Backups, ransomware and business continuity

60% of SMBs hit by a serious ransomware attack close within 6 months. It's not because of the ransom itself — it's because they lose the data, lose client trust, and downtime ruins them. The difference between those who recover and those who don't is something as boring as "they had backups and had tested them".

An SMB called me on a Monday morning because "files won't open". When I got there, every file on the server had a .lockbit extension. The attacker's email asked for US$ 25,000 in Bitcoin. They had an external disk plugged into the server where "backups were being made". It was encrypted too. That's mistake #1.

This article is about not reaching that Monday morning — and, if you do, about getting out without paying the ransom.

Why nobody's off the radar today

Ten years ago ransomware targeted large enterprises. Today it goes after everyone, because attackers operate at scale: botnets scanning entire IP ranges for open ports (3389 RDP, 22 SSH, 445 SMB), ransomware-as-a-service kits any criminal can rent, and phishing aimed at SMB employees who rarely receive training.

The average SMB has: a weak admin password on the server, RDP exposed to the internet without VPN, Windows Server two years out of date, free antivirus, and "backups" that are a folder synced to the same server. That's exactly the profile mass attacks hunt.

The 5 layers you must have

1. Patches up to date

The critical vulnerabilities exploited in mass attacks usually have patches available months before the attack. EternalBlue (WannaCry) had a patch 2 months prior; Log4Shell, ProxyLogon, PrintNightmare, MOVEit were all the same story. A company that patches on the second Tuesday of each month avoids 80% of the risk from mass automated attacks.

Minimum:

  • Windows Update on workstations and servers, scheduled, not optional.
  • Router / firewall firmware reviewed quarterly.
  • Critical apps with an update plan (don't wait for it to break).
  • Subscribe to CISA or NIST alerts for critical CVE notifications.

2. Backups following the 3-2-1 rule

The industry standard says three numbers: 3 copies of data, on 2 different media, with 1 copy offsite. A modern variant adds 1 immutable copy ransomware can't encrypt even if it takes the server.

Layer               | What it is                                    | Practical example
--------------------|-----------------------------------------------|-----------------------------------------------------------
Copy 1 (production) | Live data on the server                       | File server, DB
Copy 2 (local)      | Backup on another device in the same building | Dedicated NAS, not SMB-shared
Copy 3 (offsite)    | Copy in another physical location             | Backblaze B2, AWS S3, another office, vaulted external drive
Immutable copy      | Cannot be modified/deleted for X days         | S3 Object Lock, Wasabi Immutable, Veeam Hardened Repo

Warning

The external drive permanently connected to the server is NOT a backup — it's just another drive the ransomware will encrypt along with the original. A folder synced to OneDrive/Google Drive in real time isn't either — the encrypted version syncs immediately. The only thing that counts is a copy the attacker can't reach from the compromised server.

3. Tested backups, not just configured

A backup you never restored isn't a backup, it's a file. Half the SMBs hit by ransomware who "had backup" discover it was misconfigured, corrupt, incomplete or that restoration takes 9 days — time they don't have.

At least quarterly: restore a complete server or DB to a test machine, verify it opens, verify data integrity, and time how long it took. Document the result. If the RTO target isn't met, the infrastructure must improve now, not after the real incident.
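As an added example (not the author's tooling or any vendor's product), this Python script runs the drill described above against a constructed sample backup: it restores a tar archive into a scratch directory, checks every file against the SHA-256 manifest stored with the backup, times the restore and records whether the declared RTO was met. The file names, the manifest format and the 4-hour RTO used below are assumptions.

```python
import hashlib, io, json, tarfile, tempfile, time
from pathlib import Path

SAMPLE_FILES = {  # constructed stand-in for a file server's data (hypothetical names)
    "clients/contracts.docx": b"contract text v3",
    "erp/ledger.db": b"\x00\x01ledger-rows",
    "shared/price-list.xlsx": b"prices 2024",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(files: dict, omit: set = frozenset()) -> bytes:
    """Tar the files plus MANIFEST.json (path -> SHA-256 taken at backup time).
    Names in `omit` stay in the manifest but are left out of the archive, which
    is what an interrupted or misconfigured backup job produces."""
    manifest = {name: sha256(data) for name, data in files.items()}
    entries = [(n, d) for n, d in files.items() if n not in omit]
    entries.append(("MANIFEST.json", json.dumps(manifest).encode()))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def restore_drill(archive: bytes, rto_seconds: float) -> dict:
    """Restore to a scratch dir, verify every manifest entry, time it, return the drill record."""
    start, problems = time.perf_counter(), []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for m in tar.getmembers():
                if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                    continue  # never write outside the scratch dir; a real tool would log this
                dest = Path(scratch, m.name)
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(m).read())
        manifest = json.loads(Path(scratch, "MANIFEST.json").read_text())
        for name, expected in manifest.items():  # incomplete or corrupt copies show up here
            path = Path(scratch, name)
            if not path.exists():
                problems.append((name, "missing from backup"))
            elif sha256(path.read_bytes()) != expected:
                problems.append((name, "hash mismatch"))
    elapsed = time.perf_counter() - start
    return {"files_checked": len(manifest), "problems": problems, "integrity_ok": not problems,
            "restore_seconds": round(elapsed, 3), "rto_seconds": rto_seconds, "rto_met": elapsed <= rto_seconds}
```

Run `restore_drill(make_backup(SAMPLE_FILES), rto_seconds=4 * 3600)` for a clean drill, and pass `omit={"erp/ledger.db"}` to `make_backup` to see how an incomplete backup is reported; the returned dict is the record to keep in the drill log.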

4. RTO and RPO: the two numbers your business must define

RTO (Recovery Time Objective): how long you can be down before suffering irreversible damage. An hour? A day? A week? Depends on the business.

RPO (Recovery Point Objective): how much data you can lose. The last hour of operation? Yesterday? Last week? Also depends.

These two numbers drive the entire architecture. A 5-minute RPO demands continuous replication; a 24-hour RPO is covered by a nightly backup. A 1-hour RTO requires redundant hardware ready to spin up; a 1-week RTO can wait for parts.

Company type               | Typical RTO | Typical RPO
---------------------------|-------------|------------
Active e-commerce          | < 1 hour    | < 15 min
Professional services firm | 4–8 hours   | 4–8 hours
Construction / industrial  | 1 day       | 1 day
Small retail               | 1–2 days    | 1 day

5. Business continuity plan (BCP) and disaster recovery plan (DRP)

The BCP is: "if this happens, my business keeps running like so". The DRP is: "if the infrastructure goes down, this is how we bring it back". Both are living documents tested annually.

Minimum content:

  • Inventory of critical systems with declared RTO/RPO.
  • Up-to-date network diagram.
  • Vendor list with direct contacts (ISP, hosting, line-of-business software).
  • People to contact by scenario (client, lawyer, tech, manager).
  • Step-by-step procedures to restore each critical system.
  • Communication plan: what to tell clients, when.
  • Physical location of credentials and offsite backups.

What to do in the first 60 minutes of an attack

  1. Isolate. Disconnect compromised machines from the network. Unplug Ethernet, turn off WiFi. Do NOT power down (it may erase RAM evidence useful for forensics).
  2. Identify scope. Just one machine or several? Did it reach the server? The backups?
  3. Don't pay the ransom immediately. Paying doesn't guarantee recovery (half of those who pay don't recover everything); it also funds more attacks.
  4. Notify. IT team, management. In Colombia, CSIRT-Gob and CAI Virtual at the police. If personal data is involved, the Superintendencia de Industria y Comercio (Law 1581/2012) requires reporting.
  5. Restore from clean backup. Rebuild systems on new or clean infrastructure. Never restore over a server that may carry persistence.
  6. Forensics. Identify entry vector (phishing? exposed RDP? leaked credential?) and close the door before operating again.

Tools I recommend for SMBs

  • Veeam Backup & Replication — industry standard for Windows/VMware. Supports immutable repository, M365 and Endpoint backups.
  • Synology Active Backup for Business — if you already have a Synology, it's free and very complete (workstations, physical servers, VMs, M365).
  • Macrium Reflect / Acronis Cyber Protect — for individual workstations and small servers.
  • Backblaze B2 / Wasabi — offsite storage with immutability support at reasonable prices (US$ 5–6/TB/month).
  • Bitwarden / 1Password — credential management is mandatory. Enough with passwords in spreadsheets or post-its.
  • Microsoft Defender for Business or Bitdefender GravityZone — proper EDR antivirus, not free versions.

The real cost of not doing this

Incident                       | Typical cost for a Colombian SMB
-------------------------------|---------------------------------------------
Technical restoration          | $ 5–20 million COP
Days of downtime               | $ 2–10 million COP/day
Unrecoverable data loss        | Variable (can be fatal)
SIC sanction for personal data | Up to 2,000 monthly minimum wages
Reputation damage              | Hard to quantify; some clients don't return

A properly implemented 3-2-1 strategy for a 20–50 employee SMB costs between $ 1–4 million COP upfront and $ 200,000–600,000 COP monthly. The math is self-evident.

What I ALWAYS ask a new client

  • When was your last backup?
  • When did you last restore from backup to verify it works?
  • Is the backup connected to the server 24/7?
  • How long can your business be down?
  • How many days of data can you afford to lose?
  • Are patches up to date?
  • Is RDP exposed to the internet?
  • Are passwords in a manager or in an Excel sheet?

If the answer to 3+ of these makes you uncomfortable, you already know where to start.

Want an assessment of your situation?

I run continuity and recovery audits for Colombian SMBs — no commitment, with a written report on what you have right, what's missing and what to prioritize. Reach me and we'll book the review.