Skip to main content
All Resources
BlogMay 6, 2026

Ransomware Hits a Business Like Yours: The Anatomy — and the 3 Things That Stop It

By Northeast Managed IT Team

Ransomware feels like a bolt of lightning — sudden, random, unlucky. It almost never is. These attacks follow a predictable script, and understanding that script is the single best way to see where it can be stopped. One thing up front, because it matters: what follows isn’t a specific customer’s story. It’s the common pattern security teams see over and over, assembled into one plain-English walkthrough so you can recognize the stages — and know which defense breaks each one.

It usually starts with a person, not a hacked firewall. The most common way in is a convincing email: a fake invoice, a shared-document lure, a “your password is expiring, log in here” page that looks exactly like Microsoft 365. Someone busy clicks, enters their credentials on a fake page, or opens an attachment that quietly runs code. That’s the foothold — and it’s why the first stage of most ransomware incidents is really a phishing problem, not a technology one.

Once they have a working password or a foothold on one machine, attackers often don’t strike right away. They log in and look around. If that account isn’t protected by multi-factor authentication, a stolen password is simply a working key — nothing stops them from using it. They may sit quietly for days or even weeks, reading email, learning how your business runs, and figuring out where the valuable data lives. The quiet is deliberate; the longer they go unnoticed, the more damage they can set up.

From that first account or device, they move sideways — what security people call lateral movement. They hunt for more credentials, especially administrator accounts, and for the servers where your important files live. A “flat” network, where everything can talk to everything else with no segmentation, makes this easy: one compromised laptop becomes a path to the whole environment. This is the stage where a manageable problem quietly becomes a business-wide one, usually with no visible symptoms at all.

Here’s the step most people don’t know about, and it’s the cruelest one: before they encrypt anything, sophisticated attackers find and destroy your backups. They know your recovery plan is “restore from backup,” so they delete or encrypt those backups first — especially any that are connected to the same network using the same credentials. This is exactly why “we have backups” isn’t the same as being safe. A backup the attacker can reach is a backup the attacker can take away.

Only then do they pull the trigger. Encryption often fires after hours or over a weekend to do maximum damage before anyone notices. You arrive to locked files, a ransom note, and a deadline — increasingly paired with a second threat: “pay us or we leak the data we already copied,” a tactic known as double extortion. By this point you’re not fixing a computer problem; you’re negotiating with someone who has spent weeks getting into position. The leverage they have is precisely the leverage you failed to take away earlier in the chain.

Now the useful part, because the whole point of understanding the anatomy is knowing where to break it. Three defenses, each aimed at a different stage. First: MFA plus email security. This attacks the beginning — it makes phishing far less likely to land and renders a stolen password nearly useless, because the password alone no longer opens the door. Second: monitoring and endpoint detection. This attacks the quiet middle — the logging in, the looking around, the lateral movement — so the intrusion gets caught while it’s still an incident, not after everything is encrypted. Third: tested, isolated backups. This attacks the leverage — backups kept offline or otherwise out of the attacker’s reach, and actually test-restored, so that even in the worst case you can rebuild and say “no thanks” to the ransom.

No single product makes you “ransomware-proof,” and any vendor who tells you otherwise is overselling. But notice what the anatomy reveals: the attack is a chain, and a chain only has to break in one place to fail. The honest goal for a small business isn’t perfection — it’s being a harder target than the script expects, and making sure that if something does slip through, it’s an incident you recover from rather than a catastrophe you pay for. Every one of those three defenses is standard in a well-run managed IT environment, working quietly at a different link in the chain.

Have questions about your IT?

We’re happy to talk — no strings attached. Book a call and let’s see how we can help.