Ransomware is the most impactful cyber threat facing mid-market organizations today. Unlike data theft — which may go undetected for months — a ransomware attack is immediately, catastrophically visible: systems are encrypted, operations halt, and the business faces a binary decision under extreme time pressure. This guide covers what actually works for prevention, what to do during an attack, and how to build resilience before you need it.
Why Mid-Market Companies Are Primary Targets
Enterprise organizations (10,000+ employees) have dedicated security teams, mature incident response programs, and the budget for advanced detection tools. Small businesses (under 50 employees) often lack the data value that justifies a targeted attack. Mid-market companies — 50 to 2,000 employees — are the sweet spot for ransomware operators:
- Enough data value to justify a significant ransom demand — the median demand against mid-market firms was roughly $110,000 (Sophos State of Ransomware 2025; Coveware by Veeam, Q3 2025)
- Limited security staff — often one IT generalist responsible for everything from help desk to security
- Flat network architectures that allow rapid lateral movement from initial compromise to domain-wide encryption
- Cyber insurance policies that ransomware operators research before setting demands
- Lower tolerance for downtime — every hour of downtime directly impacts revenue, making ransom payment more likely
The Ransomware Kill Chain: Where to Break It
Modern ransomware attacks follow a predictable sequence. Understanding this sequence reveals where defensive controls are most effective:
1. Initial Access (Day 0)
How they get in: Common initial access vectors include phishing emails with malicious attachments, compromised VPN/RDP credentials, exploitation of public-facing vulnerabilities, and supply chain compromise (Verizon DBIR).
Defense: MFA on all remote access (VPN, RDP, email, SaaS). Patch externally-facing systems within 48 hours of critical CVE publication. Disable SMBv1, LLMNR, and NBT-NS.
2. Persistence & Reconnaissance (Days 1–14)
What they do: Establish persistence (scheduled tasks, registry run keys), enumerate Active Directory (BloodHound, SharpHound), identify domain admins and backup systems, map network topology.
Defense: Network segmentation limits lateral movement. AD hardening (tiered administration, privileged access workstations). Endpoint detection and response (EDR) with behavioral analysis.
3. Privilege Escalation (Days 7–21)
What they do: Kerberoasting service accounts, credential dumping (LSASS), exploiting GPO misconfigurations, abusing certificate services (AD CS).
Defense: Regular penetration testing identifies these exact attack paths before a real attacker does. Implement LAPS for local admin passwords. Disable NTLM where possible.
4. Data Exfiltration (Days 14–30)
What they do: Stage and exfiltrate sensitive data to external infrastructure for double-extortion leverage. Even if you have backups, they threaten to publish your data.
Defense: DLP controls and network monitoring for large outbound data transfers. Segment sensitive data stores. Encrypt data at rest.
5. Encryption & Ransom (Day 30+)
What they do: Deploy ransomware payload across all accessible systems simultaneously, delete shadow copies, encrypt backup volumes if accessible.
Defense: Offline/immutable backups (the single most important control). Backup systems on isolated network segments with separate credentials. Test restoration procedures quarterly.
The 5 Controls That Actually Matter
If you implement nothing else, implement these five controls. They address the most common attack vectors used in real ransomware incidents:
- MFA everywhere: Multi-factor authentication on VPN, email, RDP, and all administrative interfaces. This baseline control blocks over 99% of automated account-compromise attacks (Microsoft research).
- Network segmentation: Separate user workstations, servers, backup systems, and management interfaces into distinct network segments with enforced access controls. This prevents a single compromised workstation from becoming a domain-wide incident.
- Immutable backups: Maintain offline or immutable backup copies that cannot be encrypted or deleted by an attacker with domain admin privileges. Test restoration quarterly.
- Patch management: Patch externally-facing systems within 48 hours of critical CVE publication. Maintain a rolling patch schedule for internal systems.
- Penetration testing: Annual penetration testing identifies the specific attack paths a ransomware operator would exploit in your environment — before they do.
What to Do During a Ransomware Attack
If you are reading this section during an active incident: do not pay the ransom yet. Follow these immediate steps:
- Isolate affected systems — disconnect from the network but do not power off (preserves forensic evidence in memory)
- Identify the ransomware variant — check ID Ransomware (id-ransomware.malwarehunterteam.com) for known decryptors
- Engage incident response — contact your MSSP, cyber insurance carrier, and legal counsel simultaneously
- Preserve evidence — do not wipe or rebuild systems until forensic imaging is complete
- Report — file with FBI IC3 (ic3.gov) and your state attorney general (NY: ag.ny.gov)
The decision to pay a ransom is a business decision that should involve legal counsel, your insurance carrier, and executive leadership — not a panicked IT team at 2am. Having an incident response plan documented and tested before an incident occurs is what separates organizations that recover in days from those that recover in months.