule, plus the part that's new

What a survivable backup looks like.

  • Three copies. Your live data plus at least two backups. One copy is not a backup; it is a single point of failure.
  • Two media types. Stored on two different kinds of storage, so one failure mode cannot take out everything at once.
  • One off-site. At least one copy off-site or offline, beyond the reach of an attack on your local network.
  • Plus a lock: immutable. The 2026 addition: at least one copy that cannot be deleted within its window, even with admin access.

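The four rules above can be checked mechanically against an inventory of where your copies live. The following is an added example, not a tool from the article or from any backup vendor: the `Copy` fields, the inventories and the fixed "today" date are constructed, and the rule names are simply the four items above. It treats a lock as real only while its window is still open and the production admin credential cannot override it, which is the distinction the article draws between a deletable cloud folder and an immutable copy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# "Today" for the example, fixed so the result is reproducible (constructed date).
TODAY = datetime(2026, 1, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Copy:
    """One copy of the data: the live system or a backup (field names are assumptions)."""
    name: str
    medium: str                     # e.g. "nvme", "usb-disk", "object-storage", "tape"
    offsite: bool = False           # beyond the reach of the local network
    offline: bool = False           # air-gapped or otherwise unreachable from production
    admin_deletable: bool = True    # could the production admin credential delete it?
    immutable_until: Optional[datetime] = None   # retention-lock expiry, if locked
    is_live: bool = False           # the production data itself, not a backup


def evaluate(copies, now=TODAY):
    """Return {rule: (passed, explanation)} for 3-2-1 plus the immutability requirement."""
    live = [c for c in copies if c.is_live]
    backups = [c for c in copies if not c.is_live]
    media = sorted({c.medium for c in copies})
    away = [c.name for c in backups if c.offsite or c.offline]
    # A lock only counts while its window is open and the admin credential cannot override it.
    locked = [c.name for c in backups
              if c.immutable_until is not None and c.immutable_until > now and not c.admin_deletable]
    return {
        "three copies": (bool(live) and len(backups) >= 2,
                         f"{len(live)} live + {len(backups)} backup(s)"),
        "two media": (len(media) >= 2, "media: " + ", ".join(media)),
        "one off-site": (bool(away), "off-site/offline: " + (", ".join(away) or "none")),
        "immutable": (bool(locked), "admin-proof lock still in force: " + (", ".join(locked) or "none")),
    }


def gaps(copies, now=TODAY):
    """Names of the rules the inventory fails; an empty list means survivable on paper."""
    return [rule for rule, (ok, _) in evaluate(copies, now).items() if not ok]


def weak_inventory():
    """Constructed: the common setup the article warns about."""
    return [
        Copy("file server", medium="nvme", is_live=True),
        Copy("USB drive on the server", medium="usb-disk"),                # reachable and deletable
        Copy("cloud sync folder", medium="object-storage", offsite=True),  # admin can delete it
    ]


def hardened_inventory():
    """Constructed: same business with a retention-locked off-site copy added."""
    return weak_inventory() + [
        Copy("object-lock bucket", medium="object-storage", offsite=True, admin_deletable=False,
             immutable_until=datetime(2026, 3, 1, tzinfo=timezone.utc)),  # assumed 45-day window
    ]


def expired_lock_inventory():
    """Constructed: the lock existed, but its window has already passed, so it no longer counts."""
    return weak_inventory() + [
        Copy("object-lock bucket", medium="object-storage", offsite=True, admin_deletable=False,
             immutable_until=datetime(2025, 12, 1, tzinfo=timezone.utc)),
    ]


if __name__ == "__main__":
    for name, inv in (("weak", weak_inventory()), ("hardened", hardened_inventory())):
        print(name, "gaps:", gaps(inv) or "none")
        for rule, (ok, why) in evaluate(inv).items():
            print(f"  {'PASS' if ok else 'FAIL'} {rule}: {why}")
```

The weak inventory passes 3-2-1 and still fails, because every one of its copies can be deleted with the credentials an attacker steals. The expired-lock case is the one people miss in practice: a retention window that is shorter than the time between backup and discovery gives no protection on the day it is needed.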
// The one that everyone skips

Test the restore. A backup you have never restored from is not a backup, it is a hope. Pull a random file and confirm it opens, quarterly. Run a full restore drill annually. Untested recoveries take three to four times longer when you are finally forced to do one for real, usually on the worst day of your business's year.
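A quarterly "pull a random file and confirm it opens" drill is easy to script, and the scripted version can check something a human opening a document cannot: that the restored bytes match what was backed up. Here is an added example of such a drill, not the article's procedure or any backup product's feature. It records a SHA-256 manifest at backup time, restores a random sample, and compares hashes; the directory layout and the ten sample files are constructed inside a temporary directory, so it runs offline.

```python
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record the hash of every file at backup time. Keep the manifest somewhere the
    attacker cannot rewrite (ideally inside the immutable copy), or it proves nothing."""
    backup_dir = Path(backup_dir)
    entries = {str(p.relative_to(backup_dir)): sha256_of(p)
               for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(entries, indent=1))
    return entries


def restore_sample(backup_dir, manifest_path, restore_dir, sample_size, seed=None):
    """Restore a random sample of files and verify each against the manifest.
    Returns (restored_ok, failed). Any failure means the backup cannot be trusted as-is."""
    manifest = json.loads(Path(manifest_path).read_text())
    picks = random.Random(seed).sample(sorted(manifest), min(sample_size, len(manifest)))
    ok, failed = [], []
    for rel in picks:
        src, dst = Path(backup_dir) / rel, Path(restore_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.copy2(src, dst)            # the actual restore step
            if sha256_of(dst) == manifest[rel]:
                ok.append(rel)
                continue
        except OSError:                       # missing or unreadable in the backup
            pass
        failed.append(rel)
    return ok, failed


def demo_drill():
    """Constructed scenario: ten files are backed up, then one backup file is silently
    corrupted. A drill that checks hashes catches it; one that only checks that the
    file exists would not."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        backup.mkdir()
        for i in range(10):
            (backup / f"doc{i}.txt").write_text(f"invoice {i}\n" * 50)
        manifest = Path(tmp, "manifest.json")
        write_manifest(backup, manifest)
        (backup / "doc3.txt").write_bytes(b"\x00" * 10)   # damage after the manifest was written
        return restore_sample(backup, manifest, Path(tmp, "restore"), sample_size=10, seed=1)


if __name__ == "__main__":
    restored, failed = demo_drill()
    print(f"restored and verified: {len(restored)}; failed: {failed}")
```

For the quarterly spot check, run `restore_sample` with a small `sample_size` against the real backup; for the annual full drill, restore everything and verify every entry. Keep the manifest with the immutable copy rather than next to the live data, since a manifest the attacker can rewrite will happily vouch for a backup they have already damaged.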

This is the whole financial argument in one line: the median recovery with intact backups was around $375,000; with compromised backups, around $3 million. The immutable backup setup that produces the first number costs a small fraction of the difference. No other security investment has a return remotely like it.

If you've already been hit

If you are reading this in the middle of an active incident, here is the short version. Do not panic, and do not start deleting things or paying anyone yet.

  • Isolate, don't shut down. Disconnect affected machines from the network (unplug ethernet, disable WiFi) to stop the spread, but avoid powering them off, which can destroy forensic evidence and sometimes the data itself.
  • Call for help early. An IT provider or incident response team with ransomware experience will move faster and avoid the mistakes that make things worse. This is not the moment for trial and error.
  • Find your backups and verify they're clean. This is where the preparation pays off or doesn't. Confirm your immutable backups are intact before you do anything else.
  • Notify the right people. Your cyber insurance carrier (per your policy), and depending on what data was involved, potentially law enforcement and affected parties. Many policies require early notification to stay valid.
  • Don't rush to pay. See the next section. Paying is rarely the fastest or safest path, and it should never be the first move.

The businesses that recover well are not the ones that respond perfectly under pressure. They are the ones that prepared a documented response plan beforehand, so the steps above are a checklist instead of a panic. If you do not have that plan written down, that is the single most useful thing to fix before anything happens.

Should you pay the ransom?

The honest answer is no, and the 2026 data backs it up clearly. Three reasons.

First, paying does not guarantee recovery. A meaningful share of businesses that paid did not get all their data back. You are trusting criminals to honor a transaction.

Second, paying marks you as a payer. A large majority of businesses that paid a ransom were attacked again, because the criminal ecosystem now knows you will pay. You are not buying safety, you are buying a place on a target list.

Third, payment funds the operation and can carry legal exposure, depending on who the attacker is and what sanctions apply. The share of victims paying has dropped to record lows precisely because more businesses now understand all of this.

The way to never face this decision is to make it irrelevant in advance. With tested, immutable backups, the ransom demand becomes a notification rather than a negotiation: you restore, you harden, you move on.

What protection actually costs

Here is the part that reframes the whole decision. A complete ransomware protection stack for a roughly 15-person business, covering EDR, email security, and immutable backup storage, runs a few hundred dollars a month. Call it the cost of a modest software subscription.

The cost of an actual ransomware incident at a small business commonly runs into the six and seven figures when you add up downtime, recovery labor, lost business, and the rest. Prevention runs roughly ten times cheaper than recovery, and that is before you count the businesses that simply do not survive the downtime.

You do not have to spend like an enterprise. You have to spend deliberately on the few controls that matter, with the immutable backup at the center. That is a budget any small business can carry, and it is a fraction of what the alternative costs.

Not sure if your backups would survive an attack?

Most small business backups can be deleted by the same credentials ransomware steals. We'll check yours, and tell you honestly where the gaps are. No fear-selling.


Frequently asked questions

// How can a small business protect against ransomware?

A layered approach: MFA on every account, modern EDR (not just antivirus), email filtering with sandboxing, network segmentation, automated patching, and above all tested, immutable backups. The first five lower your odds of being hit; the backups decide what it costs you when prevention fails.

// What is an immutable backup?

A backup that cannot be changed or deleted for a set period, even by an administrator. It matters because modern ransomware hunts for and destroys reachable backups first. An immutable backup survives that, which is the difference between a roughly $375K median recovery and a $3M one.

// Should a small business pay the ransom?

No. Paying does not guarantee recovery, marks you as a repeat target, and funds the operation. The way to avoid the decision entirely is tested, immutable backups plus a documented response plan.

// Is antivirus enough to stop ransomware?

No. Signature-based antivirus misses new variants. EDR watches for ransomware behavior and stops it mid-attack. It is the single most important endpoint investment and costs only a few dollars per device per month.

// How long does recovery take?

With tested, immutable backups: roughly 4 to 24 hours for essential systems. Without them: days to weeks, often incomplete. The average downtime for unprepared businesses is around three weeks.

Based in Southern Wisconsin or Chicagoland?

We build ransomware-resilient backups and security for small businesses, in plain English. Honest assessment, no scare tactics.
