Ransomware: The Real Playbook, Not Movie Hacking
It's Friday at 6 PM. Your systems are locked. Here's what actually happened.
Last updated: March 20, 2026
Friday, 6:07 PM. An accounting clerk in Louisiana gets an email from a vendor with a PDF attachment—something about an invoice. She opens it. Nothing obvious happens, so she closes it and goes home for the weekend.
Monday morning, the office manager can't access the shared drive. Then the point-of-sale system won't boot. Then every computer on the network starts showing the same message:
Your files are encrypted.
Send 4.2 Bitcoin to the address below to receive the decryption key.
This address will expire in 72 hours. After that, your files will be deleted.
We can decrypt 3 files for free to prove we can unlock your data.
This is ransomware. And by the time the message appears, the damage is already done—files encrypted, systems locked, business at a standstill. What happened over the weekend was methodical: reconnaissance, privilege escalation, network spreading, and finally, encryption.
How ransomware actually works
Phase 1: Initial access (the PDF the clerk opened)
Ransomware operators need a way in. The most common methods:
- Phishing emails with malicious attachments or links (this is how most SMBs get hit)
- Infostealers that steal credentials, which ransomware operators buy and use for access
- Exploiting vulnerable systems like unpatched VPNs, RDP servers, or outdated software
- Compromised vendor access via an IT provider or software vendor with poor security
The initial infection is usually unremarkable. The PDF closes. The link goes to a normal-looking page. The victim doesn't know they've started something.
Phase 2: Foothold and reconnaissance (the weekend)
Once inside, attackers spend days or weeks:
- Moving laterally from the initial machine to other systems using harvested credentials and network shares
- Escalating privileges to administrator accounts by stealing more credentials or exploiting vulnerabilities
- Mapping the network to find the most valuable data and backup systems
- Disabling defenses by turning off antivirus, deleting backups, or tampering with recovery tools
- Identifying high-value targets like file servers, databases, and domain controllers
During this phase, everything looks normal. The victim doesn't know attackers are walking through their systems, identifying what to encrypt, and planning the attack.
Phase 3: Encryption (usually Friday evening or before holidays)
When attackers are ready, they trigger encryption:
- Files are encrypted with strong cryptography; without the attacker's decryption key they cannot be recovered
- The encryption spreads across the network, hitting file servers, shared drives, and connected computers
- Every few minutes, more systems lock up
- Eventually, every computer that can be reached is encrypted
Ransomware operators choose timing deliberately: Friday night, holiday weekends, or before vacations. They want maximum delay before the victim can respond.
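The two weekend phases above describe behaviours a defender can look for in host and file-server telemetry before the ransom note appears. The Python script below is an added example, not code from the original article: it parses a constructed, simplified log format (not any real product's format) and raises an alert when a host shows defense-tampering events and/or renames many files to one new extension inside a short window. The event names, the five-file threshold and the 60-second window are assumptions chosen for illustration.

```python
"""Toy detector for the staging signals described above: defense tampering
(antivirus off, backup service stopped, recovery data deleted) followed by a
burst of files renamed to one unfamiliar extension. Added example over a
constructed, simplified log format; event names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <event type> <detail>".
# This is not any real product's log format.
SAMPLE_LOG = r"""
2026-03-20T18:07:11 WS-17 FILE_OPEN C:\Users\clerk\Downloads\invoice_4471.pdf
2026-03-20T18:09:40 WS-17 LOGON_SUCCESS user=clerk
2026-03-21T02:14:02 WS-17 AV_REALTIME_DISABLED by=SYSTEM
2026-03-21T02:14:30 WS-17 SERVICE_STOPPED name=BackupAgent
2026-03-21T02:15:05 WS-17 SHADOW_COPIES_DELETED volume=C:
2026-03-21T02:16:00 WS-17 FILE_RENAME \\FS01\shared\q1_invoices.xlsx -> \\FS01\shared\q1_invoices.xlsx.locked
2026-03-21T02:16:02 WS-17 FILE_RENAME \\FS01\shared\payroll.xlsx -> \\FS01\shared\payroll.xlsx.locked
2026-03-21T02:16:05 WS-17 FILE_RENAME \\FS01\shared\contracts\acme.pdf -> \\FS01\shared\contracts\acme.pdf.locked
2026-03-21T02:16:09 WS-17 FILE_RENAME \\FS01\shared\hr\handbook.docx -> \\FS01\shared\hr\handbook.docx.locked
2026-03-21T02:16:14 WS-17 FILE_RENAME \\FS01\shared\pos\config.db -> \\FS01\shared\pos\config.db.locked
2026-03-21T02:16:21 WS-17 FILE_RENAME \\FS01\shared\README.txt -> \\FS01\shared\README.txt.locked
2026-03-21T02:16:03 WS-04 FILE_RENAME \\FS01\shared\draft.docx -> \\FS01\shared\draft_v2.docx
2026-03-21T02:16:40 WS-04 FILE_RENAME \\FS01\shared\notes.txt -> \\FS01\shared\notes.md
"""

# Event types (assumed names) that match "disabling defenses" in Phase 2
TAMPER_EVENTS = {"AV_REALTIME_DISABLED", "SERVICE_STOPPED",
                 "SHADOW_COPIES_DELETED", "RECOVERY_DISABLED"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
RENAME_RE = re.compile(r"^(.*?) -> (.*)$")


def parse(log_text):
    """Turn log lines into (timestamp, host, event type, detail) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def _ext(path):
    """Lower-cased extension of the final path component, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_tampering(events):
    """Return {host: [tamper event descriptions]} for hosts that touched defenses or recovery data."""
    hits = defaultdict(list)
    for _, host, kind, detail in events:
        if kind in TAMPER_EVENTS:
            hits[host].append(f"{kind} {detail}")
    return dict(hits)


def find_rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: new_extension} where a host renamed >= threshold files
    to the same new extension within one window. Renames that keep the
    extension (ordinary "draft_v2" edits) are ignored."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind != "FILE_RENAME":
            continue
        m = RENAME_RE.match(detail)
        if not m:
            continue
        old, new = m.groups()
        if _ext(old) != _ext(new):
            per_host[host].append((ts, _ext(new)))
    bursts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (start, ext) in enumerate(items):
            n = sum(1 for ts, e in items[i:] if e == ext and ts - start <= window)
            if n >= threshold:
                bursts[host] = ext
                break
    return bursts


def assess(log_text):
    """Combine both signals into per-host alerts; both together is CRITICAL."""
    events = parse(log_text)
    tamper, bursts = find_tampering(events), find_rename_bursts(events)
    alerts = []
    for host in sorted(set(tamper) | set(bursts)):
        reasons = []
        if host in tamper:
            reasons.append("defense tampering: " + "; ".join(tamper[host]))
        if host in bursts:
            reasons.append(f"mass rename to .{bursts[host]}")
        severity = "CRITICAL" if host in tamper and host in bursts else "HIGH"
        alerts.append({"host": host, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in assess(SAMPLE_LOG):
        print(alert["severity"], alert["host"], *alert["reasons"], sep=" | ")
```

In practice the same logic would be fed from EDR or file-server audit events and the thresholds tuned against a baseline of normal rename activity. The point is that both signals show up before the ransom note does, while isolating the host can still limit the spread.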
Phase 4: Extortion (the ransom demand)
Once encryption is complete, the ransom note appears. Modern ransomware often includes a second layer:
- File encryption: Files are locked unless you pay
- Data exfiltration: Attackers copy your data before encrypting it, threatening to release it publicly ("double extortion")
- Reputation pressure: Attackers know SMBs depend on customer trust, so they threaten to publish stolen data
The ransom demand is calculated based on what they think you can pay. Mid-size businesses might see demands of $50,000 to $500,000. Some operators accept lower amounts from smaller victims.
What can go wrong
Complete operational shutdown: If your point-of-sale system, ordering system, or production software is encrypted, you can't do business. Every hour of downtime is lost revenue.
Data loss: Even if you pay, there's no guarantee the decryption key works, works quickly, or returns all your files. Some organizations have paid and still lost data.
Stolen data release: If attackers exfiltrated customer data, healthcare records, or proprietary information, paying the ransom doesn't guarantee they delete it.
Regulatory consequences: If the encrypted data included customer PII, healthcare records, or payment card data, you have notification requirements and potential fines.
Recovery without paying: Restoring from backups takes time—days to weeks—and you lose whatever changed between the backup and the encryption.
Targeted repeat attacks: Once attackers know your systems and your data, some operators come back weeks or months later for another hit.
What it costs
- Ransom payment: $10,000 to $500,000+ (ransom only, not including anything else)
- Incident response: $10,000 to $75,000 for forensic investigation, system rebuilding, and recovery
- Business interruption: $5,000 to $50,000 per day in lost revenue during downtime
- Recovery time: Weeks to months of reduced operations while systems are rebuilt
- Customer notification and credit monitoring: If customer data was stolen, $10-$50 per affected record
- Regulatory fines: Varies by industry, can reach $100,000+ for healthcare or financial data
Vendor questions (copy/paste)
"We had a ransomware incident over the weekend. What does your incident response process look like, and how quickly can you start?"
"How do we know if our backups are actually recoverable? Can you do a backup restoration test?"
"Our IT vendor says they have us covered. How do we verify that our backup and recovery would actually work if we got hit?"
"What ransomware-specific protections do you recommend beyond standard antivirus?"
"We clicked something suspicious. What are the early signs that ransomware might be setting up in our network?"
"What's your recommendation for backup strategy that accounts for ransomware? We've heard ransomware targets backups too."
Minimum viable implementation
- Offline backups that ransomware can't reach. This is the most important thing. Cloud backups that are always connected can be encrypted by ransomware. Requirements: at least one backup that is disconnected from your network (air-gapped, or stored immutably so ransomware can't modify or delete it). Test restores quarterly.
- Patch your systems and software. Many ransomware attacks start by exploiting known vulnerabilities. Close the doors. Prioritize internet-facing systems (VPNs, RDP, web servers) and end-user software (browsers, Office, Adobe).
- Enable MFA everywhere, especially on email, VPNs, remote access tools, and cloud services. If attackers get a password, MFA stops them from using it.
- Restrict remote access. If you don't need RDP or VPN open to the world, close it. If you do need it, require MFA and consider putting it behind a VPN.
- Segment your network. File servers, backup systems, and domain controllers shouldn't be on the same network as employee workstations. If one machine gets infected, segmentation limits how far ransomware can spread.
- Disable macros and script execution where possible. Many ransomware variants use PowerShell scripts or macros to spread. Restricting these reduces attack surface.
- Educate employees on phishing. The initial infection usually starts with an employee clicking something. Training reduces clicks.
- Have an incident response plan that includes ransomware scenarios. Who do you call? What's the first thing you do? How do you communicate if email is down? Write it down before you need it.
- Know your recovery time objective (RTO). How long can your business survive without computer systems? A day? A week? Design your backup and recovery strategy to meet that RTO.
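The first item says to test restores quarterly, and the vendor questions above ask how you would know a backup is actually recoverable. The script below is an added example, not from the article or any backup product: it backs up a constructed sample directory into a tar archive that carries a SHA-256 manifest, restores it to a scratch directory, verifies every file against the manifest, and then shows what the report looks like when the restore is incomplete or corrupted. File names and contents are constructed; the archive format and manifest layout are assumptions made for the demo.

```python
"""Backup restore test: archive a directory with a hash manifest, restore it
elsewhere, and verify every file byte-for-byte. Added example using only the
standard library; the sample share and its contents are constructed."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"

# Constructed sample data standing in for a small business file share
SAMPLE_FILES = {
    "finance/q1_ledger.csv": b"date,vendor,amount\n2026-01-05,ACME Supply,1200.00\n",
    "pos/config.ini": b"[pos]\nstation=1\nprinter=receipt01\n",
    "hr/handbook.txt": b"Employee handbook, revision 7.\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map every relative file path under src to its SHA-256 digest."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip'd tar of src with the manifest stored inside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))  # manifest travels with the backup
    return manifest


def _is_safe_member(member: tarfile.TarInfo) -> bool:
    """Refuse absolute paths, parent-directory traversal and links in archive names."""
    name = member.name
    return not (os.path.isabs(name) or ".." in Path(name).parts
                or member.issym() or member.islnk())


def restore(archive: Path, dest: Path) -> int:
    """Extract only safe members into dest; return how many were restored."""
    with tarfile.open(archive, "r:gz") as tar:
        members = [m for m in tar.getmembers() if _is_safe_member(m)]
        # Use the stdlib 'data' extraction filter where this Python provides it
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return len(members)


def verify_restored(dest: Path) -> dict:
    """Compare restored files with the manifest; report missing and corrupt entries."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    missing, corrupt = [], []
    for rel, digest in sorted(manifest.items()):
        p = dest / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
    verified = len(manifest) - len(missing) - len(corrupt)
    return {"ok": not missing and not corrupt, "verified": verified,
            "missing": missing, "corrupt": corrupt}


def run_demo() -> dict:
    """Back up the sample share, restore and verify it, then damage the restore to show a failing report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "share", root / "restore_test"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        archive = root / "share-backup.tar.gz"
        create_backup(src, archive)
        restore(archive, dest)
        clean = verify_restored(dest)
        # Simulate a bad restore: one file silently altered, one missing entirely
        (dest / "finance/q1_ledger.csv").write_bytes(b"garbage")
        (dest / "pos/config.ini").unlink()
        damaged = verify_restored(dest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as-is to see a clean report followed by a damaged one. For a real quarterly test, point create_backup at a copy of the live share and restore onto a machine that is not part of the production network; the manifest check is what turns "the backup job succeeded" into "the data can be read back". The member check before extraction refuses absolute paths, parent-directory components and links so that a tampered archive cannot write outside the restore directory.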
When to hire help
Call someone today if:
- You see a ransom note or suspect ransomware is on your systems
- Files are being encrypted or you're seeing unusual file modifications
- Your backup systems suddenly show signs of tampering
- You can't access systems and you're not sure why
Call someone this week if:
- You want to verify your backups would actually survive a ransomware attack
- You need help implementing the controls above
- You want an incident response plan written down before something happens
You can probably handle it yourself if:
- You have offline/immutable backups that are tested quarterly
- Your systems are patched within a reasonable window
- You have MFA on everything critical
- You have an IT person or vendor who knows your environment and can respond
Ransomware is a business problem, not a technology problem. The decisions you make before an incident—backups, patches, MFA—determine whether you pay or recover. Paying doesn't guarantee recovery. Proper preparation does.