Ransomware has become the most financially damaging cyber threat facing Australian small businesses. The Australian Cyber Security Centre received over 94,000 cybercrime reports in the 2022–23 financial year; ransomware accounted for a disproportionate share of the highest-cost incidents, with the average loss for an SMB exceeding $46,000.
Despite this, many business owners still have only a vague sense of what ransomware actually is and how it works. This guide explains it plainly and, more importantly, tells you what specifically stops it.
What Is Ransomware?
Ransomware is malicious software (malware) that encrypts the files on your computer and network, making them completely inaccessible. Once encryption is complete, you receive a ransom demand, typically in cryptocurrency, with a promise that the attacker will provide a decryption key if you pay.
In reality:
- Paying the ransom does not guarantee you get a working decryption key
- Even with a key, restoring an encrypted environment takes days to weeks
- Attackers often exfiltrate data before encrypting it, creating a second extortion threat ("pay or we publish your data")
- Businesses that pay once are often targeted again, as they're now known to pay
The FBI and Australian Cyber Security Centre both advise against paying ransoms.
How Does Ransomware Get Into a Business?
Ransomware doesn't appear from nowhere. It gets in through specific, well-documented attack vectors, most of which are preventable.
1. Phishing emails
The most common entry point. An employee receives an email that looks legitimate (an invoice, a delivery notification, a message from a senior colleague) and either clicks a malicious link or opens an attachment that executes the ransomware. Modern phishing attacks are sophisticated: they spoof known senders, reference real business details, and bypass basic spam filters.
2. Compromised credentials
If an attacker obtains a valid username and password (through a data breach, a previous phishing attack, or credential-stuffing against a reused password) they can log directly into your systems without triggering any alarm. They then deploy ransomware manually, often during business hours when it will cause maximum disruption.
3. Unpatched software vulnerabilities
Many ransomware attacks exploit known vulnerabilities in operating systems, remote access software (particularly RDP), or business applications. These vulnerabilities are often patched by vendors, but businesses that don't apply updates promptly remain exposed long after a fix is available.
4. Remote Desktop Protocol (RDP) exposure
RDP is a Microsoft protocol that allows remote access to Windows computers. Many businesses expose RDP directly to the internet for remote work purposes. Attackers scan the internet constantly for exposed RDP ports and attempt to brute-force credentials. An exposed RDP endpoint without MFA is one of the highest-risk configurations an SMB can have.
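As an added illustration (not code from the original article), the following PowerShell audits a Windows host for the settings that turn RDP into the exposure described above: whether RDP is enabled, whether Network Level Authentication is required, and whether the inbound firewall rules accept connections from any address. It assumes an elevated session on the host being checked and only reads settings; it changes nothing.

```powershell
# Added example: read-only audit of a Windows host's RDP posture.
# Assumes an elevated PowerShell session on the machine being checked.
function Get-RdpExposureFindings {
    $findings = @()

    # 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
    if (-not $rdpEnabled) {
        return @('RDP is disabled on this host; no RDP exposure.')
    }

    # 2. Is Network Level Authentication required? Without NLA the logon screen is
    #    reachable before any credential is checked, which makes brute-forcing cheaper.
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += 'RDP does not require Network Level Authentication (UserAuthentication is not 1).'
    }

    # 3. Do the enabled inbound Remote Desktop firewall rules accept any remote address?
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address; scope it to the VPN or management range."
        }
    }

    if ($findings.Count -eq 0) {
        $findings += 'RDP is enabled, NLA is required and inbound rules are scoped. MFA on the remote-access path must still be confirmed separately.'
    }
    return $findings
}

Get-RdpExposureFindings | ForEach-Object { Write-Output $_ }
```

The host-side checks cannot tell you whether the perimeter router forwards TCP 3389 from the internet, so pair this with a check of the firewall or router configuration.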
5. Malicious websites and drive-by downloads
Visiting a compromised or malicious website can trigger an automatic download of malware without any user action beyond the page loading. This is less common than phishing but still a meaningful vector, particularly on unprotected endpoints without DNS filtering.
Reality check: Most ransomware incidents are not sophisticated, targeted attacks against a specific business. They are opportunistic: automated tools scanning for known weaknesses and exploiting whichever businesses haven't patched them. This is actually good news: the defences that stop opportunistic attacks are well understood and implementable by any SMB.
The Real Cost of a Ransomware Attack
Business owners often think of ransomware cost as the ransom itself. The actual cost is much larger:
| Cost Component | Typical Impact |
|---|---|
| Downtime (staff unable to work) | Average 9–21 days for SMBs |
| IT recovery costs | $10,000–$50,000+ for investigation and rebuild |
| Ransom payment (if paid) | $10,000–$500,000+ AUD |
| Lost revenue during downtime | Depends on business, often exceeds recovery costs |
| Reputational damage / client notification | Hard to quantify, significant for B2B businesses |
| Regulatory obligations (if data breached) | Notifiable Data Breaches scheme: legal and compliance costs |
The total cost of a ransomware incident for an Australian SMB typically runs $50,000–$200,000 when all components are included. For context, the cost of preventing it is a fraction of that.
What Actually Stops Ransomware
There is no single product that prevents ransomware. Protection comes from layering multiple controls, each of which reduces the likelihood or impact of an attack.
Multi-factor authentication (MFA) on all accounts
MFA is the single highest-impact control for most SMBs. Even if an attacker obtains a valid username and password, MFA prevents them from using those credentials to log in without the second factor. Enable MFA on email (Microsoft 365 or Google Workspace), remote access, and any cloud application with sensitive data. This alone stops the majority of credential-based ransomware attacks.
Endpoint Detection and Response (EDR)
Traditional antivirus detects known malware signatures. EDR goes further: it monitors behaviour on endpoints and can detect and contain ransomware activity in progress, even for previously unknown variants. Modern EDR solutions like Microsoft Defender for Business (included in Microsoft 365 Business Premium) provide SMB-appropriate EDR at no extra cost.
Email filtering and anti-phishing controls
A significant portion of ransomware arrives via email. Layered email security (including attachment sandboxing, URL rewriting, and impersonation protection) intercepts malicious emails before they reach your staff. No filter is 100% effective, which is why staff training is also essential.
Staff security awareness training
Your staff are the last line of defence. Regular phishing simulations and training measurably reduce click rates on malicious emails. Businesses that run quarterly simulations see 60–70% reductions in susceptibility within 12 months. This is not a box-ticking exercise; it genuinely changes behaviour.
Patch management
Apply operating system and application updates promptly. The majority of successful exploits target vulnerabilities that have already been patched; attackers rely on businesses delaying updates. A managed patching schedule that applies critical updates within 48 hours of release eliminates a large class of attacks.
Immutable offsite backups
Even with all the above controls, a determined attacker may still get through. Immutable backups, stored offsite or in the cloud with versions that cannot be deleted or encrypted, are your recovery option. If ransomware hits and you have clean, tested backups from 24 hours ago, the incident becomes a recovery exercise rather than a business catastrophe.
Want to know where your specific security gaps are? We assess cybersecurity posture for Sydney businesses at no cost.
What to Do If You're Hit by Ransomware
If you discover ransomware in progress or a ransom note on a screen:
- Isolate immediately. Disconnect affected machines from the network: pull the ethernet cable or disable Wi-Fi. Ransomware spreads laterally across networks; isolation limits the blast radius.
- Do not restart or shut down infected machines. Restarting can trigger additional encryption or destroy forensic evidence needed for investigation.
- Call your IT provider immediately. Incident response requires technical expertise. Do not attempt to recover on your own.
- Report to the ACSC. Report the incident at cyber.gov.au. If personal data was accessed, you may have obligations under the Notifiable Data Breaches scheme.
- Do not pay the ransom without advice from your IT provider and legal counsel.
The Bottom Line
Ransomware is a genuine and growing threat to Australian SMBs, but it is largely preventable with the right controls in place. MFA, EDR, email filtering, staff training, patching, and tested backups will stop the overwhelming majority of ransomware attacks.
The question is not whether your business could be targeted. It's whether it's hardened enough that attackers move on to an easier target, because they will.