Ransomware Doesn’t Start With Ransomware

by James Cavenaugh

March 27, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.

In February 2023, the U.S. Marshals Service got hit with ransomware that took critical systems offline for months. A federal law enforcement agency with a real IT budget and actual security staff. It took them 30 days to stand up a replacement system. Not because they didn’t know what they were doing, but because ransomware doesn’t work the way most people think it does.

Most people think ransomware is something that shows up one morning. You open a bad attachment, your files get encrypted, you see a ransom note. That’s the movie version. The reality is the encryption is the last thing that happens. By the time you see the ransom note, the attacker has been inside your network for days or weeks, and they’ve already done the real damage.

The three weeks before the ransom note

IBM’s 2024 Cost of a Data Breach Report found that the average time to identify a breach is 194 days. For ransomware specifically, the dwell time is shorter because the attacker eventually announces themselves, but it’s still not instant. The typical pattern looks like this.

The attacker gets in through something mundane: a VPN that doesn’t require multi-factor authentication, an exposed RDP port, a phishing email that delivers a remote access tool. According to Verizon’s 2024 Data Breach Investigations Report, stolen credentials are involved in nearly half of all breaches. Often it’s the same password reused on a personal site that got breached. You already know how that goes.

Once inside, they move slowly. They map the network. They figure out where the important files are. They find the backup system and either encrypt it, delete it, or disconnect it. They identify the domain admin account and compromise it. They do all of this during off-hours when nobody’s watching the logs, assuming anyone’s watching the logs at all.

This is exactly what happened in the Change Healthcare attack in 2024, which disrupted pharmacy operations and claims processing across much of the U.S. healthcare system. The attackers got in through a Citrix portal that didn’t have MFA. They spent nine days inside the network before deploying the ransomware. Nine days was enough to cripple a company that processes 15 billion healthcare transactions a year.

The backup problem

Here’s where it gets personal for small firms. A lot of small businesses think they have backups. They’ve got a USB drive that gets plugged in periodically, or they’re backing up to a NAS on the same network, or they’re using a cloud backup that authenticates with the same domain credentials the attacker already has.

If the attacker can reach your backups from inside your network using the credentials they’ve already stolen, you don’t have backups. You have an extra copy of your data sitting in the blast radius.

The firms that survive ransomware have immutable, offsite backups. That means backups stored somewhere the attacker can’t reach from inside the network, using credentials that aren’t tied to the main domain, with retention locks that can’t be shortened or overridden, not even by an administrator account. The 3-2-1 backup rule (three copies, two different media types, one offsite) has been around forever because it works. The “immutable” part is what’s changed. Your offsite copy needs to be write-once, enforced by the storage itself rather than by a setting in the backup software, so that even if an attacker gets the credentials, they can’t delete the backups or shorten their retention before deploying the ransomware.

What actually stops this

Three things change the outcome in almost every ransomware case I’ve seen or read about.

MFA on every remote access point. VPN, RDP, Citrix, whatever you’re using to let people connect from outside the office. If the Change Healthcare attack taught us anything, it’s that one portal without MFA is all it takes.

Monitoring and alerting that catches lateral movement. Someone logging in at 2 AM from an IP address in another country. A service account suddenly accessing file shares it’s never touched before. New admin accounts being created. If you’re not watching for these things, you’re relying on the attacker to make a mistake. They usually don’t.
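Here is what those three indicators look like as detection logic, as an added example that is not part of the original article or the author’s tooling. It runs over a handful of constructed security events (loosely modelled on Windows event IDs 4624, 5140 and 4728); the corporate IP ranges, business hours and service-account baseline are assumptions, and since there is no offline GeoIP database, “another country” is approximated by “not in a corporate range”.

```python
"""Lateral-movement heuristics run over constructed security events.

Added example to illustrate the three indicators in the article; it is not the
author's tooling. Assumptions: events arrive pre-parsed as dicts (as a SIEM
would hand them over), the corporate IP ranges and business hours below are
placeholders, and "another country" is approximated by "not in a corporate
range" because no GeoIP database is available offline.
"""
import ipaddress
from datetime import datetime, time

CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]      # assumed ranges
BUSINESS_HOURS = (time(7, 0), time(19, 0))                   # assumed hours
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB), 10 = RemoteInteractive (RDP)

# Constructed baseline: shares each service account is known to use.
BASELINE_SHARES = {
    "svc_backup": {r"\\fs01\backups"},
    "svc_erp": {r"\\fs01\erp"},
}

# Constructed sample events, loosely modelled on Windows Security event IDs:
# 4624 = successful logon, 5140 = network share accessed,
# 4728 = member added to a security-enabled global group.
EVENTS = [
    {"ts": "2026-03-10T09:15:00", "id": 4624, "user": "jdoe", "src": "10.1.4.22", "logon_type": 2},
    {"ts": "2026-03-11T02:07:41", "id": 4624, "user": "jdoe", "src": "185.220.101.4", "logon_type": 10},
    {"ts": "2026-03-11T02:09:12", "id": 5140, "user": "svc_backup", "share": r"\\fs01\backups"},
    {"ts": "2026-03-11T02:31:55", "id": 5140, "user": "svc_backup", "share": r"\\dc01\SYSVOL"},
    {"ts": "2026-03-11T02:40:03", "id": 4728, "user": "jdoe", "member": "helpdesk2", "group": "Domain Admins"},
    {"ts": "2026-03-11T14:00:00", "id": 5140, "user": "svc_erp", "share": r"\\fs01\erp"},
]


def is_off_hours(ts: datetime) -> bool:
    """True outside business hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def is_external(ip: str) -> bool:
    """True when the source address is not in any corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_RANGES)


def detect(events, baseline=BASELINE_SHARES):
    """Return a list of (rule, subject, detail) alerts.

    Rules: off-hours remote logon from outside the corporate ranges; a service
    account touching a share outside its baseline (alerted once per new share);
    any addition to a privileged group.
    """
    alerts = []
    seen = {acct: set(shares) for acct, shares in baseline.items()}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624:
            if (e.get("logon_type") in NETWORK_LOGON_TYPES
                    and is_external(e["src"]) and is_off_hours(ts)):
                alerts.append(("off_hours_external_logon", e["user"], e["src"]))
        elif e["id"] == 5140 and e["user"].startswith("svc_"):
            known = seen.setdefault(e["user"], set())
            if e["share"] not in known:
                alerts.append(("service_account_new_share", e["user"], e["share"]))
                known.add(e["share"])   # one alert per new share, not one per access
        elif e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", e["member"], e["group"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:28} {subject:12} {detail}")
```

On the sample above, the daytime internal logon and the two in-baseline share accesses stay quiet; the 2 AM RDP logon from outside the corporate ranges, the backup service account reading SYSVOL, and the addition to Domain Admins each raise an alert. The baseline is the part that takes real work: it has to be built from weeks of normal traffic, and a service account that legitimately roams will need its own entry rather than an exception to the rule.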

Backups that actually survive the attack. Offsite. Immutable. Tested. Not just “we have a backup.” Tested, as in someone actually tried restoring from it within the last 90 days and verified the data was there.
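What a restore test looks like when it is automated, as an added example that is not part of the original article or the author’s tooling: back up a constructed directory, restore it somewhere else, check every file against a SHA-256 manifest taken at backup time, and flag a drill that is more than 90 days old. The sample files are constructed, and a local tarball stands in for whatever offsite target is actually in use.

```python
"""Restore drill: back up a constructed directory, restore it somewhere else,
verify every file against a SHA-256 manifest taken at backup time, and flag a
drill that is older than 90 days.

Added example to show what "tested" means in practice; it is not the article
author's tooling. The sample files are constructed, and the archive is a local
tarball standing in for whatever offsite target is actually used.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta

MAX_DRILL_AGE_DAYS = 90   # the article's "within the last 90 days"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Write a tar.gz of src_dir and return {relative_path: sha256} captured
    at backup time. Keep the manifest with the backup metadata, not only on
    the source host, or a wiped source takes the manifest with it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def extract(archive_path, dest_dir):
    """Restore into dest_dir. The 'data' filter (Python 3.12+, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses path traversal and device members;
    older interpreters fall back to a plain extract."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)


def verify(manifest, dest_dir):
    """Compare the restored tree with the manifest. Returns (ok, problems)."""
    problems = []
    for rel, expected in manifest.items():
        restored = os.path.join(dest_dir, rel)
        if not os.path.isfile(restored):
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"altered: {rel}")
    return not problems, problems


def drill_is_stale(last_ok_iso, now_iso=None, max_age_days=MAX_DRILL_AGE_DAYS):
    """True when there is no successful drill on record or the last one is too old."""
    if last_ok_iso is None:
        return True
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    return now - datetime.fromisoformat(last_ok_iso) > timedelta(days=max_age_days)


def run_drill(tamper=False):
    """End-to-end drill on constructed data. tamper=True alters one restored
    file before verification, which is what a silently corrupted or partially
    restored backup looks like to the check."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2026-03-01,invoice,1200.00\n")       # constructed content
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)

        dest = os.path.join(work, "restore")
        extract(archive, dest)
        if tamper:
            with open(os.path.join(dest, "finance", "ledger.csv"), "a") as f:
                f.write("2026-03-02,invoice,0.01\n")
        ok, problems = verify(manifest, dest)
        return {"ok": ok, "files": len(manifest), "problems": problems,
                "last_ok": datetime.now().isoformat() if ok else None}


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(tamper=True))
```

The point of the manifest is that “the restore finished” and “the data is there” are different questions; only the hash comparison answers the second one. Whatever records the `last_ok` timestamp needs to live somewhere the attacker can’t reset it, for the same reason the backups themselves do.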

None of these are exotic. None of them require a massive budget. They require someone to set them up, verify they work, and keep checking. Ransomware doesn’t start with ransomware. It starts with one weak credential and an open door. The encryption is just what happens when nobody noticed the rest.