You've just received an email from the wrong address. The phone rings. A client tells you they can't open files. Then the red screen appears: "All your data has been encrypted. Pay 5,000 euros in Bitcoin within 48 hours or lose everything." This isn't a movie. It happens every day to small businesses like yours. Here at Meteora Web, we see it when clients come to us for recovery after an attack. And the first hard truth is: those who pay the ransom often don't get their data back. Ransomware isn't just a virus — it's a precise mechanism, and understanding how it works is the first step to not being overwhelmed.
This guide is for businesses without an internal IT department, for those running an e-commerce, a professional practice, or a store with an online management system. We'll talk concrete prevention — domains to update, backups to make, software to configure — and what to do if the worst happens. Zero theory, only action.
How does ransomware work? The three-phase mechanism
Ransomware doesn't appear by magic. It follows a precise sequence. Understand it, and you'll recognize it before it's too late.
Phase 1 — Infiltration. Ransomware usually enters via a phishing email (malicious attachment, fake link) or by exploiting a known but unpatched vulnerability — an old WordPress plugin, a server with RDP exposed on port 3389 with a weak password.
Phase 2 — Execution and spread. Once inside, the malware connects to a command and control server (C2) and receives instructions. It encrypts local files and, if it finds network resources, tries to spread to other PCs, servers, and connected backups.
Phase 3 — Ransom demand. The system displays a message with a payment request, usually in cryptocurrency, and a timer. If you don't pay by the deadline, the ransom increases or files are destroyed.
Common mistake to avoid: thinking "it won't happen to me." According to reports from the Cybersecurity & Infrastructure Security Agency (CISA) and our own experience, small businesses are the preferred target precisely because they have fewer defenses. We've seen a farming client lose their harvest database because the backup was on the same server. That's not an extreme case.
Action: Open a command prompt on Windows (cmd) and type netstat -an | findstr :3389. If you see a line for port 3389 in LISTENING state, Remote Desktop is enabled and accepting connections (a local address of 0.0.0.0:3389 or [::]:3389 means on every network interface); if you also see ESTABLISHED connections on that port from IP addresses that are not on your local network, someone outside is already connected and your RDP is exposed publicly. Stop it immediately: disable Remote Desktop in the system settings or block the port on the firewall.
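The same check as a small script, added here as an example (it is not from the original article): it parses netstat -an output, whose Proto/Local Address/Foreign Address/State columns look the same on Windows and Linux, and separates "listening on every interface" from "someone outside the LAN is connected". The sample output is constructed; the LAN ranges are an assumption you should adjust to your own network.

```python
import ipaddress
import subprocess

# Constructed sample of "netstat -an" output (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.15:51002     ESTABLISHED
  TCP    192.168.1.20:3389      203.0.113.77:40111     ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:3389           *:*
"""

# Ranges that count as "your own network" (assumed): private LAN ranges and loopback.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

def split_host_port(addr):
    """'0.0.0.0:3389' -> ('0.0.0.0', 3389); '[::]:3389' -> ('::', 3389); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def rdp_findings(netstat_text, port=3389):
    """Return (finding, detail) pairs for TCP lines on `port`: 'listening_all_interfaces' when
    the service accepts connections on every address, 'connection_from_outside' for an
    established session whose peer address is not inside LAN_NETWORKS."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header, UDP and blank lines carry nothing we need here
        local, foreign, state = parts[1], parts[2], parts[3]
        local_host, local_port = split_host_port(local)
        if local_port != port:
            continue
        if state == "LISTENING" and local_host in ("0.0.0.0", "::"):
            findings.append(("listening_all_interfaces", local))
        elif state == "ESTABLISHED":
            peer_host, _ = split_host_port(foreign)
            try:
                peer = ipaddress.ip_address(peer_host)
            except ValueError:
                continue
            if not any(peer in net for net in LAN_NETWORKS):
                findings.append(("connection_from_outside", peer_host))
    return findings

def check_this_machine():
    """Run netstat -an on the local machine and return the RDP findings."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return rdp_findings(out)
```

Run check_this_machine() on the PC in question; an empty list means no RDP listener on all interfaces and no session from outside your LAN at that moment.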
Ransomware prevention: what to do today to avoid paying tomorrow
Prevention isn't a €50,000 project. It's a list of concrete actions any SME can implement in an afternoon. Start with what makes the real difference.
3-2-1 backup: the only insurance that works
3 copies of your data, on 2 different media, 1 of which offline (not connected to the network). Sounds simple, but how many people have an external disk that they physically disconnect after the backup? We at Meteora Web always point it out: a cloud-synced folder (like Google Drive) is useless as a backup if ransomware encrypts it together with the original files. An offline backup (e.g., an external hard drive connected only during the backup and then disconnected) is the only one that withstands an attack. Use an automated script or a tool like Veeam Agent Free for scheduled backups to a removable drive.
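An added example of the kind of automated script the paragraph mentions (it is not Meteora Web's tooling and not Veeam): it writes dated, hash-verified snapshots to the removable disk and refuses to run unless a marker file you create once on that disk is present, so an unplugged drive never turns into a "backup" into an empty folder on the internal disk. The marker file name, the snapshots folder layout and the demo data are assumptions; physically disconnecting the disk afterwards is still your job.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime
from pathlib import Path

MARKER = ".offline-backup-target"  # hypothetical marker file, created once on the external disk

def sha256_of(path):
    """Hash a file in chunks so large databases do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(source, drive, keep=8, stamp=None):
    """Copy `source` into a new dated snapshot under `drive`, verify it, prune old snapshots.
    Dated snapshots rather than a mirror: if today's files are already encrypted, last week's
    clean copy is still on the disk. Refuses to write unless the marker file is present."""
    source, drive = Path(source), Path(drive)
    if not (drive / MARKER).is_file():
        raise RuntimeError(f"{drive} is not the marked backup disk; refusing to write")
    snap = drive / "snapshots" / (stamp or datetime.now().strftime("%Y%m%d-%H%M%S"))
    shutil.copytree(source, snap / "data")
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in source.rglob("*") if p.is_file()}
    bad = [rel for rel, d in manifest.items() if sha256_of(snap / "data" / rel) != d]
    if bad:
        raise RuntimeError(f"copy verification failed for {bad}")
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=1))
    snaps = sorted((drive / "snapshots").iterdir())
    for old in snaps[:max(0, len(snaps) - keep)]:
        shutil.rmtree(old)  # drop the oldest snapshots beyond `keep`
    return snap

def verify_snapshot(snap):
    """Re-hash a snapshot against its manifest; returns the files that no longer match."""
    snap = Path(snap)
    manifest = json.loads((snap / "manifest.json").read_text())
    return [rel for rel, d in manifest.items() if sha256_of(snap / "data" / rel) != d]

def make_demo_tree():
    """Constructed 'office' folder and an empty 'usbdisk' folder for trying this offline."""
    root = Path(tempfile.mkdtemp())
    src = root / "office"
    (src / "customers").mkdir(parents=True)
    (src / "customers" / "list.csv").write_text("id,name\n1,Constructed Customer\n")
    (root / "usbdisk").mkdir()
    return str(src), str(root / "usbdisk")
```

Schedule backup("C:/Office", "E:/") (or the equivalent paths on Linux) weekly, and run verify_snapshot on the newest snapshot before you trust it during a restore.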
Software updates: the most exploited gap
WordPress plugins, Joomla modules, PHP versions, system libraries: all of these need to be kept up to date. Zero-days are discovered daily. Microsoft releases patches on the second Tuesday of each month. We set automatic updates for WordPress (via wp-config.php with define('WP_AUTO_UPDATE_CORE', true);) and monitor plugins with a service like WPScan. For Linux servers, we configure unattended-upgrades for security updates.
Access control and network segmentation
An employee doesn't need administrative access to the server. A cashier shouldn't be able to write to the pricing database. Use the principle of least privilege. Segment the network: the checkout PC shouldn't see the accounting server. If ransomware infects one PC, it won't spread. On Windows systems, set standard user accounts (not admin) for daily tasks and use an admin account only for installations.
Anti-phishing training: the human filter
90% of ransomware attacks start with a click on an email. We run 30-minute sessions with clients: we show a real phishing email and a legitimate one, explain how to check the URL (hover over the link before clicking), how to verify the sender domain, and what to do if suspicious. No expensive courses needed: just simple rules and a Slack or WhatsApp channel to report suspicious emails.
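The two checks taught in that session, written out as an added example that is not part of the article: parse a message and flag a Reply-To that points away from the sender's domain, and link text that shows one web address while the real href goes to a different domain. The message is constructed, and the "owner domain" heuristic is deliberately simple.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message (not a real email): the visible link shows the bank's
# site, but Reply-To and the real link target point somewhere else.
SAMPLE_EMAIL = """\
From: "Banca Esempio Support" <alerts@banca-esempio-secure.example>
Reply-To: help@mail-login-check.example
Subject: Your account is locked
Content-Type: text/html; charset=utf-8

<html><body><p>Confirm your login at
<a href="http://banca-esempio.example.login-check.example/x">https://www.banca-esempio.example/login</a>
or <a href="https://www.banca-esempio.example/help">our help page</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the link does vs. what the reader sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude owner-domain view (www.banca.example -> banca.example); co.uk-style suffixes ignored."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_signals(raw_message):
    """Return (signal, detail) pairs: Reply-To away from the sender's domain, and link text
    that displays one URL while the href points at another domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0].domain
    signals = []
    reply_to = msg["Reply-To"]
    if reply_to and registrable(reply_to.addresses[0].domain) != registrable(sender):
        signals.append(("reply_to_differs", reply_to.addresses[0].domain))
    collector = LinkCollector()
    collector.feed(msg.get_body(("html",)).get_content())
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        target = urlparse(href).hostname or ""
        if shown and registrable(shown) != registrable(target):
            signals.append(("link_text_mismatch", f"{shown} -> {target}"))
    return signals
```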
What to do if you are hit by ransomware
The red screen has appeared. Has everything already gone wrong? No, but now you need to act methodically. Panic is the worst enemy.
Stop everything: isolate the infected system
Physically unplug the network cable from the infected computer. If it's a server, shut it down, but first consider whether you need to preserve volatile memory (RAM) for forensics, because powering off destroys it. The priority is to prevent spread to other devices. Don't try to remove the malware and don't reboot on a whim: you might make things worse.
Don't pay the ransom
We say it clearly: paying does not guarantee getting your data back. According to FBI and Cybersecurity Ventures reports, about 30-40% of those who pay recover nothing, and those who do often receive corrupted files. Moreover, paying funds criminals and puts you on a list of "available targets." We had a client who paid €3,000 — after payment, the ransom increased to €10,000, threatening to publish stolen data. Don't pay.
Check your offline backups
If you followed the 3-2-1 rule above, you have an offline copy. Connect the external disk only to a clean machine that has been disconnected from the network, never to the infected PC, then extract the data and restore it on that clean system. If you don't have offline backups, don't attempt to restore from online backups: if the ransomware encrypted those too, you might render even the last copy unreadable. In this case, contact a professional data recovery specialist (but costs can be high and chances low).
Report the attack to authorities
In many countries, national cybercrime units accept reports. Report the incident and provide the ransom note and, if possible, the hashes of the malicious files. It helps track the criminals and prevent further attacks.
Restore the system from scratch
Never trust the infected system, even if you manage to remove the ransomware. Reinstall the operating system from a clean source, restore data from offline backups, change all passwords (admin, email, databases, social, etc.). We recommend generating strong passwords with a manager like Bitwarden and enabling two-factor authentication (2FA) on all services.
What to do now
Don't wait for an attack to put these instructions into practice. Take 30 minutes this afternoon:
- Check if you have an offline backup. If not, buy an external hard drive and configure an automatic weekly backup.
- Verify updates. Log into your WordPress site or management software and update everything. Enable automatic security updates.
- Disable public RDP. If you don't need remote access, turn it off. If you need it, use a VPN.
- Take an inventory of accounts. Delete unused accounts, strengthen passwords, enable 2FA.
- Schedule an anti-phishing training session for yourself and your team. Just 20 minutes.
Cybersecurity is not a cost — it's an investment that prevents loss of workdays, clients, and reputation. As we always say: a website is measured in revenue, not compliments. A ransomware attack wipes out revenue in hours.
Want to go deeper into your business's security strategy? Read our pillar guide on cybersecurity for users and businesses, of which this article is a part. And if you need a concrete check of your digital environment, contact us: we'll conduct a no-obligation security audit using the same tools we use for our clients.
Useful resources:
- CISA StopRansomware — official guides
- NoMoreRansom — free decryption tools for some ransomware variants