Ransomware Protection for Townsville Businesses
Ransomware is the single biggest cyber threat facing Australian small businesses right now. It's not just a problem for large corporations — in fact, small businesses are specifically targeted because they're more likely to pay and less likely to have strong defences. This guide explains what ransomware actually is, how businesses get hit, and what you can do today to make your business a hard target.
What Is Ransomware and How Does It Work?
Ransomware is malicious software that encrypts your files — documents, photos, databases, everything — and demands payment (usually cryptocurrency) for the decryption key. Once it runs, it can spread across your entire network in minutes, encrypting shared drives, backup locations, and connected servers.
The attack typically follows this pattern:
- Entry — an attacker gets access to your network (usually via phishing email or compromised password)
- Reconnaissance — they spend time (sometimes days or weeks) quietly mapping your network, identifying backups, and maximising their footprint before triggering the encryption
- Encryption — all accessible files are encrypted simultaneously; network shares and mapped drives are hit first
- Ransom demand — a message appears on screen with payment instructions and a deadline
Modern ransomware groups also exfiltrate (steal) data before encrypting — so they can threaten to publish sensitive client or financial data if you don't pay, even if you restore from backups.
How Businesses Get Hit
The vast majority of ransomware incidents start in one of three ways:
1. Phishing Emails
A staff member receives a realistic-looking email — from what appears to be a supplier, courier, or bank — and clicks a link or opens an attachment. This downloads the ransomware or gives the attacker credentials.
Modern phishing is sophisticated. Emails reference real order numbers, use your company name, and are personalised using publicly available information. "Just don't open suspicious emails" is not adequate protection — training and technical controls are.
2. Compromised Passwords
An attacker obtains a username and password — either from a data breach (your staff member used the same password elsewhere) or by brute-forcing a weak password on a remote access service. They log in as a legitimate user and run the ransomware from inside.
Remote Desktop Protocol (RDP) exposed to the internet is one of the most common entry points in Australia. If your business uses RDP and doesn't have MFA and a VPN in front of it, this is a critical risk.
3. Unpatched Software Vulnerabilities
Attackers exploit known security holes in software that hasn't been updated — Windows, your firewall, remote access tools. These vulnerabilities are often publicly known, meaning automated scanning tools can identify unpatched systems within hours of a vulnerability being disclosed.
What to Do Right Now — Practical Defences
Priority 1: Multi-Factor Authentication (MFA) on Everything
MFA requires a second form of verification (usually a phone app code) in addition to a password. Even if an attacker has your password, they can't log in without the second factor.
Enable MFA on:
- Microsoft 365 / Google Workspace (highest priority)
- Any VPN or remote access system
- Your banking and financial accounts
- Your domain registrar and DNS provider
- Cloud storage (OneDrive, Dropbox, Google Drive)
MFA is free on Microsoft 365 and blocks over 99% of automated credential attacks. There is no excuse for not having this enabled.
Priority 2: Tested Offline Backups
Backups are your get-out-of-jail card — but only if:
- They're isolated from your main network (ransomware specifically targets connected backup drives and network shares)
- They follow the 3-2-1 rule: 3 copies, on 2 different media, with 1 offsite
- They're tested regularly — someone actually restores files from the backup and confirms they work
A backup that's mapped as a network drive will be encrypted along with everything else. Cloud backups with versioning (like OneDrive or a proper backup service) are better, but need to be configured correctly to maintain history beyond 30 days.
Priority 3: Patch Everything Consistently
Keep Windows, Office, and all software updated. Enable automatic updates where possible. For server software, assign someone the responsibility of checking and applying patches monthly.
Unpatched systems are the low-hanging fruit for ransomware groups. A managed IT provider can handle this automatically as part of patch management.
Priority 4: Staff Training
Your staff are your biggest vulnerability — and your best defence. Regular training on recognising phishing, safe email practices, and what to do if they click something suspicious dramatically reduces successful attacks.
Training doesn't need to be expensive. Regular short sessions (15 minutes, quarterly) with real examples of current phishing campaigns are more effective than annual compliance tick-boxes.
Priority 5: Endpoint Detection and Response (EDR)
Standard antivirus detects known threats. EDR (endpoint detection and response) software monitors behaviour — it can catch ransomware that's never been seen before by looking for suspicious activity patterns (mass file encryption, unusual process execution). This is the current best practice in business security.
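As an added illustration of the behaviour-based detection described above (example code written for this page, not taken from any EDR product), the Python below scores each file write by the entropy of the data written and by the resulting extension, then flags any process that performs many such writes inside a short window. The process names, paths, thresholds and file events are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, process, path after write, bytes written)
ENCRYPTED = bytes(range(256))                  # stand-in for ciphertext: 8 bits/byte
PLAIN = b"Quarterly invoice totals\n" * 10     # ordinary document content
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "WINWORD.EXE", r"C:\Share\quote.docx", PLAIN),
    ("2024-05-01T09:00:05", "backup.exe", r"D:\Backups\nightly.zip", ENCRYPTED),
] + [
    ("2024-05-01T09:01:%02d" % (i * 2), "updater.exe",          # hypothetical malware
     r"C:\Share\file%d.docx.locked" % i, ENCRYPTED) for i in range(12)
]
KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}   # extensions the business uses

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking (encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_write(path: str, data: bytes) -> bool:
    """High-entropy content written under an extension the business never uses."""
    ext = "." + path.lower().rsplit(".", 1)[-1] if "." in path else ""
    return shannon_entropy(data) > 7.5 and ext not in KNOWN_EXT

def flag_mass_encryption(events, window_seconds=60, threshold=10):
    """Peak count of suspicious writes per process in any window; only processes
    reaching threshold are returned (one compressed backup file is high entropy too)."""
    per_proc = defaultdict(list)
    for ts, proc, path, data in events:
        if suspicious_write(path, data):
            per_proc[proc].append(datetime.fromisoformat(ts))
    flagged = {}
    for proc, times in per_proc.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged
```

The volume threshold is what separates a nightly backup job (one high-entropy archive) from a process rewriting dozens of documents per minute; in a real deployment the window, threshold and extension list would be tuned to the business.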
If You're Hit Right Now — What to Do
- Disconnect affected computers from the network immediately — unplug ethernet cables, turn off Wi-Fi. This stops the ransomware spreading to other machines.
- Do not restart or shut down the affected computers unless you're told to by a security professional — some ransomware deletes itself on restart, making forensics harder; others encrypt more on restart.
- Call us or a cyber incident response provider immediately. The first few hours are critical for containing damage.
- Don't pay the ransom immediately — there are often alternatives, and payment doesn't guarantee recovery.
- Report to the Australian Cyber Security Centre at cyber.gov.au/report — this helps authorities track ransomware groups and may assist in recovery.
- Check your backups — when did they last run? Are they clean? What's the earliest clean restore point?
How Managed IT Reduces Ransomware Risk
A properly managed IT environment addresses most ransomware attack vectors proactively:
- Patch management keeps every system updated — eliminating the vulnerability exploit entry point
- MFA enforced across all Microsoft 365 accounts — blocking credential attacks
- EDR deployed and monitored — catching threats before encryption begins
- Backup monitoring with tested recovery — ensuring you can always restore
- Regular security reviews — identifying new risks as they emerge
- Staff training coordination — keeping your team aware of current threats
No solution is 100% guaranteed. But a well-managed IT environment makes your business a significantly harder target — and ransomware groups largely target the path of least resistance.
Is Your Business Protected?
Free security assessment for Townsville businesses. We'll check your MFA status, backup configuration, patch levels, and remote access exposure — and give you a prioritised action list. No obligation.
Frequently Asked Questions
We're a small business — are we really a target?
Yes. Ransomware groups don't target specific businesses — they use automated tools to scan the internet for vulnerable systems. A small business with an exposed RDP port and no MFA is just as targetable as a large corporation. In many ways, small businesses are more attractive: they're more likely to pay (they can't afford extended downtime) and less likely to have incident response capabilities. The "we're too small to be targeted" mindset is exactly what attackers count on.
Can I recover my files without paying if I get hit?
Sometimes, but it depends on the ransomware variant. Some older or poorly implemented ransomware variants have had their encryption keys leaked by security researchers — tools like No More Ransom (nomoreransom.org) are worth checking. In most cases though, without clean backups, recovery requires either paying or accepting data loss. This is why backups are the most important defence.
Is cyber insurance worth getting for a small business?
For businesses handling client data, financial records, or dependent on uptime — yes. Cyber insurance typically covers incident response costs, data recovery, business interruption, and sometimes ransom payments. Premiums have risen significantly in recent years as claims have increased, but for most businesses it remains cost-effective relative to the exposure. Many insurers now require MFA and tested backups as conditions of coverage — another reason to implement them regardless.
