Ransomware starts small.
Ransomware doesn't arrive with sirens. It arrives as one boring email, one click, one moment of trust — and then spreads quietly for days before the lock.
Every ransomware story we respond to starts the same way — not with sirens, but with a quiet moment nobody thought was important. One click on a Word doc. One call to a help desk that wasn't actually the help desk. One reused password. The real damage comes later, but it all traces back to a single small mistake.
The quiet phase nobody sees
After that first click, attackers don't encrypt anything right away. They poke around. They steal credentials. They find backup servers and quietly delete backups. They map out the network. This phase often lasts one to three weeks. Only when they're satisfied do they pull the trigger on encryption — usually on a Friday night or before a holiday — so you wake up to a ransom note with no clean backup to restore from.
How it escalates from a single click
“An office manager at a small law firm clicked a fake Microsoft login email and typed her password.”
Red flag: Two weeks later, the firm's file server was encrypted on a Saturday morning. The attackers had been inside the whole time reading case files.
“An employee took a call from someone claiming to be the company's IT help desk and allowed remote access.”
Red flag: The 'help desk' was an attacker. They installed a remote tool, stayed quiet for ten days, then deployed ransomware across twelve servers.
The three controls that actually stop it
- MFA on every account — stops the stolen-password attack from escalating.
- EDR (endpoint detection and response) on every device — spots the quiet phase and kills the process.
- Offline, tested backups — means if the worst happens, you're back in hours, not weeks.
Not sure where you stand?
A 30-minute security review will tell you in plain English. No jargon, no sales pressure.
1. Deploy EDR on every endpoint — servers, desktops, laptops. Defender for Business is a solid baseline.
2. Verify your backups run AND test a restore this month. Untested backups are not backups.
3. Keep at least one backup offline or in a separate account attackers can't reach from your network.
4. Train staff to hang up and call back when 'IT' calls out of the blue.
5. Patch the internet-facing stuff this quarter — firewalls, VPNs, any remote access.
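Step 2 (check that backups actually ran, then prove a restore works) is the one a small team can script. The following is an added example, not code from the original post: it backs up a constructed sample directory, records a SHA-256 manifest, restores the archive into a scratch directory, compares every file against the manifest, and fails the drill when the archive is older than the expected backup window (a stopped backup job looks exactly like that). The directory names, file contents and the 24-hour window are assumptions made for the demo.

```python
"""Backup restore drill: back up a directory, then prove the backup
restores byte-for-byte and is recent. Added example; every path and
file below is constructed for the demo, not taken from any real system."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Create a tar.gz of source and write its hash manifest beside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = manifest_for(source)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def restore_drill(archive: Path, max_age_hours: float = 24.0) -> dict:
    """Restore the archive into a scratch dir and compare every file with
    the manifest. 'ok' is True only if the backup is recent enough AND
    every file comes back with the hash recorded when it was taken."""
    manifest = json.loads(manifest_path(archive).read_text())
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and ".." members,
                # so a tampered archive cannot write outside the scratch dir.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument
                tar.extractall(scratch)
        restored = manifest_for(Path(scratch))
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {
        "age_hours": age_hours,
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "ok": age_hours <= max_age_hours and not missing and not corrupted,
    }


def run_drill_demo() -> dict:
    """Back up a constructed sample tree and run the drill three times:
    clean, after the backup job 'stopped' eight days ago, and after one
    restored file no longer matches its recorded hash."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "fileshare"  # constructed sample share
        (src / "cases").mkdir(parents=True)
        (src / "cases" / "matter-0001.docx").write_bytes(b"constructed sample content")
        (src / "notes.txt").write_text("constructed sample note\n")
        archive = work / "fileshare.tar.gz"
        make_backup(src, archive)
        clean = restore_drill(archive)
        # Simulate a backup job that silently stopped: age the archive 8 days.
        old = time.time() - 8 * 24 * 3600
        os.utime(archive, (old, old))
        stale = restore_drill(archive)
        # Simulate silent corruption: one recorded hash no longer matches.
        mpath = manifest_path(archive)
        manifest = json.loads(mpath.read_text())
        manifest["notes.txt"] = "0" * 64
        mpath.write_text(json.dumps(manifest))
        tampered = restore_drill(archive)
    return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, report in run_drill_demo().items():
        print(name, "OK" if report["ok"] else "FAIL", report)
```

In practice the drill runs on a schedule against the real archive and the result goes to whoever owns the backups; a failed drill is the signal to fix the job before it is needed. Running the archive from a separate account (step 3) keeps the same test honest, since an attacker who deletes the live backups cannot reach the copy being tested.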
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.