Ransomware Prevention for Australian Small Businesses: How to Protect and Recover
Ransomware is not a problem reserved for large corporations. Australian small and medium-sized businesses are targeted constantly, and the consequences — days of downtime, stolen client data, regulatory obligations, and potential permanent closure — are severe. Yet the controls that prevent most ransomware attacks are achievable without an enterprise IT budget.
This guide explains what ransomware is, how it gets into business networks, what happens during an attack, and — most importantly — what you can do right now to protect your business and ensure you can recover without paying a criminal.
What Is Ransomware?
Ransomware is malicious software that encrypts the files on your systems, making them completely inaccessible. Once encryption is complete, the attackers present a ransom note — typically a text file or on-screen message — demanding payment, almost always in cryptocurrency, in exchange for the decryption key that will restore access to your data.
The encryption used in modern ransomware is genuine and robust. Without the decryption key, recovering files is effectively impossible in most cases. There is no shortcut, no tool that will simply unlock the files. This is what makes ransomware so destructive: the attacker holds the only key.
Modern ransomware attacks typically go further than simple encryption. In what is known as double extortion, attackers first exfiltrate — that is, copy out — sensitive data before they trigger the encryption. They then threaten to publish that stolen data on dark web leak sites if the ransom is not paid. This creates a second layer of pressure on businesses: even if you can restore from backup and decline to pay the ransom, the attackers can still threaten to release confidential client files, financial records, or personal information. For businesses handling sensitive data — legal files, medical records, financial information — this secondary threat can be as damaging as the encryption itself.
Understanding this is essential: ransomware is not a technical problem you can solve after the fact. It is a threat you prevent before it happens.
The Australian Ransomware Landscape
The Australian Signals Directorate (ASD), which publishes the annual ASD Cyber Threat Report, consistently identifies ransomware as one of the most impactful cyber threats to Australian businesses and critical infrastructure. The 2022–23 ASD Cyber Threat Report noted that ransomware remained a significant and ongoing threat, with healthcare, education, and professional services among the most frequently targeted sectors. Healthcare providers, legal firms, and accounting practices are attractive targets precisely because their data is sensitive — stolen patient records or confidential legal files have high leverage value for double extortion.
For Australian SMBs, the financial impact of a ransomware incident extends well beyond any ransom demand. When you factor in business downtime (commonly ranging from several days to three weeks for full recovery), the cost of specialist forensic investigation, data recovery labour, regulatory compliance obligations, and increased cyber insurance premiums, a single ransomware incident can cost a small business hundreds of thousands of dollars. For businesses without robust recovery capabilities, the costs can be existential.
The Australian Cyber Security Centre (ACSC), now operating under the ASD, consistently advises that paying the ransom is not recommended. The reasons are practical as much as principled. There is no guarantee that paying will result in decryption — some ransomware groups take payment and provide non-functional keys, or simply disappear. Paying also signals to criminal networks that your business is a viable target, potentially attracting further attacks. And in some cases, ransomware operators are entities under international sanctions, meaning payment may carry legal risk.
The uncomfortable truth for SMB owners is that most ransomware attacks succeed not because they are technically sophisticated, but because basic preventive controls were not in place.
How Ransomware Gets In — The Three Main Entry Points
Understanding how ransomware enters a network is the first step toward preventing it. The vast majority of attacks exploit one of three initial access vectors.
Phishing Emails
Phishing is the single most common way ransomware is delivered into a business. An employee receives an email that appears legitimate — a supplier invoice, a parcel delivery notification, a message from a colleague — and either opens an attachment or clicks a link. The attachment executes a malicious payload, or the link leads to a site that downloads one. The ransomware then installs itself and begins its work.
Modern phishing has become highly targeted. Spear phishing attacks are personalised to the recipient, referencing their employer, their role, or even ongoing business relationships. An accountant might receive what appears to be a client query with a spreadsheet attachment. A property manager might get what looks like a maintenance request with a PDF. These targeted attacks are far more effective than the generic phishing emails of a decade ago, and they are increasingly difficult for untrained staff to identify without good filtering in place.
Exposed Remote Access (RDP)
Remote Desktop Protocol (RDP) allows users to connect to a computer remotely as if they were sitting in front of it. It is a legitimate and widely used tool — but when it is exposed directly to the internet with weak credentials, it becomes one of the most exploited entry points for ransomware.
Automated scanning tools probe the entire internet looking for systems with RDP open on the default port. Once found, those systems are subjected to brute-force credential attacks — automated attempts to guess the username and password. Many businesses that set up remote access during the COVID-19 pandemic did so quickly and without hardening: default ports, simple passwords, no multi-factor authentication. Years later, many of those same configurations remain in place, and attackers know it.
Gaining access via RDP gives an attacker interactive control of the affected machine — they are effectively sitting at that computer. From there, lateral movement to the rest of the network is straightforward.
Unpatched Software Vulnerabilities
Attackers routinely exploit known vulnerabilities in software that has not been updated. When a security patch is released for a VPN appliance, a firewall, a web application, or an operating system, the patch itself effectively publishes the vulnerability — and attackers immediately begin scanning for systems that have not yet applied it.
Some of the most damaging ransomware outbreaks in recent years have exploited vulnerabilities in internet-facing systems: VPN gateways, perimeter firewalls, and business applications. In these cases, the attacker did not need to trick anyone into clicking a link — they simply found an unpatched, internet-exposed system and walked in through a known hole.
This is precisely why patch management is a foundational security control, not an optional maintenance task.
What Happens During a Ransomware Attack
Most people imagine a ransomware attack as a sudden event — files are encrypted and a ransom note appears. In reality, the process unfolds over hours, days, or even weeks, and understanding the attack lifecycle helps explain why certain defensive controls are so important.
Initial access. The attacker gains entry to the network through one of the vectors described above — a phishing email, an exposed RDP server, or an unpatched vulnerability.
Establish persistence. Once inside, the attacker installs tools that allow them to maintain access even if the initial entry point is closed. They may create new user accounts, install remote access software, or plant backdoors that survive a reboot.
Lateral movement. The attacker explores the network, moving from the initially compromised machine to others. They are looking for domain administrator credentials, file servers, backup systems, and anything else that will maximise the impact of the eventual attack. This phase can last days to weeks.
Data exfiltration. Before encrypting anything, the attacker copies out sensitive files to infrastructure they control. This is the double extortion setup — stolen data becomes a second lever if the victim restores from backup and refuses to pay.
Deploy encryption. Once the attacker has mapped the environment and ensured maximum reach — including, critically, attempting to access and corrupt or delete backup systems — the ransomware payload is deployed across the network simultaneously. Encryption of files begins and completes rapidly.
Ransom note. The victim discovers encrypted files and a ransom note demanding payment for the decryption key.
The key insight from this lifecycle is the dwell period — the time between initial access and encryption deployment. Attackers spend this time ensuring they have reached your backups. If your backups are on a network share accessible from the production server, they will be encrypted too. If your backups are stored in cloud storage that is directly mounted or accessible from the compromised server, they may be deleted or encrypted. This is why the architecture of your backup environment is as important as the backups themselves.
The Business Impact of Ransomware
Beyond the ransom demand — which for SMBs can range from tens of thousands to hundreds of thousands of dollars — the real cost of a ransomware attack is the total business impact.
Downtime is typically the largest cost. Restoring systems from backup is not instantaneous; it involves identifying clean restore points, rebuilding infrastructure, reinstalling software, and verifying data integrity. For businesses without tested recovery procedures, full restoration can take three weeks or longer. During that time, the business may be entirely unable to operate.
Forensic investigation is essential but expensive. Before restoring systems, you need to understand how the attacker got in and ensure they do not have persistent access. Engaging a specialist incident response firm to conduct a forensic investigation adds significant cost but is necessary to prevent a repeat attack.
Data recovery labour — the time spent by staff and IT professionals manually reconstructing records, re-entering data, and verifying what was and was not recovered — is often underestimated.
Regulatory obligations apply if personal information was exfiltrated. Under Australia's Notifiable Data Breaches (NDB) scheme, businesses covered by the Privacy Act 1988 that suffer an eligible data breach are required to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware of the breach. Failure to do so can result in regulatory penalties. See our guide to notifiable data breaches for a detailed walkthrough of the NDB scheme obligations.
Reputational damage — particularly for professional services firms — can result in the loss of clients who no longer trust that their sensitive information is safe.
Cyber insurance premium increases following a claim are significant and sustained. Many businesses that survive a ransomware attack find their insurance premiums double or more at renewal.
For a small business, the combination of these impacts is frequently devastating. Industry data consistently shows that a material proportion of SMBs that suffer a serious ransomware attack do not survive as a going concern.
How to Prevent Ransomware — The Essential Controls
Preventing ransomware does not require a large IT security budget. It requires implementing a set of well-understood controls consistently. The following are the most important.
Maintain Tested, Offline or Immutable Backups
If there is one control that separates businesses that recover from ransomware from those that do not, it is having tested, offline or immutable backups that the attacker cannot reach.
The widely recommended 3-2-1 backup rule provides a practical framework: maintain at least three copies of your data, on at least two different types of media, with at least one copy stored offsite. But the application of this rule to the ransomware threat requires one additional and critical consideration — your backups must not be directly accessible from your production network.
A backup drive plugged into the server will be encrypted. A backup stored on a network share that the server can write to will be encrypted. A backup in cloud storage that is mounted as a drive letter or accessible via credentials stored on the compromised system may be deleted or encrypted. The attacker, during the lateral movement phase, is actively looking for and targeting your backup infrastructure.
The solution is to ensure your cloud backup is written to a separate account — one whose credentials are not accessible from the production environment — and that immutable storage is enabled where the cloud provider supports it. Immutable backups cannot be deleted or modified for a defined retention period, even by an authenticated user. This is an architectural decision, not just a settings toggle, and it is one of the most important things your IT provider should be implementing on your behalf.
Equally important: test your backups. Many businesses have backups that they have never verified can be restored. Discovering your backup is incomplete or corrupted at the moment of a ransomware incident is a catastrophic outcome.
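The two checks this section asks for, as an added example rather than Pickle's own tooling: a 3-2-1 policy check that also applies the ransomware caveat (at least one copy must be unreachable from production or under an unexpired retention lock), and a restore test that verifies a restored tree against a SHA-256 manifest taken at backup time. The backup-copy records and the directory contents are constructed for the example.

```python
"""Backup hygiene checks: the 3-2-1 rule with the ransomware caveat, and a
restore test against a SHA-256 manifest.

Added example, not Pickle's code. Backup copies are modelled as plain
records; the restore test runs on a small constructed directory tree.
"""
import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    reachable_from_production: bool   # could a compromised server write to or delete it?
    immutable_until: Optional[date]   # retention-lock expiry; None means no lock


def check_3_2_1(copies, today):
    """Return policy findings; an empty list means the backup set passes.
    3-2-1: three copies, two media types, one offsite. Ransomware addition: at
    least one copy unreachable from production or under an unexpired lock."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least three")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on one media type; need at least two")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(not c.reachable_from_production
               or (c.immutable_until is not None and c.immutable_until > today)
               for c in copies):
        findings.append("every copy is reachable from production and unlocked; "
                        "an attacker in the dwell period could delete or encrypt all of them")
    return findings


def write_manifest(source_dir, manifest_path):
    """Record the SHA-256 of every file under source_dir, keyed by relative path."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, source_dir)] = hashlib.sha256(fh.read()).hexdigest()
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)


def verify_restore(restore_dir, manifest_path):
    """Compare a restored tree with the manifest taken at backup time.
    Returns (ok, problems); problems lists missing, unexpected and corrupted files."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    problems, seen = [], set()
    for root, _, files in os.walk(restore_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, restore_dir)
            seen.add(rel)
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
                continue
            with open(full, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != manifest[rel]:
                    problems.append(f"corrupted: {rel}")
    problems.extend(f"missing: {rel}" for rel in manifest if rel not in seen)
    return (not problems, sorted(problems))


def sample_copies():
    """Constructed sets: one that passes, one an attacker on the server could reach in full."""
    usb = BackupCopy("server-usb-drive", "disk", False, True, None)
    nas = BackupCopy("nas-share", "disk", False, True, None)
    cloud = BackupCopy("cloud-bucket", "object-storage", True, False, date(2030, 1, 1))
    return [usb, nas, cloud], [usb, nas]


def restore_test_demo():
    """Make a tiny source tree, take its manifest, then verify a good and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.csv"), "w") as fh:
            fh.write("date,amount\n2024-06-01,120.00\n")        # constructed content
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        manifest = os.path.join(tmp, "manifest.json")
        write_manifest(src, manifest)
        good = shutil.copytree(src, os.path.join(tmp, "restore-good"))
        bad = shutil.copytree(src, os.path.join(tmp, "restore-bad"))
        with open(os.path.join(bad, "ledger.csv"), "a") as fh:
            fh.write("garbage\n")                                 # damaged restore
        os.remove(os.path.join(bad, "notes.txt"))                 # incomplete restore
        return verify_restore(good, manifest), verify_restore(bad, manifest)
```

Run `check_3_2_1(*sample_copies()[:1], date.today())` against your own inventory of copies to see which finding applies, and schedule `verify_restore` against a scratch restore on a fixed cadence: a manifest that was written on the production side is only trustworthy if it is itself stored with the isolated copy, so that an attacker who reaches production cannot rewrite both the data and the hashes.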
Patch Everything, Consistently
Unpatched systems are an open invitation to opportunistic attackers. Operating system patches, application updates, and firmware updates for network devices must be applied promptly and consistently.
The Essential Eight framework, developed by the ACSC as baseline cybersecurity guidance for Australian businesses, specifies that internet-facing systems and services with known vulnerabilities must be patched within 48 hours at Maturity Level 2. For internal systems, patching within two weeks is expected. Many SMBs operate well outside these timeframes simply because patch management is not being actively managed.
A managed IT provider should be monitoring your environment for missing patches and applying them on an agreed schedule, with priority given to internet-facing systems.
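A fleet report that applies the two windows quoted above (48 hours for internet-facing systems, two weeks for internal ones, measured from the patch's release), as an added example that is not Pickle's or the ACSC's code. The inventory format is an assumption of the example and the patch identifiers are placeholders, not real advisories.

```python
"""Patch-window check modelled on the timeframes quoted in the article:
48 hours for internet-facing systems, 14 days for internal ones, counted
from the patch's release.

Added example, not Pickle's or the ACSC's code. The inventory format and the
patch identifiers are constructed placeholders.
"""
from datetime import datetime, timedelta

WINDOWS = {
    "internet-facing": timedelta(hours=48),
    "internal": timedelta(days=14),
}


def missing_patch_report(inventory, now):
    """List patches not yet applied, with hours remaining (negative means overdue).

    Each inventory item: {"host", "exposure", "patch_id", "released": datetime,
    "applied": datetime or None}. Internet-facing systems are listed first,
    then the most overdue, matching the article's prioritisation.
    """
    report = []
    for item in inventory:
        if item["applied"] is not None:
            continue                               # already patched; nothing to report
        if item["exposure"] not in WINDOWS:
            raise ValueError(f"{item['host']}: unknown exposure {item['exposure']!r}")
        deadline = item["released"] + WINDOWS[item["exposure"]]
        hours_left = round((deadline - now).total_seconds() / 3600)
        report.append({"host": item["host"], "patch_id": item["patch_id"],
                       "exposure": item["exposure"], "hours_left": hours_left,
                       "overdue": hours_left < 0})
    report.sort(key=lambda r: (r["exposure"] != "internet-facing", r["hours_left"]))
    return report


def sample_inventory():
    """Constructed inventory; patch ids are placeholders, not real advisories."""
    dt = datetime
    return [
        {"host": "vpn-gw", "exposure": "internet-facing", "patch_id": "VENDOR-PLACEHOLDER-1",
         "released": dt(2024, 6, 7, 9), "applied": None},
        {"host": "mail-gw", "exposure": "internet-facing", "patch_id": "VENDOR-PLACEHOLDER-2",
         "released": dt(2024, 6, 9, 12), "applied": dt(2024, 6, 10, 8)},
        {"host": "file-srv", "exposure": "internal", "patch_id": "VENDOR-PLACEHOLDER-3",
         "released": dt(2024, 6, 1, 9), "applied": None},
        {"host": "wks-07", "exposure": "internal", "patch_id": "VENDOR-PLACEHOLDER-4",
         "released": dt(2024, 5, 1, 9), "applied": None},
    ]


if __name__ == "__main__":
    for row in missing_patch_report(sample_inventory(), datetime(2024, 6, 10, 9)):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f"{flag:8} {row['host']:10} {row['exposure']:16} {row['patch_id']} {row['hours_left']:+d}h")
```

The clock starts at release, not at the date the provider noticed the patch, which is why an unattended workstation accumulates weeks of exposure silently; feeding a real inventory into this report (from your RMM or patch tool's export) turns the framework's timeframes into a list that can be actioned in priority order.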
Enable MFA on All Accounts
Multi-factor authentication (MFA) requires a second form of verification — typically a code from an authenticator app or a push notification — in addition to a password. Even if an attacker obtains a user's password through a phishing attack or a credential database breach, they cannot log in without also controlling the second factor.
MFA is most critical on email accounts (which are frequently used to reset other passwords), VPN and remote access, cloud services including Microsoft 365 and Google Workspace, and any administrative interfaces. Enabling MFA across these systems eliminates a large proportion of credential-based attacks that lead to ransomware.
This is a relatively low-effort control with a very high impact, and it should be in place for every business regardless of size.
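What the "code from an authenticator app" actually is, as an added example that is not Pickle's code or any vendor's authenticator: an RFC 6238 TOTP is an HMAC-SHA1 over a 30-second time counter, truncated to six digits, and the server-side verifier below also refuses to accept the same time step twice, so a code captured by a phishing page is useless once the legitimate user has consumed it. The secret used is the published RFC 6238 test key.

```python
"""RFC 6238 time-based one-time password (TOTP) generation and verification.

Added example, not Pickle's code and not any vendor's authenticator. The
verifier tolerates one step of clock skew and never accepts a time step
twice. The secret below is the RFC 6238 appendix B test key.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """HOTP over the time counter floor(unix_time / 30), per RFC 4226 / RFC 6238."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: checks a submitted code and remembers the last accepted time step."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                                      # replay of a consumed step
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):      # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"                     # RFC 6238 appendix B
```

The replay check is the detail most home-grown verifiers miss. It does not defeat a real-time relay, where the phishing page forwards the code within the same 30-second step, which is why the phishing-resistant factors (hardware keys and passkeys) bind the login to the genuine site; but it does close the window for the far more common case of a code harvested and used minutes later.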
Block or Limit RDP and Other Remote Access
If your business does not require RDP, it should be disabled. If RDP is required, it should never be exposed directly to the internet. Instead, it should be accessible only through a VPN, and access should be restricted to specific known IP addresses where possible.
Businesses should also audit which user accounts have RDP access and remove it from accounts that do not need it. Enabling network-level authentication and account lockout policies adds further resistance to brute-force attempts.
Remote access tools of all kinds should be reviewed periodically. It is common to find remote access software installed during a past project that was never removed, creating a forgotten entry point.
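The brute-force pattern described under "Exposed Remote Access" is visible in the Windows Security log, and the detection below is an added example (not Pickle's code) of what a monitoring rule for it looks like. Windows records a failed logon as event 4625 and a success as 4624, with RDP sessions carrying logon type 10. The log lines are constructed in a simplified comma-separated form rather than real Event Log XML; the alert raised when a success follows a burst of failures from the same source is the one that should page someone.

```python
"""Brute-force detection for an exposed RDP service, run over constructed log lines.

Added example, not Pickle's code. Windows logs a failed logon as Security
event 4625 and a success as 4624; an RDP session is logon type 10. The
lines below are constructed (timestamp,event_id,logon_type,account,source_ip),
not real Event Log records. One alert is raised when a source exceeds the
failure threshold inside a sliding window, and a higher-severity alert if
that same source then logs on successfully: the signature of a guessed password.
"""
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2024-06-10T02:00:01,4625,10,administrator,203.0.113.10
2024-06-10T02:00:03,4625,10,admin,203.0.113.10
2024-06-10T02:00:05,4625,10,backup,203.0.113.10
2024-06-10T02:00:07,4625,10,jsmith,203.0.113.10
2024-06-10T02:00:09,4625,10,jsmith,203.0.113.10
2024-06-10T02:00:11,4625,10,jsmith,203.0.113.10
2024-06-10T02:00:30,4624,10,jsmith,203.0.113.10
2024-06-10T08:15:00,4625,10,ahuang,198.51.100.7
2024-06-10T08:15:20,4624,10,ahuang,198.51.100.7
"""


def parse(line):
    ts, event_id, logon_type, account, src = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src


def detect(lines, threshold=5, window_seconds=60):
    """Return a list of alert dicts in the order they were raised."""
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps inside the window
    flagged = set()                         # sources already alerted as brute-forcing
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = parse(line)
        if logon_type != 10:                # only remote-interactive (RDP) logons
            continue
        if event_id == 4625:
            q = recent_failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()                 # slide the window forward
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute-force", "severity": "medium",
                               "source": src, "failures": len(q), "at": ts})
        elif event_id == 4624 and src in flagged:
            alerts.append({"type": "success-after-brute-force", "severity": "high",
                           "source": src, "account": account, "at": ts})
    return alerts


def demo():
    return detect(SAMPLE_LOG.splitlines())
```

The single mistyped password from 198.51.100.7 produces nothing, which is the point of the threshold. When network-level authentication is enabled, failed attempts are commonly recorded before a session exists and appear with logon type 3 rather than 10, so a production rule should include both types; and if the account lockout policy from this section is in place, the burst will also show up as event 4740 (account locked out), which makes a useful second signal.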
Email Filtering and Attachment Sandboxing
Modern email security platforms do more than block known spam. Advanced email security solutions analyse attachments and links in real time, detonating suspicious attachments in an isolated sandbox environment to determine whether they are malicious before delivering them to the recipient. Links are checked at the time of click against threat intelligence feeds.
For businesses receiving a high volume of external email — which is virtually every business — this layer of filtering significantly reduces the volume of malicious content that reaches staff inboxes. It does not eliminate the risk entirely, which is why security awareness training remains important, but it materially reduces the attack surface.
Endpoint Detection and Response (EDR)
Traditional antivirus software relies on signatures — databases of known malware — to detect and block threats. Ransomware operators routinely modify their tools to evade signature-based detection.
Endpoint detection and response (EDR) takes a different approach. Rather than looking for known malicious files, EDR monitors behaviour — what processes are running, what files they are accessing, what network connections are being made — and identifies patterns consistent with an attack. When ransomware begins encrypting files, it exhibits distinctive behavioural patterns. EDR solutions can detect this in progress and automatically isolate the affected endpoint, stopping the encryption before it spreads to the rest of the network.
EDR is not a replacement for the other controls listed here, but it is an important last line of defence that can contain an attack that has already begun.
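To make "behavioural patterns" concrete, the following added example (not Pickle's code and not any EDR vendor's detection logic) scores each process on a stream of file-write events rather than on what binary it is: how many files it rewrote inside a short window, across how many directories, whether it changed their extensions to one new suffix, and whether what it wrote looks encrypted (Shannon entropy near 8 bits per byte). The events, paths and process names are constructed.

```python
"""Behavioural ransomware indicator over a stream of file-write events.

Added example, not Pickle's code and not any EDR vendor's detection logic.
Instead of matching a known binary it scores each process on the behaviours
the article describes. Events, paths and process names are constructed.
"""
import math
import posixpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits well under 6, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def max_writes_in_window(times, window_seconds):
    """Largest number of events inside any window_seconds span (times sorted ascending)."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_processes(events, window_seconds=10, min_files=20,
                    ext_share_threshold=0.8, entropy_threshold=7.5):
    """Return {process: verdict} for processes that wrote min_files+ files within the window.

    Each event: {"ts": datetime, "process": str, "path": original file,
    "new_path": file as written (may carry a new extension), "data": bytes written}.
    """
    by_process = defaultdict(list)
    for ev in events:
        by_process[ev["process"]].append(ev)
    verdicts = {}
    for proc, evs in by_process.items():
        evs.sort(key=lambda e: e["ts"])
        burst = max_writes_in_window([e["ts"] for e in evs], window_seconds)
        if burst < min_files:
            continue                                       # ordinary editing volume
        changed = Counter(posixpath.splitext(e["new_path"])[1] for e in evs
                          if posixpath.splitext(e["new_path"])[1] != posixpath.splitext(e["path"])[1])
        dominant_ext, dominant_n = changed.most_common(1)[0] if changed else ("", 0)
        ext_share = dominant_n / len(evs)
        mean_entropy = sum(shannon_entropy(e["data"]) for e in evs) / len(evs)
        verdicts[proc] = {
            "files_in_window": burst,
            "directories": len({posixpath.dirname(e["new_path"]) for e in evs}),
            "dominant_new_ext": dominant_ext,
            "ext_share": round(ext_share, 2),
            "mean_entropy": round(mean_entropy, 2),
            # isolate when rapid mass rewriting coincides with either indicator
            "isolate": ext_share >= ext_share_threshold or mean_entropy >= entropy_threshold,
        }
    return verdicts


HIGH_ENTROPY = bytes(range(256)) * 4           # constructed stand-in for ciphertext (8.0 bits/byte)
PLAINTEXT = b"Quarterly figures attached. " * 40


def sample_events():
    """Constructed stream: a word processor saving three files, and one process encrypting thirty."""
    t0 = datetime(2024, 6, 10, 2, 14, 0)
    events = []
    for i in range(3):
        events.append({"ts": t0 + timedelta(minutes=i), "process": "winword.exe",
                       "path": f"/srv/shared/finance/report{i}.docx",
                       "new_path": f"/srv/shared/finance/report{i}.docx", "data": PLAINTEXT})
    for i in range(30):
        folder = ("finance", "hr", "clients")[i % 3]
        events.append({"ts": t0 + timedelta(milliseconds=200 * i), "process": "update_helper.exe",
                       "path": f"/srv/shared/{folder}/file{i}.docx",
                       "new_path": f"/srv/shared/{folder}/file{i}.docx.locked", "data": HIGH_ENTROPY})
    return events
```

The verdict for the constructed encrypting process is "isolate", while the word processor never reaches the volume threshold. A backup agent or an archiver compressing a whole share would trip the entropy indicator too, which is why real EDR products pair heuristics like these with allow-lists for known tools and with canary files that no legitimate process should touch; the value of the approach is that the ransomware binary itself never has to be recognised.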
Incident Response — What to Do When Ransomware Hits
Even with strong preventive controls in place, no defence is absolute. Having a clear, practised incident response plan means that if an attack does succeed, you act quickly and correctly rather than making panicked decisions that worsen the outcome.
Step 1: Isolate affected systems immediately. The moment ransomware is identified, disconnect affected machines from the network. Physically unplug the ethernet cable and disable WiFi. Do not wait. Every second the affected machine remains connected is an opportunity for the ransomware to spread laterally to other systems.
Step 2: Do not restart affected systems. It is a natural instinct to reboot a malfunctioning computer, but with ransomware this can destroy forensic evidence that your incident response team needs to understand how the attack occurred. Some ransomware variants also deploy additional payloads on restart. Leave affected systems powered on but isolated.
Step 3: Contact your IT provider and incident response team immediately. Time is critical. Your managed IT provider should have a defined incident response procedure. If specialist forensic capabilities are needed, engage an incident response firm. Do not attempt to investigate or remediate without expert guidance — well-intentioned actions can destroy evidence and complicate recovery.
Step 4: Report to the ACSC via ReportCyber. Australian businesses are encouraged to report ransomware and other cyber incidents to the ACSC through reportcyber.gov.au. Reporting helps the ACSC track active threats and issue warnings to other businesses. In some cases, the ACSC or Australian Federal Police may have intelligence relevant to your specific situation.
Step 5: Assess your obligations under the Notifiable Data Breaches scheme. If personal information was likely accessed or exfiltrated — and in a double extortion attack it almost certainly was — you need to determine whether you have notification obligations under the notifiable data breaches framework. The OAIC must be notified within 30 days of becoming aware of an eligible data breach. Get legal advice on this promptly.
Step 6: Restore from clean backups — but not into the same environment. Before restoring, your incident response team must identify how the attacker got in and ensure that access has been eliminated. Restoring into a compromised environment means the attacker simply re-establishes access and you may face a repeat attack within days. Restoration should occur into a rebuilt, clean environment.
Step 7: Contact your cyber insurer before making any public statements or considering ransom payment. Your cyber insurance policy will typically have specific requirements around notification timeframes and may cover the cost of incident response, data recovery, and business interruption. Contact your insurer early. Do not make public statements or communicate with the attackers before speaking with your insurer and legal adviser.
Should You Pay the Ransom?
This is the question every ransomware victim faces, and there is no simple answer — but there is a clear recommendation.
The ACSC, the Australian Federal Police, and the broader cybersecurity community advise against paying the ransom. The reasons are substantive.
Payment does not guarantee decryption. Some ransomware groups provide non-functional or incomplete decryption tools after receiving payment. Others simply take the money and provide nothing. The transaction is with criminals; there is no recourse if they do not deliver.
Payment funds criminal operations. Every ransom paid provides resources that enable further attacks — against your business, your suppliers, and other Australian businesses.
Paying may attract further targeting. Businesses that pay ransoms signal that they will pay again. Some criminal groups maintain lists of businesses that have previously paid and sell access to those lists.
In some cases, payment may carry legal risk. Several ransomware operators are entities that have been placed under international sanctions. Making a payment to a sanctioned entity — even unknowingly — may breach Australian sanctions laws. This is a real and underappreciated legal risk.
That said, the decision of whether to pay is ultimately a business decision, not a purely technical or ethical one. There are circumstances — where lives depend on immediate system recovery, for example — where the calculus is genuinely difficult. That decision should be made with legal advice, cyber insurance guidance, and involvement from a professional incident response team, not under panic at two in the morning after discovering encrypted files.
The best position is one where you never need to face this decision — because your backups are intact, tested, and inaccessible to the attacker.
How Pickle Protects Australian SMBs from Ransomware
Ransomware prevention is not a single product or a one-time project. It is an ongoing set of managed controls that must be implemented correctly, monitored continuously, and updated as threats evolve.
Pickle's managed IT services for Australian small and medium-sized businesses include the core controls that prevent most ransomware attacks and enable rapid recovery when prevention is not enough.
Backup architecture and management. We design and manage backup environments that follow the 3-2-1 rule with immutable or isolated cloud storage that cannot be reached from the production network. Backups are tested on a regular schedule so you know they will restore when needed.
Patch management. We monitor your environment for missing patches across operating systems, applications, and network devices, and apply updates on a scheduled basis with priority given to internet-facing systems — consistent with the Essential Eight framework.
MFA deployment. We configure and enforce multi-factor authentication across email, remote access, and cloud services for all staff accounts, ensuring that stolen credentials alone are not sufficient for an attacker to gain entry.
Endpoint detection and response. We deploy and monitor EDR across your managed endpoints, providing behavioural-based detection that can contain an active ransomware deployment before it spreads.
Email security. We configure advanced email filtering with attachment sandboxing and link analysis to reduce the volume of malicious content that reaches your staff.
If you are concerned about your business's exposure to ransomware — or if you have never had your backup and recovery capability tested — contact Pickle to discuss how we can help.
Call 1300 688 588 or email [email protected].
Frequently Asked Questions
Q: How do you know if your business has been hit by ransomware?
A: The most obvious sign is discovering that files have been encrypted — they will typically have an unfamiliar file extension added to their names and will not open normally. A ransom note, usually a text file or an on-screen message, will appear demanding payment. You may also notice that business systems are suddenly slow or unresponsive, or that staff cannot access shared drives. In some cases — particularly at the early stages of an attack before encryption is deployed — you may see signs of unusual network activity, unfamiliar user accounts, or security alerts from your endpoint protection software. If you suspect an attack is in progress, isolate affected systems immediately and contact your IT provider without delay.
Q: Can ransomware spread from one computer to other devices on the same network?
A: Yes. Modern ransomware is specifically designed to move laterally across a network after gaining initial access. Once it has compromised one machine, it attempts to spread to other computers, servers, and network-accessible storage — including backup drives and mapped network shares. This lateral movement is one reason why isolating an affected machine immediately is so critical: every moment it remains connected is an opportunity for the ransomware to spread. Network segmentation — the practice of dividing a network into isolated segments — can limit lateral movement by preventing ransomware from crossing from one segment to another, and is an important architectural control for businesses with multiple systems or locations.
Q: Does cyber insurance cover ransomware attacks?
A: Many cyber insurance policies do cover ransomware incidents, including costs associated with incident response, data recovery, business interruption, ransom payment (subject to policy terms and legal considerations), and regulatory notification. However, coverage varies significantly between policies, and many insurers now require that certain security controls — including MFA, patching, and backup practices — are in place as a condition of coverage. It is essential to read your policy carefully and to disclose your security posture accurately when applying. Businesses that misrepresent their security practices at application risk having claims denied. If you are reviewing your cyber insurance, ask your broker specifically about ransomware coverage and what security controls are required to maintain it.
Q: Is it illegal to pay a ransomware demand in Australia?
A: There is no blanket law in Australia that makes paying a ransomware demand illegal. However, it may be unlawful to make payment to certain ransomware operators if they are entities subject to Australian or international sanctions. Several ransomware groups — including some of the most active ones — have been designated as sanctioned entities by the United States, the United Kingdom, and the European Union. Australia's sanctions regime may apply in certain circumstances. Before making any payment, seek legal advice. The Australian Federal Police and the ACSC strongly advise against paying, and the decision should never be made without legal and cyber insurance guidance.
Q: How long does it take to recover from a ransomware attack?
A: Recovery time depends heavily on the scope of the attack, the quality of your backup environment, whether you have a tested incident response plan, and the complexity of your IT environment. In the best-case scenario — where a business has tested, immutable backups and a clear recovery procedure — partial restoration of critical systems can begin within hours and full recovery may be achieved within a few days. In typical cases without robust backup infrastructure or tested recovery plans, full recovery commonly takes between one and three weeks. For businesses without any viable backups, full recovery may be impossible without paying the ransom — and even then is not guaranteed. This is why investing in backup architecture and recovery testing before an incident is so much more cost-effective than attempting to recover without preparation.
| Control | Why it matters | Implementation difficulty |
|---|---|---|
| Offline / immutable backups | Enables recovery without paying the ransom | Medium |
| Multi-factor authentication | Blocks credential-based attacks | Low |
| Patch management | Closes known vulnerabilities attackers actively exploit | Low–Medium |
| Endpoint detection and response (EDR) | Detects and contains active ransomware behaviour | Medium |
| Email filtering and sandboxing | Reduces phishing-delivered ransomware reaching staff | Medium |
| RDP restriction | Eliminates one of the most exploited entry points | Low |
Difficulty ratings reflect the effort required with a managed IT provider in place. Without managed IT, most controls increase to Medium or High difficulty.