How Small Businesses Actually Get Hit by Ransomware — and How to Stop It
Ransomware doesn't target small businesses; it sweeps them up. Here's how the attacks actually work and the controls that meaningfully reduce risk.
“We’re too small to be a target” is the most common thing we hear from Australian SMBs about ransomware. It’s also one of the most dangerous assumptions.
Ransomware attackers mostly don’t pick specific targets. They sweep the internet for vulnerable systems, exploit whatever they find, and only decide what to do with the access afterwards. A 40-person accounting firm in Parramatta is just as likely to end up on the receiving end as a large enterprise — sometimes more so, because the defences are thinner.
This post is a plain explanation of how ransomware attacks on SMBs actually unfold, and the specific controls that reduce the risk.
How SMB ransomware attacks actually happen
Almost every ransomware incident we’ve seen follows one of three entry patterns.
Pattern 1: Phishing with follow-up payload
A staff member receives a convincing phishing email — invoice, quote, CV, delivery notification. They open an attachment or click a link, which leads to credential theft or a malicious payload. The attacker gains initial access, moves laterally inside the network for days or weeks, identifies the backup systems and valuable file shares, then triggers encryption across the environment.
The key insight: the attacker is usually inside for weeks before anything obviously breaks. Detection and response matter as much as prevention.
Pattern 2: Exposed remote access
An RDP port, a VPN gateway, or a remote management tool (like ScreenConnect or TeamViewer) is exposed to the internet with weak or default credentials. Attackers scan constantly for these and brute-force or credential-stuff their way in.
Once inside, the pattern is the same — reconnaissance, privilege escalation, backup destruction, encryption.
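The constant scanning and brute-forcing described above leaves a clear trail in the authentication logs of whatever is exposed. The following is an added example, not the author's tooling: it runs over a handful of constructed login records in a generic format (timestamp, service, result, user, source IP), flags a source that exceeds FAIL_THRESHOLD failures inside a sliding WINDOW, and separately flags a successful login from a source that was already flagged, which is the case that needs a password reset and session revocation rather than just a firewall block. The threshold, window and log format are assumptions to adapt to your own gateway.

```python
"""Detect brute-force / credential-stuffing against an exposed remote-access service.

Illustrative example added to this post (not the author's tooling). Input is a
few constructed auth log lines; the format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures from one source before alerting (assumption)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumption)

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-05-03T22:01:10Z rdp FAIL user=jsmith src=203.0.113.9
2024-05-03T22:01:12Z rdp FAIL user=admin src=203.0.113.9
2024-05-03T22:01:14Z rdp FAIL user=administrator src=203.0.113.9
2024-05-03T22:01:15Z rdp FAIL user=backup src=203.0.113.9
2024-05-03T22:01:17Z rdp FAIL user=scanner src=203.0.113.9
2024-05-03T22:01:19Z rdp FAIL user=helpdesk src=203.0.113.9
2024-05-03T22:03:40Z rdp SUCCESS user=helpdesk src=203.0.113.9
2024-05-03T22:05:00Z vpn FAIL user=mwong src=198.51.100.7
2024-05-03T22:05:30Z vpn SUCCESS user=mwong src=198.51.100.7
"""


def parse_line(line):
    """Split one 'ts service RESULT user=... src=...' record into a dict."""
    ts, service, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text):
    """Return a list of (alert_type, source_ip, detail) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(deque)  # source IP -> timestamps of failures in WINDOW
    flagged = set()                    # sources already alerted as brute-forcing
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        q = recent_fails[ev["src"]]
        # Evict failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) > FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"],
                               f"{len(q)} failures on {ev['service']} within {WINDOW}"))
        elif ev["result"] == "SUCCESS" and ev["src"] in flagged:
            # A success after a failure burst means the guess landed:
            # treat the account as compromised, not just the source as noisy.
            alerts.append(("success_after_brute_force", ev["src"],
                           f"account {ev['user']} on {ev['service']}: treat as compromised"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one that matters operationally: a block on the source IP alone does nothing if the attacker already holds a working credential and can come back from another address. Replace the sample text with an export from your VPN or RDP gateway and tune the threshold to your own baseline of genuine typos.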
Pattern 3: Supply chain compromise
An attacker compromises a service provider — your MSP, a shared management tool, a software vendor. They use the elevated access that provider has into your environment to deploy ransomware.
This was the 2021 Kaseya and SolarWinds pattern. It’s less common at SMB scale than the other two, but the impact when it happens is severe because the attacker already has privileged access.
What ransomware attackers actually do once they’re in
The encryption event is the end of a successful attack, not the beginning. Before the files get encrypted, a professional ransomware operator typically:
- Establishes persistence. Multiple ways back in, so removing the initial access doesn’t evict them.
- Escalates privileges. Targets a domain admin account, or creates their own.
- Maps the environment. File shares, backup systems, critical applications, the domain controller.
- Exfiltrates data. They’ll encrypt your files, but they also copy them first — so you can be extorted twice (pay to decrypt, pay again to prevent leak of stolen data).
- Destroys backups. They know backups are the main way out. Online, network-accessible backups get deleted. Shadow copies get wiped.
- Deploys the encryptor. Usually simultaneously across as many machines as possible, ideally on a Friday evening or long weekend.
This whole sequence typically takes 1-4 weeks. The longer the dwell time, the worse the eventual impact.
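The backup-destruction step is the last high-fidelity signal before encryption, and it is usually done with ordinary built-in Windows commands rather than malware, so it is best caught on process-creation telemetry. The following is an added example, not the author's tooling: it runs a few command-line patterns (the widely published indicators of shadow-copy removal and boot-recovery disabling) over constructed process events in the shape an EDR or Sysmon export would give you. Field names, hostnames and the events themselves are constructed.

```python
"""Flag the backup-destruction step of a ransomware intrusion on process events.

Added example for this post (not the author's tooling). Input events are
constructed; field names (host, parent, cmd) are an assumption about your export.
"""
import re

# Each rule is (name, regex over the lowercased command line).
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no")),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": "services.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "FS01", "parent": "cmd.exe",
     "cmd": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "parent": "cmd.exe",
     "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "WS17", "parent": "explorer.exe",
     "cmd": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe"},
    {"host": "DC01", "parent": "powershell.exe",
     "cmd": r"wmic shadowcopy delete"},
]


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    low = cmd.lower()
    return [name for name, rx in RULES if rx.search(low)]


def detect(events):
    """Return one hit dict per event that matched at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            hits.append({"host": ev["host"], "parent": ev["parent"],
                         "rules": names, "cmd": ev["cmd"]})
    return hits


def hosts_at_risk(events):
    """Distinct hosts with a hit, in first-seen order: these need isolating now."""
    seen = []
    for hit in detect(events):
        if hit["host"] not in seen:
            seen.append(hit["host"])
    return seen


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["host"], hit["rules"], hit["cmd"])
    print("isolate:", hosts_at_risk(SAMPLE_EVENTS))
```

A match here should page a human immediately and trigger host isolation, because the encryptor typically follows within minutes to hours. It is a late indicator, though: the earlier reconnaissance and privilege-escalation phases are where the weeks of dwell time sit, and the behavioural EDR and monitoring discussed below exist to catch those.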
The controls that actually work
Here’s what we’ve seen meaningfully reduce ransomware risk and impact for Australian SMBs.
Prevention
1. Multi-factor authentication on everything. This blocks most phishing-based initial access. Phishing-resistant MFA (hardware keys) for administrator accounts is especially important.
2. Close your external attack surface. Don’t expose RDP to the internet — ever. VPN, and ideally ZTNA behind MFA. Remote management tools behind MFA. Regular external scans to catch anything that got exposed accidentally.
3. Patch quickly. Internet-facing systems within 48 hours of critical patches. Everything else within two weeks.
4. Remove standing admin privileges. Attackers who compromise a normal user account can’t immediately pivot to “destroy the backups” if that user doesn’t have admin rights anywhere.
5. Endpoint protection with behavioural detection. Modern EDR (SentinelOne, CrowdStrike, Defender for Endpoint) can catch the reconnaissance and privilege escalation phase, before encryption starts. Traditional AV won’t.
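Items 2 and 3 above are policies that can be checked mechanically against an asset inventory, which is how the "regular external scans" and patch deadlines stop being good intentions. The following is an added example, not the author's tooling: it evaluates a constructed inventory against three rules taken from the post (no RDP reachable from the internet, internet-reachable remote-access or management services must be behind MFA, critical patches within 48 hours for internet-facing systems and two weeks for the rest). The inventory fields, asset names and dates are constructed.

```python
"""Evaluate an asset inventory against the post's exposure and patching rules.

Added example (not the author's tooling). Inventory records are constructed;
the record layout is an assumption about what your scanner/CMDB can export.
"""
from datetime import datetime, timedelta

SLA_INTERNET_FACING = timedelta(hours=48)  # critical patch deadline, exposed systems
SLA_INTERNAL = timedelta(days=14)          # critical patch deadline, everything else

# Constructed inventory: one record per asset with its internet-reachable
# services and the release time of the oldest unapplied critical patch.
INVENTORY = [
    {"asset": "fw-vpn", "internet_facing": True,
     "exposed": [{"port": 443, "service": "ssl-vpn", "mfa": True}],
     "critical_patch_released": "2024-05-01T09:00:00Z", "patched": False},
    {"asset": "term-srv", "internet_facing": True,
     "exposed": [{"port": 3389, "service": "rdp", "mfa": False}],
     "critical_patch_released": None, "patched": True},
    {"asset": "rmm-srv", "internet_facing": True,
     "exposed": [{"port": 8040, "service": "screenconnect", "mfa": False}],
     "critical_patch_released": "2024-05-02T12:00:00Z", "patched": True},
    {"asset": "file-srv", "internet_facing": False, "exposed": [],
     "critical_patch_released": "2024-04-10T00:00:00Z", "patched": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(inventory, now):
    """Return (asset, finding_type, detail) tuples for every rule violation."""
    findings = []
    for a in inventory:
        for svc in a["exposed"]:
            if svc["service"] == "rdp":
                # Rule from the post: RDP is never exposed, MFA or not.
                findings.append((a["asset"], "rdp_exposed",
                                 f"port {svc['port']} reachable from the internet"))
            elif not svc["mfa"]:
                findings.append((a["asset"], "remote_access_without_mfa",
                                 f"{svc['service']} on port {svc['port']}"))
        released = a["critical_patch_released"]
        if released and not a["patched"]:
            sla = SLA_INTERNET_FACING if a["internet_facing"] else SLA_INTERNAL
            deadline = parse_ts(released) + sla
            if now > deadline:
                findings.append((a["asset"], "patch_sla_breached",
                                 f"deadline was {deadline.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY, parse_ts("2024-05-04T00:00:00Z")):
        print(f)
```

Run it from a scheduled job against a fresh external scan and the patch system's export, and the output is the to-do list for the week. The point of encoding the rules is that "ever" in "don't expose RDP to the internet — ever" becomes a check that fires the day someone opens the port to fix a printer.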
Containment
6. Network segmentation. Flat networks let attackers move laterally freely. Segmentation at least between user VLANs, servers, backup systems, and any OT/IoT gear reduces the blast radius.
7. 24/7 monitoring and response. The dwell time gap — weeks between initial compromise and encryption — is when detection saves the business. Most SMBs don’t have their own SOC; a managed detection and response (MDR) service is a cost-effective alternative.
Recovery
8. Immutable backups. Backup copies that the attacker can’t delete, even with domain admin. Veeam hardened repositories, immutable S3 buckets, Cohesity SpanFS — the specific product matters less than the property. If the attacker can touch the backup with normal privileges, it’s not immutable.
9. Tested restore procedures. “We have backups” is different from “we’ve restored the domain controller, the file server, and the payroll system from backup inside 8 hours.” Test, document, and close the gap between those two states.
10. Documented incident response plan. Who calls the insurer? Who authorises disconnecting the network? Who speaks to staff? Who speaks to customers? These questions don’t have good answers at 3am during an active incident unless they were answered in advance.
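The "immutable" property in item 8 is worth verifying rather than assuming, because the obvious configuration is often not enough. The following is an added example, not the author's tooling, for the S3 case: it evaluates an Object Lock configuration in the shape the S3 GetObjectLockConfiguration API returns (the sample configurations below are constructed) and checks three things: that Object Lock is enabled at all, that the default retention mode is COMPLIANCE rather than GOVERNANCE (GOVERNANCE retention can be bypassed by any principal granted s3:BypassGovernanceRetention, which a compromised admin may well hold, so it does not meet the "even with domain admin" bar), and that the retention period covers the time you need to notice the intrusion and restore. The 30-day floor is an assumption, chosen because the post cites dwell times of 1-4 weeks.

```python
"""Check whether an S3 backup bucket is immutable in the sense this post means.

Added example (not the author's tooling). The config dicts mirror the
S3 GetObjectLockConfiguration response; the sample values are constructed
and MIN_RETENTION_DAYS is an assumption.
"""
MIN_RETENTION_DAYS = 30  # must outlast the time between compromise and discovery


def retention_days(rule):
    """Default retention of an Object Lock rule, normalised to days."""
    dr = rule.get("DefaultRetention", {})
    if "Days" in dr:
        return dr["Days"]
    if "Years" in dr:
        return dr["Years"] * 365
    return 0


def check_object_lock(config):
    """Return (is_immutable, reasons); reasons is empty when the check passes."""
    reasons = []
    if config.get("ObjectLockEnabled") != "Enabled":
        reasons.append("Object Lock not enabled on bucket")
        return False, reasons
    rule = config.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE can be overridden by a sufficiently privileged principal;
        # COMPLIANCE cannot be shortened or removed by anyone until it expires.
        reasons.append(f"default retention mode is {mode!r}, need COMPLIANCE")
    days = retention_days(rule)
    if days < MIN_RETENTION_DAYS:
        reasons.append(f"default retention {days} days < {MIN_RETENTION_DAYS}")
    return not reasons, reasons


# Constructed sample configurations for three buckets.
GOOD = {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}
GOVERNANCE_ONLY = {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 45}}}
TOO_SHORT = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}
NO_LOCK = {}

if __name__ == "__main__":
    for name, cfg in [("good", GOOD), ("governance", GOVERNANCE_ONLY),
                      ("short", TOO_SHORT), ("nolock", NO_LOCK)]:
        ok, why = check_object_lock(cfg)
        print(name, "immutable" if ok else "NOT immutable", why)
```

To run this against a live bucket, feed it the `ObjectLockConfiguration` value from `boto3`'s `get_object_lock_configuration(Bucket=...)` call. The same shape of check applies to any other backup target: ask who, with what credentials, can shorten or remove the retention, and if the answer is "an administrator" then an attacker holding the administrator's credentials can too.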
What NOT to do
Don’t assume cyber insurance will save you. Insurance helps with the financial blow. It doesn’t help with the 72 hours of downtime, the customer trust lost, or the compliance fallout. And policies increasingly require specific controls as a precondition of payout — MFA, EDR, immutable backups, staff training. Read your policy.
Don’t pay the ransom as your first option. Sometimes it’s the pragmatic choice. But payment funds the next attack, doesn’t guarantee working decryption, doesn’t prevent the stolen data being leaked anyway, and may violate sanctions depending on who the attacker is. Professional incident response always evaluates no-pay recovery paths first.
Don’t try to fight an active ransomware incident alone. The moment you see encryption starting, you need an incident response specialist on the phone. Most cyber insurance policies have one pre-nominated; if yours doesn’t, get one on retainer before you need them.
The cost of the problem
The average cost of a ransomware incident for an Australian SMB — including downtime, recovery, legal, regulatory, and reputational costs — is materially higher than the ransom itself. Typical recovery takes 2-4 weeks, during which the business operates at significantly reduced capacity.
Compare that to the cost of the prevention measures above, which for a typical SMB total less than a couple of months of a single IT support FTE.
The bottom line
SMB ransomware isn’t a question of whether you’re big enough to be a target. It’s a question of whether your external attack surface and your defensive controls are harder than the baseline the sweeps are looking for.
Most of the controls above aren’t expensive. They require deliberate implementation, clear ownership, and regular testing. The businesses that survive the incident cleanly are the ones that did the work before they needed to.
If you’d like an honest assessment of where your ransomware risk currently sits — and where the highest-leverage improvements would be — get in touch. A ransomware readiness review typically takes a week and produces a short, actionable list of changes to make.
