27 May
How to Protect Against Small Business Ransomware Attacks
Small businesses are the most common ransomware target by volume of incidents, even though many small business owners assume hackers focus on larger organisations. A 22-person company has enough revenue to be worth attacking, no dedicated security team to defend it, and a publicly traceable footprint that takes about an hour to research. What follows is a step-by-step walkthrough of how a small business gets attacked, written from the attacker’s side. The company in this account is composite, but the methods are accurate to current threat intelligence reporting. After the walkthrough, you’ll see five specific points where the attack would have been stopped by controls that come bundled with security tools most small businesses already pay for.
How Small Business Ransomware Attacks Work
Monday – How I picked you
I focus on small-to-mid-sized businesses, typically 10–50 staff, because they offer the best balance of valuable data and limited security resources. Larger companies are harder and more expensive to attack, while very small ones aren’t worth the time. I found your business through public records—registries, contract databases, and licensing data—which gave me your company details, recent work, and key contacts. The biggest signal for me was that nothing had gone wrong yet: no incident means nobody had been forced to change a password, and nobody on staff had been taught caution by a bad experience.
Tuesday – Building your org chart for free
In under an hour using only public sources, I mapped out your organisation. LinkedIn showed key staff and roles, including your office manager handling payroll and payments. Social media and filings confirmed identities and tenure. I identified who manages finances, what tools you likely use, and who can approve payments. That person—your office manager—became the primary target, as they have access, authority, and a busy workload that makes unusual emails less likely to be scrutinised.
Wednesday – Buying your credentials for $14
I searched stolen credential databases and found login data linked to your company domain. For $14, I purchased a package containing your office manager’s email and password, along with a related personal account. The password had appeared in an old breach, and because it was reused across accounts it was probably still valid. Simple variations of it also worked on several other accounts, including Microsoft 365, leaving only multi-factor authentication (MFA) as a barrier.
Thursday – Getting past MFA
Push bombing no longer works against Microsoft Authenticator, so I used adversary-in-the-middle phishing instead. I sent a convincing Microsoft 365 password reset email that led to a proxy site: it looked like the real sign-in page and relayed everything your office manager typed to the genuine one. When she entered her password and approved the MFA prompt, the real service issued a session cookie to my proxy, and I had a signed-in session with no failed login and no second MFA prompt to raise suspicion. As a backup, I also attempted a social engineering call posing as IT support. By the end of the day, I had full inbox access and had created an inbox rule that quietly forwarded her mail to an address I control.
Friday – Executing the attack
I spent 36 hours reading emails to understand your finances, insurance, and operational pressures. That let me set a realistic ransom of $65,000—low enough that you could pay, high enough to be worth my time. I launched the attack late Friday afternoon, when key staff were leaving and any response would be slow. By the time anyone noticed, systems were encrypted and the business was under pressure to pay. Total cost to me: $14 and a week of part-time effort.
Five places this attack would have died
The attack on your business worked because five ordinary things were not in place. None of them are expensive, and most are bundled into security tools you already pay for.
1. The credential purchase on Wednesday.
HaveIBeenPwned is free, and its domain search shows which addresses on your domain appear in known breaches, which is the same data I searched. Microsoft Entra password protection blocks weak and commonly compromised passwords (Microsoft’s global banned list plus a custom list you can seed with your company and product names) whenever a password is set or changed; it does not know whether a user has reused that password on a personal site, so it cannot catch reuse on its own. Unique passwords per account, enforced in practice through a password manager, are what make a $14 credential purchase useless to me, and a forced reset for any account that shows up in a breach closes the window that was open here.
2. The MFA bypass on Thursday night.
Microsoft already blocks the simpler push-bombing attack: number matching has been enforced for all Microsoft Authenticator push notifications since May 2023, so a user cannot approve a prompt they did not start with a single tap. The bypass that actually works today is adversary-in-the-middle phishing, and the defences against it are different in kind. Phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business) binds the credential to the real sign-in origin, so a proxy page receives nothing it can replay. A Conditional Access policy that requires a compliant or Entra hybrid joined device, or that requires the built-in “Phishing-resistant MFA” authentication strength, means the real service will not issue a session to my proxy at all. Anti-phishing protection and Safe Links in Microsoft Defender for Office 365 give a good chance that the link is blocked before it is clicked. Any one of these would have stopped the session token from being captured in the first place.
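As an added example (not from the article), here is how the phishing-resistant MFA requirement is expressed as a Conditional Access policy with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the caller has Conditional Access administrator rights, and two hypothetical security groups exist: one holding the finance, admin and executive accounts the policy targets, and one holding emergency-access accounts that must stay excluded.

```powershell
# Added example, not the article's own code. Creates a Conditional Access policy
# that requires the built-in "Phishing-resistant MFA" authentication strength
# for a group of high-value users. Group names below are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

$targetGroup = Get-MgGroup -Filter "displayName eq 'CA-PhishingResistant-Users'"
$breakGlass  = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"
if (-not $targetGroup -or -not $breakGlass) {
    throw "Create both groups (and put your emergency-access accounts in CA-BreakGlass) before running this."
}

# Built-in authentication strength IDs are the same in every tenant;
# ...0004 is "Phishing-resistant MFA" (FIDO2, passkeys, Windows Hello for Business, certificate-based).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName   = "Require phishing-resistant MFA - finance, admins, execs"
    # Start in report-only so the sign-in log shows who would be blocked before anything is enforced.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($targetGroup.Id)
            excludeGroups = @($breakGlass.Id)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After a week of clean report-only results, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Report-only mode is the important design choice: users in the target group who have not yet registered a passkey or FIDO2 key show up in the sign-in log as "would have been blocked", which gives you the registration list before anyone is locked out.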
3. The inbox forwarding rule.
Microsoft 365 lets admins turn off automatic forwarding to external addresses for the whole tenant (the AutoForwardingMode setting in the outbound spam filter policy). With that in place I could still have created the rule, but every message it tried to forward would have bounced, so the 36 hours of reading your mail through it would not have happened. Two caveats: the setting only covers external recipients, so a rule forwarding to another mailbox inside your tenant still works, and the rule creation itself is still worth alerting on. I might have encrypted anyway, but I would have been guessing on the ransom size.
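The tenant-wide block, together with a sweep for forwarding that already exists, in Exchange Online PowerShell. This is an added example rather than the article’s own material; it assumes the ExchangeOnlineManagement module is installed, the caller has Exchange administrator rights, and the output file name is arbitrary.

```powershell
# Added example, not the article's own code. Turns off automatic external
# forwarding tenant-wide, then lists every mailbox-level forward and every inbox
# rule that forwards or redirects, so rules an attacker already planted are found
# rather than silently kept.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide block. The outbound spam filter policy governs automatic
#    forwarding (inbox rules, SMTP forwarding, Outlook's forwarding setting)
#    to external recipients. Set it to Off explicitly rather than leaving "Automatic".
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 2. Mailbox-level forwarding, set by an admin or through Outlook on the web.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect. Attackers also hide rules with names
#    like "." and delete or file the originals, so report those properties too.
#    Get-InboxRule is slow across many mailboxes; run this off-hours on a large tenant.
$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $_.Name
                Enabled     = $_.Enabled
                Targets     = ($targets -join ';')
                DeletesMail = $_.DeleteMessage
                MoveTo      = $_.MoveToFolder
            }
        }
}
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-rules.csv -NoTypeInformation   # file name is arbitrary
```

Step 1 stops the bleeding; steps 2 and 3 are the part most people skip. A forwarding block does nothing about a rule that was created before the block and forwards internally, and it does not tell you which mailbox was compromised, which is what the rule inventory does.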
4. The 36-hour dwell time.
The Microsoft Defender portal’s default alert policies, included with Microsoft 365 Business Premium, raise a “Creation of forwarding/redirect rule” alert when a new inbox rule forwards or redirects mail. If anyone had been watching those alerts, or if they had been routed somewhere visible (a mailbox someone reads, a Teams channel, your IT provider’s ticket queue), I would have been detected on Thursday night. The most impactful change for a business your size is rarely a new product purchase. The improvement comes from someone reviewing the security alerts that the tools you already pay for are already generating.
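Alert review is easier when the underlying audit records are triaged first. The following is an added example, not the article’s, of a triage function for forwarding changes in the Microsoft 365 unified audit log. The three audit records are constructed to show the shape the function expects; the domain names, addresses and IPs are placeholders, and the list of internal domains is an assumption you would replace with your accepted domains.

```powershell
# Added example, not the article's own code. Triage logic for forwarding changes
# in the unified audit log. Live records come from Search-UnifiedAuditLog
# (commented out below); the sample records here are constructed so the function
# runs offline. Domains, addresses and IPs are placeholders.
$internalDomains = @('example.com')   # assumption: replace with your accepted domains

function Find-ForwardingChanges {
    param(
        [Parameter(Mandatory)] [object[]] $Records,       # objects carrying an AuditData JSON string
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    $watch = 'ForwardTo','ForwardAsAttachmentTo','RedirectTo','ForwardingSmtpAddress','ForwardingAddress'
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -notin 'New-InboxRule','Set-InboxRule','Set-Mailbox') { continue }
        $hits = @($d.Parameters | Where-Object { $_.Name -in $watch })
        if ($hits.Count -eq 0) { continue }

        # Pull every address out of the forwarding parameters; "smtp:" prefixes are stripped.
        $targets = $hits.Value -split '[;,\s]+' |
                   Where-Object { $_ -match '@' } |
                   ForEach-Object { $_ -replace '^smtp:', '' }
        $external = @($targets | Where-Object { ($_ -split '@')[1] -notin $InternalDomains })
        $name     = ($d.Parameters | Where-Object Name -eq 'Name').Value
        $deletes  = ($d.Parameters | Where-Object Name -eq 'DeleteMessage').Value -eq 'True'

        # External target = attacker reading mail off-tenant. Deleting the original,
        # or a rule named "." or blank, is the classic concealment pattern.
        $severity = if ($external) { 'High' }
                    elseif ($deletes -or ($name -and $name -match '^[.\s]*$')) { 'Medium' }
                    else { 'Low' }
        [pscustomobject]@{
            Time        = $d.CreationTime
            User        = $d.UserId
            ClientIP    = $d.ClientIP
            Operation   = $d.Operation
            RuleName    = $name
            Targets     = ($targets -join ';')
            External    = [bool]$external
            DeletesMail = $deletes
            Severity    = $severity
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns (AuditData is a JSON string).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-21T19:42:11","Operation":"New-InboxRule","UserId":"office.manager@example.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@example.net"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-22T08:03:57","Operation":"New-InboxRule","UserId":"staff@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Invoices to Finance"},{"Name":"ForwardTo","Value":"finance@example.com"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-22T09:15:02","Operation":"Set-Mailbox","UserId":"admin@example.com","ClientIP":"198.51.100.9","Parameters":[{"Name":"Identity","Value":"sales@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:sales@partner.example.org"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}' }
)

# Live use (after Connect-ExchangeOnline), last seven days:
# $sample = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000

Find-ForwardingChanges -Records $sample -InternalDomains $internalDomains |
    Sort-Object { @{High=0; Medium=1; Low=2}[$_.Severity] } |
    Format-Table -AutoSize
```

On the constructed input the first record (external target, rule named “.”, originals deleted) and the third (admin-set external forward) come out High, while the internal finance forward comes out Low. That split is the point: a business with no security team can afford to look at a handful of High rows a week, and cannot afford a feed where every rule change looks the same.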
5. The public business records.
You cannot unpublish a state contracting registry or a federal contract award. That data will stay public. What you can control is what your team chooses to post about their specific responsibilities. Your office manager’s LinkedIn profile listed her financial responsibilities in enough detail to make her the obvious target. That detail is worth a conversation with your team, framed as practical security awareness rather than a rule about what people can post.
Three questions to send your IT provider
These three questions cover the points where the example attack would have failed. Each one corresponds to a control that comes bundled with security tools you most likely already pay for.
- Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins?
- Is external email forwarding blocked at the tenant level?
- Are our security alerts going somewhere, and is someone reviewing them?
The three questions above are a good starting point. Your IT provider should be able to confirm what is in place and what is not within an hour or two. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.
Robert Brown
27/5/2026
Related Articles:
5-Minute Browser Extension Security Check
LinkedIn Recruitment Scams