A plain-English deep dive into ransomware for small and mid-sized businesses. Explains how a ransomware attack actually works (initial access, spread, encryption, ransom), the common ways it gets in (phishing, stolen passwords, unpatched software), why paying is not a plan, and how to survive it with layered defences and tested, isolated backups. The businesses that recover well are the prepared ones, not the ones who pay.

    Threat Guide Deep Dive
    How it works, and how to beat it

    Ransomware: how it works and how to survive it

    Ransomware is the threat that keeps business owners up at night, and for good reason. But it is not magic, and it is not unbeatable. Here is how an attack actually unfolds, and the handful of things that decide whether it is a bad day or a disaster.

    StartCloud7 July 20268 min read
    The short version

    The short version

    Ransomware gets in through a gap you left open, spreads across your network, then encrypts your files and demands payment. It almost always starts with phishing, a stolen password, or unpatched software.

    Paying is not a plan. It does not guarantee your data back, it funds crime, and you can still be down for days. The businesses that come through well have tested backups.

    The winning formula is boring and effective: MFA, patching, endpoint protection, email security, and backups that are recent, tested, and kept separate from your main systems.

    The attack

    How a ransomware attack unfolds

    It usually happens in stages, and often quietly. First, the attacker gets in, typically through a phishing email, a stolen password, or an unpatched system. Then they look around: mapping the network, finding where the valuable data and the backups live, and quietly gaining more access.

    When they are ready, they strike. The ransomware encrypts files across devices, shared drives, and servers, often trying to reach or delete your backups first so you cannot simply restore. Then comes the ransom note: pay, usually in cryptocurrency, for the key to unlock your data. Many attackers now also steal a copy of your data first and threaten to leak it, so paying to decrypt does not even make the exposure go away.

    The way in

    How it gets in

    Phishing emails

    The most common way in. One click on a malicious attachment or link, and the attacker has a foothold on a device.

    Stolen or weak passwords

    Reused or leaked credentials, especially on remote access without MFA, let attackers log straight in as a real user.

    Unpatched software

    Known vulnerabilities in systems that have not been updated are actively scanned for and exploited to gain access.

    Notice the theme: none of these are brute force. Close these gaps and you stop the overwhelming majority of attacks before they start. Two of them are covered in our deep dive on MFA and business email compromise.

    The ransom

    Why paying is not a plan

    When the note appears, paying can feel like the fastest way out. It rarely is. There is no guarantee the attacker hands over a working key, no guarantee they delete the data they stole, and you are handing money to a criminal operation that will target the next business, maybe even you again.

    The ACSC advises against paying. Even when businesses pay, many still face days of downtime rebuilding systems. The real way out is prepared in advance: tested backups you can restore from.

    The defence

    How to survive it

    There is no single silver bullet. Surviving ransomware is about layers, so that if one fails, another holds, and a safety net that means the worst case is recovery, not ruin.

    MFA everywhere

    Stops the account takeovers that many attacks rely on, even when a password is stolen.

    Patching & endpoint protection

    Closes the holes attackers exploit, and modern EDR detects and isolates suspicious behaviour before it spreads.

    Email security & training

    Filters malicious mail and helps staff spot the lures, cutting off the most common entry point.

    Tested, isolated backups

    The ultimate safety net. If backups are recent, tested, and kept separate from your main systems, you recover instead of paying.

    Backups deserve special mention: the reliable approach keeps multiple copies, on more than one type of storage, with at least one kept offline or otherwise isolated so ransomware cannot reach it. We cover getting recovery right in our business continuity and disaster recovery deep dive.

    Verdict

    The takeaway

    Ransomware is frightening because of what it can do, not because it is unstoppable. The same short list of controls that stops most cyber attacks stops most ransomware too, and tested backups turn the worst case from a business-ending event into a manageable one.

    Getting those layers in place, and monitored so an attack is caught early rather than discovered at 6am, is exactly what our managed security service does. If you are not sure where you stand, that is the place to start.

    FAQ

    Common questions

    Should we pay the ransom?

    The advice from the ACSC is not to pay. Paying does not guarantee you get your data back or that it will not be leaked, it funds criminal groups, and you may still face days of downtime rebuilding. The businesses that recover well are the ones with tested backups, not the ones who pay.

    How does ransomware usually get in?

    Most often through phishing emails, stolen or weak passwords (especially on remote access without MFA), and unpatched software with known vulnerabilities. It rarely 'breaks in' by force; it walks in through a gap that was left open.

    Will antivirus stop ransomware?

    Traditional antivirus catches known threats but misses new or evasive ones. Modern endpoint detection and response (EDR), combined with MFA, patching, email security, and monitoring, is far more effective, and tested backups are what save you if something still gets through.

    How fast can ransomware spread?

    Once inside, it can move across a network in minutes to hours, encrypting shared drives and servers as it goes. That is why early detection and network segmentation matter: the goal is to contain it before it reaches everything.

    StartCloud Assistant

    Online

    G'day! 👋 I'm the StartCloud Assistant. How can I help you today?