How Ransomware Comes for Small Organizations

When you hear “ransomware” in the news, it’s usually a hospital chain or a pipeline. What doesn’t make the news is the 12-person dental office, the small-town school district, or the church office that quietly paid a ransom last month. These are the easiest targets, and they’re where most ransomware actually lands.
The usual targets are small organizations with one shared computer or a simple network, especially:
Dental offices, chiropractors, family clinics
Law firms and accountants under 20 people
Small-town school districts and individual schools
Churches and religious organizations that run their own office
Nonprofits with one or two paid staff
Independent retail shops with a back-office PC
Real estate offices
Anyone with patient files, student records, or donor information on a shared drive
If your organization keeps records on a computer and you couldn’t operate without them for a week, you’re a target.
The story is almost always the same. It starts with an email, not a hack.
The phishing email. Someone on staff gets an email that looks like a vendor invoice, a delivery notice, or a shared document link. They click. They sign in on what looks like a real Microsoft or Google page. It isn’t.
The quiet sit-in. The attacker now has a username and password for your email system. They spend a few days reading emails, learning who approves invoices, and finding the shared drive.
The spread. If the compromised account has access to a shared network drive or any internal systems, the attacker scans for backup files and patient or donor records. Sometimes they just install their ransomware software on one computer and let it copy itself to everything else that’s connected.
The lock. One morning, every file on every computer shows a file name like patient_records.doc.encrypted. A text file appears on the desktop saying “Your files have been encrypted. Pay $15,000 in Bitcoin within 72 hours or we publish your data.”
The choice. Either you pay and hope they actually unlock the files (many don’t), or you rebuild from backups (if you have any), or you close down for a month while an expert tries to untangle it. Small orgs often end up paying because they can’t operate without the files.
Most ransomware is spotted AFTER the damage. But there are earlier warning signs:
Emails from Microsoft, Google, or your bank saying “someone signed into your account from a new location”
Co-workers reporting phishing emails sent from YOUR email address
Unusual password reset notifications
A computer that suddenly runs slowly or has its antivirus turned off
Files on the shared drive being renamed or disappearing
An invoice payment that went to a new bank account for a regular vendor (the attacker may have intercepted billing emails)
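Two of the warning signs above, files on the shared drive being renamed and a note appearing that announces the encryption, can be checked for without an IT person. The script below is an added example, not part of the original post: it walks a folder the way you would walk a shared drive, counts files whose normal extension has an unfamiliar second extension tacked on (the patient_records.doc.encrypted pattern), and looks for a small text file that reads like a ransom note. The list of "known" office extensions, the note phrases, and the alert threshold of 20 renamed files are assumptions for a small office; the folder it scans in the demo is constructed on the spot, so you can run it anywhere.

```python
"""Added example (not from the original post): a plain check for the
"files being renamed" and "note on the desktop" warning signs.

Assumptions, not facts from the post:
  - KNOWN_EXTENSIONS is what a small office typically works with.
  - NOTE_PHRASES are phrases a ransom note tends to contain.
  - 20 renamed files is the point at which a small share is flagged.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions staff normally work with (assumed list).
KNOWN_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                    ".txt", ".jpg", ".png", ".csv"}

# Phrases typical of a ransom note (assumed, not exhaustive).
NOTE_PHRASES = ("your files have been encrypted", "bitcoin", "decrypt")


def looks_renamed(path: Path) -> bool:
    """True when a known extension is followed by an unknown one,
    e.g. report.xlsx.locked -> suffixes ['.xlsx', '.locked']."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-2] in KNOWN_EXTENSIONS and suffixes[-1] not in KNOWN_EXTENSIONS


def looks_like_ransom_note(path: Path) -> bool:
    """True for a small .txt file containing at least two note phrases."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > 10_000:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(phrase in text for phrase in NOTE_PHRASES) >= 2


def scan_share(root: str, rename_threshold: int = 20) -> dict:
    """Walk `root` and summarise what was found.

    The result is flagged 'alert' when renamed files reach the threshold
    or any ransom-note-like file is present."""
    renamed = []
    notes = []
    new_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if looks_renamed(p):
                renamed.append(str(p.relative_to(root)))
                new_exts[p.suffix.lower()] += 1
            elif looks_like_ransom_note(p):
                notes.append(str(p.relative_to(root)))
    return {
        "renamed_files": len(renamed),
        "top_new_extension": new_exts.most_common(1)[0][0] if new_exts else None,
        "ransom_notes": notes,
        "alert": len(renamed) >= rename_threshold or bool(notes),
    }


def build_demo_share(root: str) -> None:
    """Create a constructed folder that mimics a share after an attack."""
    base = Path(root)
    (base / "records").mkdir(parents=True, exist_ok=True)
    for i in range(25):
        # Constructed: a known extension with a strange one appended.
        (base / "records" / f"patient_{i:03}.doc.encrypted").write_bytes(b"\x00" * 16)
    # Ordinary files that must NOT be counted (dots in names are common).
    (base / "records" / "newsletter_v1.2.docx").write_bytes(b"ok")
    (base / "budget.xlsx").write_bytes(b"ok")
    (base / "README.txt").write_text("Filing instructions for front desk staff.")
    # Constructed ransom note on the root of the share.
    (base / "HOW_TO_RECOVER.txt").write_text(
        "Your files have been encrypted. Pay in Bitcoin within 72 hours to decrypt."
    )


def demo() -> dict:
    """Build the constructed share in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_share(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    print(demo())
```

To use it on a real share, call scan_share with the drive's path (for example the mapped drive letter on Windows or the mount point on a Mac) from a scheduled task, and treat "alert": True as the cue to unplug the network cable and call for help. A handful of renamed files is normal day-to-day noise; dozens appearing together is not.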
None of the fixes below require an IT person. You can do them yourself or with the help of a tech-savvy friend or family member in an afternoon.
Before anything happens:
Turn on 2-step verification for every staff email account. This is the single best defence against the first step of the attack. If you use Google Workspace, go to admin.google.com and enforce 2-step verification for all users. If you use Microsoft 365, go to admin.microsoft.com and do the same. Our free course Simple Strategies to Be Secure Online walks you through it.
Make sure backups exist and aren’t connected all the time. A backup plugged into the same PC is a backup the ransomware can eat. Use an external hard drive you unplug, or a cloud backup service like Backblaze or IDrive.
Train everyone on the 4-step check. Sender, language, links, verify. Our free course How Not to Get Phished takes about 30 minutes. Send the link in an all-staff email and ask everyone to take it.
Keep software up to date. Ransomware often exploits old, unpatched software. Turn on automatic updates for Windows, macOS, and your browsers.
If you get hit:
Unplug the affected computer from the network. Literally: Ethernet cable out, Wi-Fi off. This slows the spread.
Don’t pay immediately. Paying funds the criminals and doesn’t guarantee you get the files back.
Report it. Call the Canadian Anti-Fraud Centre at 1-888-495-8501. If you’re in the US, report to the FBI’s IC3. They have decryption keys for some ransomware families.
Contact a professional. A local IT consultant who has dealt with ransomware can often help. Budget a few hundred dollars for an assessment before deciding whether to pay.
Check if your email account was the source. Look at haveibeenpwned.com. Change every password for every account from a clean device.
Ransomware attackers treat small organizations like a grocery run. They send thousands of phishing emails, a few people click, and a percentage of those lead to ransoms. The fix isn’t exotic. Two-step verification on email, separated backups, and thirty minutes of phishing awareness training stop most of these attacks cold.
You don’t need an IT department to get this right. You need one Saturday afternoon.
If ransomware scares you, start with Simple Strategies to Be Secure Online. If you’ve been hit and don’t know what to do, Dave can walk you through the first steps.