How to Protect Your Business from Ransomware: A Practical Guide Based on Real Incidents

28.01.2026
13:46

Every day, dozens of companies worldwide face ransomware attacks. The morning starts the same way: an employee turns on their computer and finds that every file has a strange extension (.elpy, .djvu, .lockbit and so on) next to a ransom note.

Typical scenario: an accountant opens an email supposedly from the tax office with an attachment named "Invoice.pdf". The file looks like an ordinary PDF: correct extension, nothing visibly suspicious. But the document carries an embedded script or exploit that fires when it is opened in a vulnerable reader. Within minutes every company file is encrypted. Work stops. The 1C database is inaccessible. Backups are missing, or were reachable from the infected machine and are encrypted too. The attackers demand $5,000-50,000 for decryption, and that is for a small business; for large companies the amounts run into millions.

Statistics you need to know:

  • 71% of ransomware attacks target small and medium businesses
  • Average cost of a ransomware incident worldwide: around $780,000 (2024 data)
  • 60% of companies that paid the ransom never got their data back
  • 25% of small companies closed within a year of a serious cyberattack
  • 93% of successful attacks start with a phishing email

Most companies learn how vulnerable they are only after an attack. This article is about how to protect yourself BEFORE it hits: no fluff, just practical measures drawn from real incident analysis.

Real Cases: This Happens Every Day

Case 1: Accounting Encrypted in 15 Minutes

Medium-sized manufacturing company, 50 employees. An accountant opened an email from the "tax office" with an attachment. Within 15 minutes the entire 1C database was encrypted, along with three years of accounting files and the backups on a network drive.

Ransomware: Phobos. Demand: $25,000. The company refused to pay and restored its data over two weeks from old archives. Losses: around $140,000 (downtime plus recovery).

Case 2: RDP with Password "123456"

IT company, 20 developers. One server had RDP open to the internet with the default credentials admin/123456. Attackers got in by brute force, deployed ransomware and encrypted all development servers and client databases.

Ransomware: LockBit 3.0. Demand: $100,000. The company lost 5 major clients because of the data breach. Damage: over $900,000, plus reputation.

Case 3: Supply Chain

Medical equipment distributor. The infection came through a compromised supplier website: a malicious link embedded in a PDF invoice. A manager opened the file, clicked "update data", and that was it. The CRM database, invoices and contracts were encrypted.

Ransomware: Conti. The company paid $15,000 and received a decryptor, but it restored only 70% of the files. The rest were lost for good.

What do these cases have in common?

Missing or badly configured backups, weak passwords or exposed ports, untrained employees, outdated software and no antivirus (or ignored alerts). All of it was preventable. Let's break down how.

What is Ransomware and Why It's Serious

Ransomware is malicious software that encrypts your files and demands a ransom, usually in Bitcoin, for the decryption key. Most current groups also copy data out before encrypting it and threaten to publish it, so good backups remove the downtime problem but not the breach problem.

Important to understand: even if you pay, there is no guarantee of decryption. Worse, you end up in the attackers' list of "paying customers" and become a target for repeat attacks.

Average ransom for a small business: $5,000 to $50,000. For large companies it runs into millions.

How Infection Happens

1. Phishing Emails (93% of cases)

Responsible for 93% of infections. Modern attacks use legitimate file formats: real PDFs or Word documents carrying an embedded script or exploit. The file is named "Invoice.pdf", an ordinary PDF with no suspicious extension. When it is opened, the embedded code exploits a vulnerability in the PDF reader or the operating system to download and launch the malware. This is especially dangerous because the file looks completely legitimate; a fully patched reader with its sandbox enabled is the first line of defence against it. Other methods include password-protected archives (the scanner cannot open the archive, so the payload passes the antivirus check), Office documents with macros that run once the user clicks "Enable Content", and plain links to a page that harvests credentials.

2. Software Vulnerabilities

Outdated operating systems and applications contain publicly known vulnerabilities, often with ready-made exploits, that attackers use to get onto a system and deploy ransomware. Internet-facing services (VPN gateways, mail servers, file-transfer and remote-management tools) are the usual entry points because they are reachable without any user interaction.

3. RDP and Remote Access

Weak passwords on remote desktop services, RDP ports open to the internet and no two-factor authentication give attackers an easy way in. An exposed RDP port is found by internet scanners within hours and then brute-forced from lists of leaked passwords.

4. Infected Sites and Ads

Compromised websites, malicious advertising and fake "update your browser" prompts can deliver ransomware straight through the web browser, often without the user noticing anything.

Multi-Layer Defense: Practical Implementation

Level 1: Backups (Most Important)

This is your main defence. If the data gets encrypted, you restore it from backup. A backup only counts once it has been restored successfully at least once; an untested backup is a hope, not a plan.

The 3-2-1 Rule

  • 3 copies of data
  • 2 different media types
  • 1 copy offsite
  • and at least one copy offline or append-only, so that a compromised workstation or server cannot reach it

For 1C and Corporate Databases

Bad solution: Backing up the 1C database to files on the same server, or to a network share the workstations can write to

Why it's bad: during an infection, not only local files get encrypted but every network folder the infected account can write to, backups included. Result: the working database and all its backup copies are lost at the same time.

Correct solution: 1C on a remote server in client-server mode

The database and the 1C application server live on a separate machine. Access is closed to everyone except authorised clients, and the accountant connects through a thin client. Even if the local machine is encrypted, the database on the server is intact. The server stays safe only if the accountant's account has no write access to its file system or shares: ransomware runs with that user's rights and reaches whatever they can reach.

Automated Agent-Based Backups

Recommended tools:

  • Restic - simple, reliable, with deduplication
  • Kopia - more advanced, with web interface

For Restic, there's also excellent web interface Backrest that simplifies backup management.

Agent-based approach advantages:

They create incremental backups (only the changes since the last run), and, critically, if the backups go to a separate server that only allows appending, they cannot be overwritten or deleted from the client. Old versions are protected against modification. The most ransomware can do is corrupt the current files and push an encrypted copy as a new snapshot; every earlier snapshot on the remote server remains untouched.

Restic Configuration for 1C:

#!/bin/bash
# backup-1c.sh - automatic 1C backup, run on the client machine
# Uses a credential that can only add snapshots (rest-server in append-only mode)
set -euo pipefail

# Path to the 1C data. For a file-mode base this is the folder with the .1CD file;
# for client-server 1C back up a fresh database dump (pg_dump / SQL backup) instead
# of the live data files, otherwise the snapshot can be inconsistent
SOURCE="/opt/1c/bases/accounting"

# Backup repository (remote rest-server running in append-only mode)
export RESTIC_REPOSITORY="rest:https://backup-server.com:8000/1c"
# Repository password in a root-only file instead of inside the script
export RESTIC_PASSWORD_FILE="/etc/restic/password"

# Create a snapshot (append-only connection: this client can add, not delete)
restic backup "$SOURCE" \
  --tag daily \
  --exclude-file=/etc/restic/excludes.txt

# Quick integrity check of the repository; a failure here must raise an alert
restic check --read-data-subset=5%

Critically important for security: run the Restic REST server (rest-server) with its append-only flag and give each client its own credentials. In this mode the client can create new snapshots and read the repository, but cannot delete or overwrite existing data. The restic forget and prune commands that clean up old snapshots must run only on the backup server itself, from a separate cronjob with full rights. Even if ransomware obtains the Restic credentials on the client machine, it cannot delete or modify existing backups. Two caveats: append-only protects integrity, not confidentiality, so an attacker holding the repository password can still read and exfiltrate everything in it; and a compromised client can still push junk snapshots and fill the disk, which is why snapshot sizes and counts should be monitored on the server.

Add to cron on client machine (backup creation only):

0 2 * * * /opt/scripts/backup-1c.sh >> /var/log/backup-1c.log 2>&1

On the backup server, configure a separate cronjob for cleaning old copies:

#!/bin/bash
# cleanup-old-backups.sh - runs ONLY on the backup server, against the repository on local disk
set -euo pipefail

export RESTIC_REPOSITORY="/backup/repos/1c"
# The server can use its own repository key (added with "restic key add"), so the
# client's password can be rotated without touching this file
export RESTIC_PASSWORD_FILE="/etc/restic/server-password"

# Apply the retention policy, then remove data that no remaining snapshot references
restic forget \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 6 \
  --prune

This gives real protection: even if the client machine is compromised, the backups stay safe. Bear in mind that retention still ages snapshots out: with --keep-daily 7, a week of encrypted junk pushed by a compromised client would displace the last clean daily snapshots, and it is the weekly and monthly keeps that preserve them. Alert on unusually large or small snapshots and on backup runs from unexpected hosts.

Critically Important:

  • Backups must live on a separate server that the workstations and production servers cannot administer
  • Protocol choice depends on your needs: SFTP (simple), S3 (cloud object storage), REST (Restic's own protocol), WebDAV (universal). Only the REST backend in append-only mode, or an object store with versioning and object lock, enforces immutability on the server side; a plain SFTP account that can write can also delete
  • Most important: the backup server grants clients append-only access. A client can add new snapshots but cannot delete or modify existing ones
  • Access to the backup server only via SSH keys or per-client API tokens, never a shared password
  • Commands that delete old backups (restic forget, restic prune) run only on the server itself with full rights, never from client machines

For Regular Files (documents, accounting)

Local solutions:

  • Windows Server Backup (for Windows Server)
  • File History (for Windows 10/11)
  • Time Machine (for macOS)

Cloud solutions:

  • Google Workspace (automatic versioning in Google Drive)
  • Microsoft 365 (OneDrive for Business with versioning)
  • Dropbox Business
  • Any cloud provider with file versioning enabled

Important: make sure file versioning is enabled. If ransomware encrypts files and the sync client uploads them, you need the ability to roll back to previous versions. Check how many versions and how many days your plan keeps, and whether a compromised user account can purge the version history itself.

Backup Server Configuration

For small business (5-20 employees) - VPS solution:

THE.Hosting VPS Ruthenium - Perfect for small business backups

  • CPU: 2 vCore
  • RAM: 4 GB ECC
  • Disk: 60 GB NVMe
  • Network: 10 Gbps
  • Price: €9.77/month
  • OS: Ubuntu Server / Debian

For medium business (20-100 employees) - VPS solution:

THE.Hosting VPS Osmium - Optimal for medium business

  • CPU: 6 vCore
  • RAM: 10 GB ECC
  • Disk: 100 GB NVMe (scalable with additional storage)
  • Network: 10 Gbps
  • Price: €23.77/month
  • OS: Ubuntu Server / Debian

For large business (100+ employees) - Dedicated server:

THE.Hosting Dedicated Black Pearl - Enterprise-level reliability

  • CPU: 2× Intel Xeon E5-2697Av4 (32 cores total)
  • RAM: 128 GB ECC
  • Disk: 2× 960 GB Enterprise SSD (RAID 1)
  • Network: 10 Gbps
  • Price: €250/month
  • Full hardware control, maximum performance

For mission-critical infrastructure:

THE.Hosting Dedicated Hope Diamond - Maximum capacity

  • CPU: 2× Intel Xeon E5-2697Av4 (32 cores total)
  • RAM: 384 GB ECC
  • Disk: 4× 960 GB Enterprise SSD (RAID 10)
  • Network: 10 Gbps
  • Price: €410/month
  • Backup duplication to second server in different datacenter

Note: All THE.Hosting plans available in 50+ countries at same price, only location changes. Dedicated servers available in 7 locations.

Level 2: Antivirus Protection

For business, a corporate endpoint security product with ransomware protection is mandatory. Any commercial Endpoint Security suite (Kaspersky, ESET, Bitdefender and others) will provide the necessary protection. Key features required: behavioural analysis to detect unknown threats, real-time blocking of mass file encryption, and the ability to roll back the changes an attack made. Manage it centrally so that a user cannot switch it off and an alert on one machine is seen by the administrator.

For home use or a very small business, the built-in Microsoft Defender is adequate if its ransomware protection and Controlled Folder Access are enabled in the Windows Security settings.

Level 3: Network-Level Protection

Firewall and Segmentation

Must close from the internet:

  • RDP (port 3389), reachable only through VPN
  • SMB (ports 139, 445)
  • Any administrative ports: SSH (22), WinRM (5985/5986), database ports (1433, 5432, 3306), hypervisor and management consoles

On pfSense/OPNsense inbound traffic on WAN is blocked by default; exposure usually comes from a NAT port-forward someone added for convenience, so audit the NAT rules as well as the filter rules.

Network segmentation:

Network segmentation splits the infrastructure into zones so that an intruder on one machine cannot freely reach the others. Mission-critical servers sit in their own segment, reachable from workstations only on the ports they actually need, so ransomware on one workstation cannot spread to the whole network. The backup server deserves its own segment with no inbound access from workstations at all: only the backup clients' connections to the backup service are allowed.

Firewall Rules (example in pf syntax, which pfSense/OPNsense generate from their GUI rules)

# Interface and subnet macros: replace with your own names and ranges
wan_if = "em0"
vpn_if = "ovpns1"
vpn_net = "10.0.100.0/24"
server_net = "10.0.20.0/24"

# Default deny with logging. pf applies the LAST matching rule, so the
# catch-all goes first and the pass rules below override it
block log all

# Drop RDP and SMB from the internet outright; "quick" stops rule evaluation
block in quick on $wan_if proto { tcp, udp } from any to any port 3389
block in quick on $wan_if proto tcp from any to any port { 139, 445 }

# Allow RDP only from the VPN subnet to the server segment
pass in on $vpn_if proto { tcp, udp } from $vpn_net to $server_net port 3389

Level 4: Security Policies

Password Policy

Minimum requirements:

Length at least 12 characters, with uppercase and lowercase letters, digits and special characters. Password validity 90 days, and the last 12 passwords cannot be reused. Note that current guidance (NIST SP 800-63B) favours long passphrases, screening against known-breached passwords and multi-factor authentication over forced periodic rotation, which pushes people toward predictable variations; if you keep the 90-day rule, make sure it is not the only control.

For administrators:

Minimum 16 characters, two-factor authentication mandatory, privileged access only through secured channels.

CRITICALLY IMPORTANT: never store passwords in notebooks, text files, email, messenger chats (including personal Telegram chats) or phone notes. Use a password manager such as KeePassXC or Bitwarden. With a password manager you remember only one master password; everything else in the database is encrypted with it.

Windows GPO configuration:

Computer Configuration → Policies → Windows Settings → 
Security Settings → Account Policies → Password Policy

User Privilege Restrictions

Principle of least privilege:

Regular users work WITHOUT administrator rights. A separate administrator account is used for software installation, and that account is never used for email or browsing. The PowerShell execution policy should be set to RemoteSigned or Restricted to stop accidental script execution; be aware that it is not a security boundary (powershell.exe -ExecutionPolicy Bypass overrides it), so rely on AppLocker or WDAC, not on the execution policy, to stop a deliberate attacker.

Disable autorun from removable media:

Registry editor:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD: NoDriveTypeAutoRun = 255 (0xFF, disables AutoRun for every drive type)

Or via GPO:

Computer Configuration → Administrative Templates → 
Windows Components → AutoPlay Policies → Turn off AutoPlay

Level 5: Employee Training

Phishing Signs

Train employees to pay attention to:

Sender: Suspicious domains imitating legitimate ones. Free email services (gmail, yahoo) for "official" communications. Small typos in domain names.

Email subject: Urgency ("Your account will be blocked"), fear ("Tax debt"), profit ("You won an iPhone").

Content: Request to follow link and enter credentials. Requirement to open attachment. Grammar errors (not always, but often).

Attachments: Double extension (file.pdf.exe). Password-protected archives. Macro-enabled Office documents (.docm, .xlsm) or documents that ask you to "Enable Content". Shortcuts (.lnk), scripts (.js, .vbs) and disk images (.iso) are also common carriers because Windows opens them with a double-click.
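The attachment and sender checks listed above can be automated at the mail gateway or in a helpdesk tool, so that an obvious case is flagged before a person has to judge it. The script below is an added example, not code from the original article: the extension lists, the free-mail list, the trusted partner domains and the sample names are assumptions to tune for your own environment. It goes slightly beyond the text: besides double extensions it also catches macro-enabled Office formats, archives, the Unicode right-to-left override trick that makes a name like "annex<U+202E>fdp.exe" display as "annexexe.pdf", and sender domains one or two typos away from a trusted partner.

```shell
#!/bin/sh
# triage-attachment.sh - added example: automate the attachment and sender checks.
# Assumed lists; adjust them to your environment. Needs only sh, grep, tr, basename and awk.
set -eu

EXEC_EXT='exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|ps1|msi|lnk|iso|img|vhd'
MACRO_EXT='docm|xlsm|pptm|dotm|xltm'
ARCHIVE_EXT='zip|rar|7z|gz|tgz|cab'
FREEMAIL='gmail\.com|yahoo\.com|outlook\.com|hotmail\.com|mail\.ru'
TRUSTED_DOMAINS='tax-office.example partner-bank.example'   # assumed partner list

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Last extension of a file name, empty if it has none
ext_of() { case "$1" in *.*) printf '%s' "${1##*.}" ;; *) printf '' ;; esac; }

# Space-separated reason codes that make the attachment suspicious; empty when clean
attachment_flags() {
  name=$(lower "$(basename "$1")")
  last=$(ext_of "$name")
  stem="${name%.*}"
  inner=$(ext_of "$stem")
  flags=""
  # "Invoice.pdf.exe": a document-looking extension in front of an executable one
  if [ -n "$inner" ] && printf '%s' "$last" | grep -Eq "^($EXEC_EXT)$"; then
    flags="$flags double-extension"
  elif printf '%s' "$last" | grep -Eq "^($EXEC_EXT)$"; then
    flags="$flags executable"
  fi
  printf '%s' "$last" | grep -Eq "^($MACRO_EXT)$" && flags="$flags macro-enabled"
  printf '%s' "$last" | grep -Eq "^($ARCHIVE_EXT)$" && flags="$flags archive"
  # U+202E (right-to-left override) reverses the visible tail of the name,
  # so "annex<RLO>fdp.exe" is displayed as "annexexe.pdf"
  printf '%s' "$name" | grep -q "$(printf '\342\200\256')" && flags="$flags rtl-override"
  printf '%s\n' "${flags# }"
}

# Exit 0 when an "official" sender writes from a free webmail domain
sender_is_freemail() {
  domain=$(lower "${1##*@}")
  printf '%s' "$domain" | grep -Eq "^($FREEMAIL)$"
}

# Levenshtein distance between two strings, in awk
edit_distance() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = length(a); m = length(b)
    for (i = 0; i <= n; i++) d[i, 0] = i
    for (j = 0; j <= m; j++) d[0, j] = j
    for (i = 1; i <= n; i++)
      for (j = 1; j <= m; j++) {
        cost = (substr(a, i, 1) == substr(b, j, 1)) ? 0 : 1
        best = d[i-1, j] + 1
        if (d[i, j-1] + 1 < best) best = d[i, j-1] + 1
        if (d[i-1, j-1] + cost < best) best = d[i-1, j-1] + cost
        d[i, j] = best
      }
    print d[n, m]
  }'
}

# Prints the trusted domain that the sender's domain imitates (1 or 2 edits away,
# but not identical), or an empty line
lookalike_of() {
  domain=$(lower "${1##*@}")
  for trusted in $TRUSTED_DOMAINS; do
    if [ "$domain" != "$trusted" ] && [ "$(edit_distance "$domain" "$trusted")" -le 2 ]; then
      printf '%s\n' "$trusted"
      return 0
    fi
  done
  printf '\n'
}

# One-line verdict for a message: triage_message <sender> <attachment-name>
triage_message() {
  reasons=$(attachment_flags "$2")
  sender_is_freemail "$1" && reasons="$reasons freemail-sender"
  look=$(lookalike_of "$1")
  [ -n "$look" ] && reasons="$reasons lookalike-of:$look"
  reasons="${reasons# }"
  if [ -n "$reasons" ]; then printf 'SUSPICIOUS %s\n' "$reasons"; else printf 'OK\n'; fi
}
```

Call triage_message with the envelope sender and each attachment name from the gateway hook; a SUSPICIOUS verdict should quarantine the message or at least tag the subject, and the reason codes go into the log line so the helpdesk sees why. The edit-distance check only covers domains you list as trusted, so keep that list to the partners whose invoices you actually pay.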

Security Rules for Employees

Simple rules that work:

Don't open attachments from unknown senders. Don't enable macros in documents received by email. Check links before clicking: hover the mouse and look at the real address. At the slightest doubt, call the sender on a number you already have and verify. Don't install software without IT department approval. Don't enter passwords on sites reached through a link in an email.

Phishing Attack Simulation

Recommended training services: KnowBe4 (paid but very good), GoPhish (free, open source), Cofense PhishMe (paid, enterprise level).

Run tests at least once a quarter. Employees who "fall for it" get additional training, not punishment: the outcome you want is that people report suspicious mail quickly, so track the reporting rate, not just the click rate.

Server Configurations for Different Tasks

File Server (Windows Server)

Small business (5-20 employees):

THE.Hosting VPS Iridium

  • CPU: 4 vCore
  • RAM: 6 GB ECC
  • Disk: 70 GB NVMe (expandable)
  • Network: 10 Gbps
  • Price: €13.77/month
  • OS: Windows Server 2019/2022 Standard

Medium business (20-100 employees):

THE.Hosting VPS Platinum

  • CPU: 10 vCore
  • RAM: 14 GB ECC
  • Disk: 170 GB NVMe (expandable)
  • Network: 10 Gbps
  • Price: €38.77/month
  • OS: Windows Server 2022 Standard
  • Additional: data deduplication, VSS for versioning

Large business (100+ employees):

THE.Hosting Dedicated White Pearl

  • CPU: 2× Intel Xeon E5-2697Av4 (32 cores)
  • RAM: 64 GB ECC
  • Disk: 2× 960 GB Enterprise SSD (RAID 1)
  • Network: 10 Gbps
  • Price: €170/month
  • Hardware RAID with cache, backup power (UPS)
  • OS: Windows Server 2022 Standard/Datacenter

1C Server (client-server architecture)

For databases up to 10 users:

THE.Hosting VPS Palladium

  • CPU: 4 vCore
  • RAM: 8 GB ECC
  • Disk: 90 GB NVMe
  • Network: 10 Gbps
  • Price: €15.77/month
  • OS: Windows Server 2019/2022 or Linux

For databases 10-50 users:

THE.Hosting VPS Rhodium

  • CPU: 16 vCore
  • RAM: 16 GB ECC
  • Disk: 210 GB NVMe
  • Network: 10 Gbps
  • Price: €50/month
  • Recommended: separate disk for temp database and logs
  • OS: Windows Server 2022 or Linux

For databases 50+ users:

THE.Hosting Dedicated Graff Pink

  • CPU: 2× Intel Xeon E5-2697Av4 (32 cores - 1C loves cores)
  • RAM: 256 GB ECC (1C loves memory)
  • Disk: 4× 960 GB Enterprise SSD (RAID 10)
  • Network: 10 Gbps
  • Price: €360/month
  • Separate disk for PostgreSQL/MS SQL database
  • OS: Linux (less overhead, better performance)

Database Server (PostgreSQL / MS SQL)

General principles:

More RAM means better, as databases cache data in memory. Fast disks required (NVMe SSD). Separate disks for data, logs and tempdb. RAID 10 for performance plus reliability.

Configuration for high loads:

THE.Hosting Dedicated Hope Diamond

  • CPU: 2× Intel Xeon E5-2697Av4 (32 cores)
  • RAM: 384 GB ECC
  • Disk: 4× 960 GB Enterprise SSD (RAID 10)
  • Network: 10 Gbps
  • Price: €410/month
  • Setup: separate arrays for data/logs/tempdb
  • Mandatory: BBU (Battery Backup Unit) on RAID controller

Backup Server

See "Backup Server Configuration" section above with THE.Hosting VPS and dedicated server options.

Action Plan During Infection

If infection still happened:

Immediately (first minutes):

Disconnect the infected computer from the network: pull the cable and switch off Wi-Fi. Do not shut it down if you can avoid it, since the contents of RAM (keys, running processes) may help the analysis; if encryption is visibly still running and nobody is available to capture memory, hibernating the machine is the compromise. Notify the IT department or administrator. Disconnect other suspicious machines from the network as well.

Check for Decryptor Availability

Before restoring everything from backups or even thinking about paying ransom, check - maybe free decryptor already exists for your ransomware type.

No More Ransom - international project of law enforcement agencies and cybersecurity companies providing free decryptors: https://www.nomoreransom.org/

Crypto Sheriff - service for identifying ransomware type: https://www.nomoreransom.org/crypto-sheriff.php - upload encrypted file and ransom note, system will identify ransomware type and suggest if decryptor available.

Important: download decryptors ONLY from verified sources like No More Ransom or official antivirus company websites (Kaspersky, Avast, Emsisoft). Never download "decryptors" from suspicious sites - this could be reinfection.

Decryptor availability not guaranteed, but attempt worth it - this can save days of recovery.

Within an hour:

Isolate the infected network segment. Check that the backups are intact and were never reachable from the infected machines. Change all passwords for critical systems, starting with domain administrator and backup-server credentials. Temporarily disable RDP and other remote connections.

Within a day:

Find out how the infection happened. Check all other machines with antivirus. Restore data from backup. Reinstall the OS on the infected machine; don't try to "cure" it. Close the hole through which the infection occurred before reconnecting anything, or you will be hit again through the same door.

DON'T:

  • Pay the ransom: there is no guarantee of decryption
  • Try to remove the malware by hand: this can damage files and destroy the evidence you need
  • Use "decryptors" from suspicious sites
  • Reboot the infected system before analysis

Additional Protection Measures

DNS-Level Blocking

Use DNS resolvers that filter known-malicious domains: Cloudflare for Families (1.1.1.2 blocks malware; 1.1.1.3 also blocks adult content), Quad9 (9.9.9.9), OpenDNS (208.67.222.222). Point your internal DNS server's forwarders at them and block outbound DNS (port 53) and DNS-over-HTTPS to anything else on the firewall; otherwise the malware simply uses its own resolver.

Application Whitelisting

Windows AppLocker - allow only approved application execution:

gpedit.msc → Computer Configuration → Windows Settings → 
Security Settings → Application Control Policies → AppLocker

Create rules allowing execution from the Program Files and Windows directories and blocking execution from temporary folders, AppData and Downloads, where malware usually runs. Two caveats: the Windows directory contains a few user-writable subfolders (for example C:\Windows\Tasks and C:\Windows\Temp), so exclude them from the allow rule, and AppLocker only enforces when the Application Identity service is running and the policy is set to "Enforce rules" rather than "Audit only".

Monitoring and Alerts

SIEM systems for medium and large business:

  • ELK Stack (Elasticsearch + Logstash + Kibana) - free
  • Wazuh - free, good for start
  • Splunk - paid, powerful

What to monitor:

Mass file changes as a sign of encryption (hundreds of renames or writes by one user within minutes). Unusual network activity, including connection attempts to command-and-control servers. Changes to critical system files. Failed login attempts, especially bursts against RDP, VPN and mail. Deletion of shadow copies (vssadmin delete shadows) and of backup jobs, which ransomware does right before it starts encrypting.
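The "mass file changes" signal can be checked with nothing more than coreutils on the file server itself, before a SIEM is in place. The script below is an added example, not code from the original article or from any SIEM product: it counts files renamed to the extensions mentioned at the top of this article, files modified within a time window, and recently modified files whose content is near-random (high Shannon entropy, which is what an encrypted document looks like), and raises an alert when a threshold is crossed. The extension list, the 7.0 bits-per-byte threshold, the window, the limit and the demo share are all assumptions.

```shell
#!/bin/sh
# detect-encryption.sh - added example: spot the signs of an encryption run on a file share.
# Signals checked: known ransomware extensions, a burst of recent modifications, and
# recently modified files that are near-random (high entropy). Needs sh, find, od, awk.
set -eu

SUSPICIOUS_EXT='elpy|djvu|lockbit'   # assumed list; extend with extensions from your own incidents
ENTROPY_THRESHOLD=7.0                 # bits per byte; plain documents sit well below this

# Shannon entropy (bits/byte) of a file, from byte frequencies via od + awk
file_entropy() {
  od -An -v -tu1 "$1" | awk '
    { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
    END {
      if (n == 0) { print "0.00"; exit }
      for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
      printf "%.2f\n", h
    }'
}

# Exit 0 if the file looks encrypted or compressed (entropy at or above the threshold)
is_high_entropy() {
  awk -v h="$(file_entropy "$1")" -v t="$ENTROPY_THRESHOLD" \
    'BEGIN { exit ((h + 0 >= t + 0) ? 0 : 1) }'
}

# Number of files under $1 carrying a known ransomware extension
count_suspicious_ext() {
  find "$1" -type f | grep -Ec "\.($SUSPICIOUS_EXT)$" || true
}

# Number of files under $1 modified in the last $2 minutes
count_recent() {
  find "$1" -type f -mmin "-$2" | wc -l | tr -d ' '
}

# Number of files modified in the last $2 minutes whose content is high-entropy
count_recent_high_entropy() {
  find "$1" -type f -mmin "-$2" | {
    n=0
    while IFS= read -r f; do
      if is_high_entropy "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
  }
}

# Verdict for directory $1 over the last $2 minutes; $3 = how many renamed or
# high-entropy files it takes to raise the alarm
ransomware_verdict() {
  dir="$1"; window="$2"; limit="$3"
  ext=$(count_suspicious_ext "$dir")
  recent=$(count_recent "$dir" "$window")
  hi=$(count_recent_high_entropy "$dir" "$window")
  if [ "$ext" -ge "$limit" ] || [ "$hi" -ge "$limit" ]; then
    echo "ALERT ext=$ext recent=$recent high_entropy=$hi"
  else
    echo "OK ext=$ext recent=$recent high_entropy=$hi"
  fi
}

# Constructed demo data (not a real incident): a share with two normal documents and
# three files just overwritten with random bytes and renamed the way ransomware does
make_demo_share() {
  d="$1"
  mkdir -p "$d/docs"
  printf 'Invoice 2026-01 total 1200.00 EUR payable within 14 days\n' > "$d/docs/invoice.txt"
  printf 'Quarterly report, sales and costs by department\n' > "$d/docs/report.txt"
  for name in contract.docx.lockbit ledger.xlsx.djvu photo.jpg.elpy; do
    head -c 4096 /dev/urandom > "$d/docs/$name"
  done
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_share "$tmp"
  ransomware_verdict "$tmp" 10 3
  rm -rf "$tmp"
fi
```

Run it with --demo to see it fire on the constructed share. In production call ransomware_verdict on the real share from cron, with a window equal to the cron interval and a limit above the number of documents legitimately edited in that interval, and feed the ALERT line into whatever pages the administrator. Backup destinations and archive folders are high-entropy by nature, so exclude them from the scanned path, and remember that a clever attacker can rename nothing and still encrypt, which is why the entropy check matters more than the extension list.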

Email Security Gateway

For incoming email filtering: SpamAssassin + ClamAV (free, for self-configuration), Proofpoint (paid, enterprise), Mimecast (paid, enterprise), Barracuda Email Security Gateway.

Security Checklist

Daily:

  • Backup operation check
  • Antivirus alert monitoring
  • Firewall log check for suspicious activity

Weekly:

  • Windows update check
  • Antivirus database update
  • Test restore from backup (selective)

Monthly:

  • Software update on all machines
  • User access rights audit
  • Employee training (short reminder)
  • Emergency contact list verification

Quarterly:

  • Phishing attack simulation
  • Complete software inventory
  • Network security audit
  • Security policy update

Semi-annually:

  • Penetration testing
  • Complete DR (Disaster Recovery) plan testing
  • All servers and services audit

Conclusion

Ransomware protection is not one solution but a complex of measures. Most important:

  1. Backups, backups, backups - this is your insurance. Without backups you're defenseless.
  2. Antivirus mandatory, preferably corporate with behavioral analysis.
  3. Network segmentation limits infection spread.
  4. Employee training critically important, as 93% of infections start with phishing.
  5. Regular updates necessary, because most attacks use known vulnerabilities.

Real implementation costs for small business (30 employees):

  • Backup server (VPS Osmium): €23.77/month
  • Antivirus: Around $700/year
  • Setup and implementation: $4,500-9,000 one-time
  • Total: around $11,500 at start + $700/year

Compare with potential losses:

  • Work downtime: from $18,000
  • Data recovery: from $9,000
  • Ransom (if you decide to pay): from $5,000
  • Reputation losses: priceless
  • Total risk: from $32,000+ per one incident

Consider this investment in business security, not expense.

Check out THE.Hosting VPS for scalable backup solutions from €9.77/month, or THE.Hosting Dedicated Servers for enterprise-level infrastructure from €170/month.

P.S. Don't wait for the email to hit you. Because it will. Only question is when. Statistics show every third small business faces ransomware within first 5 years of operation.
