Ransomware: what it does, how it gets in, and how to protect your business

February 8, 2026

Someone in your office opens an email attachment. It looks like a normal document – an invoice, a delivery notification, a CV. Within minutes, files across your server start becoming unreadable. File names change to random characters. A message appears on screen demanding payment in cryptocurrency to unlock your data.

This is ransomware. It encrypts your files so you cannot access them, then demands money for the decryption key. And it does not just hit large corporations. Small businesses are frequent targets precisely because they tend to have weaker defences and are more likely to pay.

Understanding how ransomware works is the first step to protecting against it. It is not magic and it is not unstoppable – but you need the right protections in place before it arrives.

How ransomware gets into a small business

Ransomware does not break through firewalls with sophisticated hacking. It gets in because someone opens a door. These are the most common entry points we see:

Phishing emails

The most common method by far. An email arrives with an attachment or a link. The email looks convincing – it might appear to come from a supplier, a courier company, or even a colleague. Clicking the attachment or link downloads the ransomware. From there, it spreads across everything the infected computer can reach.

Compromised passwords

If an attacker has a stolen password for your remote desktop, VPN, or email account, they can log in as if they were a legitimate user. Once inside, they deploy ransomware manually, often choosing to do it at night or over a weekend when nobody is watching. Multi-factor authentication prevents this by requiring a second verification step, even if the password is compromised.

Unpatched software

Software updates are not just about new features. They fix security vulnerabilities. When a known vulnerability exists and a patch is available but not applied, attackers exploit it. This is especially common with Windows systems and server software that has not been updated in months.

Infected USB drives or external devices

Less common now but still a risk, particularly in environments where people share USB drives between machines. A single infected drive plugged into a computer on your network can trigger an attack.

In most cases, the common thread is the same: the ransomware got in because a basic protection was missing. Not because the attacker was particularly clever.

What happens when ransomware hits

Understanding the timeline helps you understand why prevention matters more than response.

Minutes 1 to 30: Encryption begins

The ransomware starts encrypting files on the infected machine. It works through documents, spreadsheets, databases, images – anything it can access. If the infected computer has access to shared network drives or a server, the ransomware encrypts those too. Modern ransomware can encrypt thousands of files per minute.

Hours 1 to 4: Discovery

Someone notices they cannot open files. File names look wrong. A ransom note appears on the screen or as a text file in every folder. By this point, the damage is often already done.

The demand

The ransom note tells you how much to pay (usually in Bitcoin or another cryptocurrency) and gives you a deadline. Amounts vary – from a few thousand rand for small targets to millions for larger organisations. There is usually a threat: pay within 48 hours or the price doubles, or your data gets published online.

The real cost

Even if you never pay the ransom, the damage is significant:

  • Staff cannot work while systems are down – hours or days of lost productivity
  • Emergency IT recovery is expensive (an evening of emergency server work can run to R7,000 or more)
  • Data that was not backed up is permanently lost
  • Client trust takes a hit, especially if their data was affected
  • Under POPIA, if personal data was compromised, you may need to notify the Information Regulator and affected individuals

Should you pay the ransom?

The short answer: no.

Here is why:

  • No guarantee: Paying does not guarantee you get your data back. Some attackers take the money and disappear. Some provide a decryption tool that only partially works. Some come back and demand more.
  • You become a repeat target: If you pay once, you are flagged as a business that pays. You may be targeted again.
  • You fund the operation: Ransom payments fund the development of more ransomware, which targets more businesses.
  • Law enforcement advises against it: Both South African authorities and international cybersecurity agencies recommend against paying.

The only reliable protection is not needing to pay in the first place. That means having backups that are current, tested, and stored where ransomware cannot reach them.

What to do if ransomware hits your business

If you discover ransomware on your systems, act immediately:

  1. Disconnect the infected machine from the network. Unplug the network cable. Turn off WiFi. The goal is to stop the ransomware from spreading to other machines and your server. Speed matters here.
  2. Do not turn off the machine. Some forensic information lives in memory and is lost when you shut down. Disconnect it from the network but leave it running.
  3. Call your IT support immediately. This is a priority incident. Your IT team needs to assess the scope – which machines are affected, whether the server has been encrypted, and whether backups are intact.
  4. Check your backups before attempting recovery. If your backups are clean and current, recovery is possible. If your backups were connected to the network, they may have been encrypted too. This is why off-site backup matters.
  5. Notify affected parties if required. If client personal information was compromised, POPIA requires notification to the Information Regulator and affected individuals. Your IT provider can help determine what data was exposed.
  6. Document everything. Screenshots of the ransom note, affected file names, the timeline of events. You will need this for your insurer and for any law enforcement report.

How to protect your business from ransomware

Ransomware is preventable. Not with a single product, but with layers of protection that make it difficult to get in and easy to recover if it does.

Backup that ransomware cannot reach

Your most important protection. Off-site backups stored in a secure data centre are not connected to your network, so ransomware cannot encrypt them. Daily backups mean you lose at most a day’s work if you need to restore. More frequent backups reduce that further. And regular restore testing means you know recovery works before you need it. See our disaster recovery planning guide for how to set this up properly.
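What "current and tested" can look like in practice, as an added example that is not code from this article or any backup product: a restore test that compares restored files against SHA-256 hashes recorded at backup time and checks the backup's age. The function names, the manifest approach and the 24-hour threshold are assumptions, and the files are constructed sample data.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

MAX_BACKUP_AGE = timedelta(hours=24)  # assumption: the daily schedule the article mentions

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's relative path to its SHA-256, recorded at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_restore(manifest, restored_root, backup_time, now):
    """Compare a test restore against the manifest and check the backup's age."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    altered = sorted(n for n in manifest if n in restored and restored[n] != manifest[n])
    stale = (now - backup_time) > MAX_BACKUP_AGE
    return {"stale": stale, "missing": missing, "altered": altered,
            "ok": not (stale or missing or altered)}

def demo():
    """Constructed data: one file lost and one damaged in a 30-hour-old backup."""
    files = {"invoices/2026-01.csv": b"client,amount\nacme,1200\n",
             "clients.db": b"constructed database bytes",
             "hr/leave.xlsx": b"constructed spreadsheet bytes"}
    with tempfile.TemporaryDirectory() as source, tempfile.TemporaryDirectory() as restore:
        for name, data in files.items():
            for root in (source, restore):
                target = Path(root) / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(source)
        (Path(restore) / "clients.db").write_bytes(b"truncated")  # damaged in restore
        (Path(restore) / "invoices/2026-01.csv").unlink()         # missing from restore
        now = datetime(2026, 2, 8, 9, 0)
        return check_restore(manifest, restore, now - timedelta(hours=30), now)

if __name__ == "__main__":
    print(demo())
```

A restore test passes only when `ok` is true: nothing missing, nothing altered, and the backup is newer than the threshold.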

Email security

Since phishing is the most common entry point, filtering malicious emails before they reach your staff’s inbox stops most attacks at the source. This includes scanning attachments, checking links, and blocking known malicious senders.

Endpoint protection (not just antivirus)

Standard antivirus catches known threats. Endpoint Detection and Response (EDR) goes further – it monitors what programs are doing on your machines and can isolate a device automatically if ransomware behaviour is detected. The difference: antivirus recognises threats it has seen before. EDR recognises suspicious behaviour it has never seen before.
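To make the difference concrete, here is an added sketch of behaviour-based detection (not code from this article or from any EDR product). It flags a program by what it does, using two symptoms described earlier: a burst of file renames and the same new file appearing in many folders. The event format, process names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60        # illustrative thresholds, not taken from any product
RENAME_THRESHOLD = 5
NOTE_FOLDER_THRESHOLD = 3

# Constructed events: (seconds since start, process, operation, path)
SAMPLE_EVENTS = [
    (0, "winword.exe", "create", "C:\\Users\\thandi\\Documents\\quote.docx"),
    (5, "backup_agent.exe", "rename", "S:\\Backups\\mon.tmp"),
    (100, "backup_agent.exe", "rename", "S:\\Backups\\tue.tmp"),
]
SAMPLE_EVENTS += [(200 + i, "invoice_viewer.exe", "rename", f"S:\\Finance\\file{i}.xlsx")
                  for i in range(6)]
SAMPLE_EVENTS += [(210, "invoice_viewer.exe", "create", f"S:\\{folder}\\READ_ME.txt")
                  for folder in ("Finance", "HR", "Clients")]

def detect(events):
    """Return {process: [signals]} based on behaviour, with no signature lookup."""
    renames = defaultdict(list)                       # process -> rename timestamps
    created = defaultdict(lambda: defaultdict(set))   # process -> file name -> folders
    for ts, proc, op, path in events:
        p = PureWindowsPath(path)
        if op == "rename":
            renames[proc].append(ts)
        elif op == "create":
            created[proc][p.name.lower()].add(str(p.parent).lower())
    findings = defaultdict(set)
    for proc, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):             # sliding time window
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings[proc].add("mass_rename")
                break
    for proc, names in created.items():
        if any(len(folders) >= NOTE_FOLDER_THRESHOLD for folders in names.values()):
            findings[proc].add("same_file_dropped_in_many_folders")
    return {proc: sorted(signals) for proc, signals in findings.items()}

def should_isolate(findings):
    """Escalate only when both signals fire, to limit false alarms."""
    return sorted(proc for proc, signals in findings.items() if len(signals) == 2)

if __name__ == "__main__":
    print(should_isolate(detect(SAMPLE_EVENTS)))
```

The backup agent and the word processor also rename and create files, but neither crosses a threshold, so only the process showing both behaviours is escalated.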

Multi-factor authentication

MFA prevents attackers from using stolen passwords to access your systems remotely. This closes one of the most common entry points for targeted ransomware attacks.

Patch management

Keeping Windows, server software, and applications updated closes the vulnerabilities that ransomware exploits. This sounds simple, but in practice, many businesses fall behind on updates because there is nobody managing it systematically.

Staff awareness

Your staff are the last line of defence against phishing. They do not need formal “cybersecurity training” – they need to know three things: do not open unexpected attachments, do not click links in emails that create urgency, and report anything suspicious rather than ignoring it.

None of these protections works in isolation. Together, they make it significantly harder for ransomware to succeed and significantly easier for you to recover if it does.

Is your business protected?

If you are not sure whether your business could recover from a ransomware attack – or whether your current protections would stop one from happening – we can help you find out.

Talk to us about your security

Or get in touch directly:

Call: 087 820 5005 WhatsApp: 081 526 1626

Want to understand the full picture? See our security solutions for endpoint protection, email security, and monitoring. And make sure your data is properly backed up – because backup is the last thing standing between ransomware and permanent data loss.
