How zero trust security architecture arms SMBs against ransomware attacks


May 29, 2026

Tyler York

Senior Web Content Strategist

Here's how most articles start about ransomware: a staggering statistic, a brief definition, a list of target victims, and best practices that assume you have a full security team and unlimited budget.

This isn't that article.

While we do include statistics for context, this article is built around practical tips that work with the team and resources you actually have. If you're running IT for an SMB, you don't need to be scared into action; you already know the threat is real and evolving.

Below are a few quick wins to start on this week, before we dive into the full framework your team can work through over time.

Quick Hits:

5 things you can do this week to meaningfully reduce your ransomware risk:

  • Enable MFA on every account — email, VPN, cloud apps, remote tools
  • Audit admin access and remove what's unnecessary
  • Test whether you can actually restore from your backups (not just that they exist)
  • Patch your top 10 most critical systems
  • Run one phishing simulation with your team

The rest of this article explains the framework behind these actions — and how to build on them over time.

What Is Ransomware?

The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption."

Modern ransomware attacks rarely stop at encryption. Most threat groups now operate under a double extortion model: they first steal your data, then encrypt it — threatening to publish it publicly if you don't pay. This means that even if you have backups, you're still under pressure.

Ransomware-as-a-Service (RaaS) has further fueled the explosion in attacks. Criminal organizations now essentially franchise their tools to affiliates, who split the profits. This lowers the technical barrier to launching attacks and dramatically increases attack volume. In June 2025 alone, the ransomware group Qilin carried out 81 attacks, a 47.3% spike from the previous period.

Attackers actively target smaller businesses precisely because they tend to have fewer security resources, weaker backup strategies, and less incident response capability than large enterprises.

Why SMBs Are in the Crosshairs

"47% of small businesses with under $10 million in revenue were hit by ransomware in the last year."

ConnectWise State of SMB Cybersecurity Report, 2025

The old assumption that attackers only go after big targets is dangerously outdated. SMBs are actively targeted because they tend to have:

  • Smaller IT teams with less capacity to monitor, patch, and respond
  • Remote and hybrid workforces accessing systems from personal devices and home networks
  • Cloud environments that are often misconfigured and under-monitored
  • Less mature incident response — meaning attacks do more damage before they're contained

And the financial stakes have escalated sharply. The average ransom payment jumped 500% to $2 million in 2024. Recovery from a malware attack now costs an average of $2.73 million — and that's before accounting for downtime, lost customers, and reputational damage. (ConnectWise, 2025)

One more factor changing the equation: AI. 83% of SMBs say AI has raised the cybersecurity threat level for their organization. (ConnectWise, 2025) Attackers are using AI to generate hyper-convincing phishing emails, automate credential theft, and adapt malware payloads in real time. The pace of attacks has accelerated faster than most traditional defenses can track.

What is Zero Trust?

Zero trust has become a common, and often loosely used, term in IT. Its core principle is simple: trust no one, always verify. No user, device, or connection is trusted by default, even one that is already inside your network.

This is a fundamental shift from traditional cybersecurity, which created a secure firewall around the network and assumed everything inside was safe. The problem with that model: once an attacker gets through the wall — via a phishing email, a compromised credential, or a vulnerable remote tool — they can move freely. Zero trust removes that free pass.

The framework runs on three principles:

Verify Explicitly – Every access request is authenticated based on who is asking, what device they are on, and where they are located, even when their behavior looks normal. This happens every time, not just once at login.

Use Least Privilege – Every person gets access to exactly what they need to do their job and nothing more. If an account is compromised, the damage is contained to what that account can reach.

Assume Breach – This is the mindset shift that matters most for SMBs. Constantly ask yourself, "What happens if they're already in?" This allows you to design your systems to limit how far they can move and the damage they can do.

The key insight for SMBs: Zero trust isn't a single layer of security. It's a whole infrastructure approach you apply progressively at every layer across your existing environment.

Zero Trust Best Practices for SMBs

Here's what most security articles don't acknowledge: most SMBs can't implement all of this at once. You don't have a large security team, and your budget has competing priorities. Every new tool is something someone has to manage.

That's not an excuse to do nothing. It's a reason to be deliberate and prioritize by impact. The practices below are ordered that way: start at the top and build from there.

1. Enable Multi-Factor Authentication (MFA) Everywhere

This is the single highest-leverage action you can take today.

If a credential gets phished, MFA is what stops an attacker from walking straight in. Enable it on email, VPN, cloud applications, remote desktop tools, and anything that touches sensitive data.

Prioritize app-based authenticators (like Microsoft Authenticator or Google Authenticator) over SMS codes, which can be intercepted. This is a half-day project that can prevent a catastrophic breach.

2. Apply Least Privilege Access

Start with one question: does this person actually need admin rights?

For most SMBs, the honest answer for the majority of accounts is no. Review your admin access list. Remove standing privileges where they aren't needed daily. Use time-limited or just-in-time access for elevated permissions when possible.

This alone dramatically limits what an attacker can do with a compromised account. If they get in as a standard user, they can't install ransomware, modify automations, or move across your network. Containment by design.

3. Segment Your Network

If ransomware gets in, micro-segmentation determines how far it spreads.

Think of your network like a ship with compartments. A breach in one section doesn't have to sink the whole vessel. For SMBs, this doesn't require enterprise-grade complexity — practical starting points include:

  • Separating employee workstations from servers
  • Isolating guest Wi-Fi from internal systems
  • Ensuring your point-of-sale or financial systems can't communicate with HR or operations data

Real-world example: A 35-person manufacturing company experienced a ransomware infection through a contractor's laptop. Because they had segmented their network the year before, the attack was contained to one zone. Recovery took hours. Without segmentation, it would have taken weeks — and likely cost the business far more than the recovery effort.

4. Patch Consistently

Unpatched software is an open door. Attackers know your patch cycle better than you think.

Exploited vulnerabilities are one of the leading causes of ransomware infections — accounting for 32% of incidents in financial services alone. (Sophos, 2025) The challenge for SMBs isn't knowing that patching matters. It's doing it consistently across every OS, application, firmware, and cloud service when you're also handling everything else.

Automate patching wherever your tools allow it. For what can't be automated, set a fixed schedule and stick to it. Tools that give you real-time visibility into which endpoints are out of date turn this from a manual scramble into a managed process.

5. Adopt a "Never Trust, Always Verify" Culture

Technology only goes so far. The human layer matters.

The FBI received 193,407 phishing and spoofing complaints in 2024, resulting in over $70 million in losses. And with AI-generated phishing now making up 82.6% of phishing content, these emails are getting harder to spot even for trained eyes.

Regular, brief security awareness training, even if it's only 15 minutes a quarter, meaningfully reduces the likelihood of a successful phishing attack. Pair it with occasional simulated phishing tests so employees build recognition through practice, not just instruction.

Zero trust as a culture means your team understands why these policies exist, not just that they're required to follow them.

6. Monitor Continuously — Don't Wait for the Ransom Note

Attackers often spend weeks inside a network before triggering ransomware. Monitoring catches them first.

Behavioral analytics tools can flag when an account starts acting unusually — accessing files it never touches, logging in at abnormal hours, attempting lateral movement. That early signal is what separates a contained incident from a full-scale breach.

At minimum, ensure you have logging enabled across your critical systems and that someone is reviewing alerts regularly. If your team doesn't have capacity to monitor around the clock, this is one of the strongest arguments for managed detection and response support.
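As an added example that is not from the original article, here is a small Go detector for two of the signals just listed, logins at abnormal hours and first-time logins to new hosts, run over constructed log lines. The log format ("<RFC3339 time> <user> <host>") and the per-user baseline built from a known-good learning window are assumptions made here, not a description of any particular product.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one login record parsed from a constructed line "<RFC3339 time> <user> <host>".
type Event struct{ At time.Time; User, Host string }

// ParseLog turns log lines into events, silently skipping malformed ones.
func ParseLog(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		if f := strings.Fields(l); len(f) == 3 {
			if at, err := time.Parse(time.RFC3339, f[0]); err == nil {
				out = append(out, Event{at, f[1], f[2]})
			}
		}
	}
	return out
}

// Baseline marks, per user, the hours of day ("user@HH") and hosts ("user->host") seen in a known-good window.
type Baseline map[string]bool

func Learn(evs []Event) Baseline {
	b := Baseline{}
	for _, e := range evs {
		b[fmt.Sprintf("%s@%02d", e.User, e.At.Hour())] = true
		b[e.User+"->"+e.Host] = true
	}
	return b
}

// Flag returns one alert per event outside the baseline: a login at an hour the user never works, or to a host they never used (the lateral-movement signal).
func Flag(b Baseline, evs []Event) []string {
	var alerts []string
	for _, e := range evs {
		ts := e.At.Format(time.RFC3339)
		if !b[fmt.Sprintf("%s@%02d", e.User, e.At.Hour())] {
			alerts = append(alerts, fmt.Sprintf("%s %s: login at unusual hour %02d", ts, e.User, e.At.Hour()))
		}
		if !b[e.User+"->"+e.Host] {
			alerts = append(alerts, fmt.Sprintf("%s %s: first login to %s", ts, e.User, e.Host))
		}
	}
	return alerts
}
```

A user with no learned baseline at all is flagged on every event, which is the right default for an account that has never been seen before.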

Securing Cloud and Remote Access: Where Most Attacks Start

Remote access tools and cloud environments have become the primary entry points for ransomware — and they deserve specific attention in your zero trust strategy.

Remote access is a high-value target precisely because the tools involved have elevated privileges across your endpoints. Attackers exploit poorly secured VPNs, Remote Desktop Protocol (RDP) exposures, and vulnerabilities in IT management software to gain access to multiple systems at once.

Zero trust applied to remote access means:

  • Every remote session requires re-authentication — not just initial login
  • Access is scoped to specific systems, not the entire network
  • Every session is logged and auditable
  • Sensitive automated tasks require a verified signature before execution — so even if an attacker compromises the backend, they can't trigger new automations without the right credentials

Cloud environments carry similar risk. Misconfigurations — open storage buckets, excessive permissions, unused service accounts — are consistently exploited. Apply the same least privilege and verification principles to your cloud resources that you apply to your on-premises environment.

The bottom line on remote tools: The platform you use to manage your endpoints has the keys to your kingdom. Make sure it was built with zero trust principles embedded — not bolted on as an afterthought.

When Prevention Isn't Enough: Building Ransomware Resilience

Even with strong zero trust controls, resilient organizations plan for the possibility that something gets through. Here's the core of a practical resilience strategy for SMBs:

Know Where You're Exposed

Before you can defend against what's coming, you need an honest picture of where you stand today. A vulnerability assessment identifies weaknesses across your systems before attackers find them. A risk assessment maps your most critical assets and helps you prioritize where to invest first. Neither has to be a massive project — many tools provide automated scanning with prioritized findings your team can act on.

Back Up Your Data — And Test the Restore

This sounds basic. It isn't always practiced correctly. Effective backups are:

  • Automated and frequent — not a manual process someone does when they remember
  • Stored in multiple locations, including one offline or air-gapped copy ransomware can't reach
  • Tested regularly — you need to know you can actually restore, not just that the backup exists

Ransomware groups increasingly target backup systems specifically because eliminating recovery options makes payment more likely. Protect your backups with the same rigor as your production systems.

Have a Written Incident Response Plan

When an attack happens, confusion and delay amplify damage. A simple, documented plan — who declares the incident, who isolates affected systems, who contacts law enforcement, who handles communications — can be the difference between a contained incident and a business-ending event. You don't need a 50-page playbook. You need a one-page runbook your team has actually read.

Use DLP to Stop Data Exfiltration

Because modern ransomware steals data before encrypting it, Data Loss Prevention (DLP) tools add an important layer — monitoring how sensitive data moves and blocking unauthorized exfiltration attempts. This is especially important if you handle customer PII, financial records, or healthcare data where a breach carries regulatory consequences.

Building Your Zero Trust Architecture: A Practical Starting Point

Zero trust is not a project with a finish line. It's a direction — and the goal is consistent forward progress, not perfection.

Here's a practical sequence for SMBs building toward zero trust:

  • Step 1 → Inventory your assets, accounts, and access (you can't protect what you can't see)
  • Step 2 → Enable MFA on everything
  • Step 3 → Audit and restrict admin and privileged access
  • Step 4 → Segment your network
  • Step 5 → Establish automated patching and regular vulnerability scanning
  • Step 6 → Set up continuous monitoring and alerting
  • Step 7 → Test your backups and document your incident response plan
  • Step 8 → Train your team — and repeat regularly

The businesses that weather ransomware attacks aren't necessarily the ones with the biggest budgets. They're the ones that made deliberate, consistent choices about layering their defenses — and didn't wait for a breach to take it seriously.

You don't have to do this alone, and you don't have to do it all at once. What matters is that you start — and that the tools you rely on to manage your environment have security built into how they work, not added on top.

How LogMeIn Resolve Supports Your Zero Trust Strategy

LogMeIn Resolve's zero trust security architecture applies a strict "trust no one, verify everyone" approach within software or an IT environment. It goes well beyond traditional cybersecurity, which allows unlimited access within the trust zone; once inside, a malicious actor can wreak havoc.

LogMeIn's approach to security starts from the assumption that there are multiple entry points into a piece of software or an IT infrastructure—not just a traditional user login, but potentially software backdoors, APIs (Application Programming Interfaces) and more. As such, any sensitive action or piece of information should invoke an additional verification point.

The result: each endpoint requires reauthentication before each and every automated task is performed. More specifically, LogMeIn Resolve's security process works as follows:

  • The applet on a remote device accepts commands from authorized agents only.
  • Agents must create and use a unique signature key to reauthenticate sensitive tasks.
  • This key is only known to the agent, not to LogMeIn, and cannot be compromised online.
  • Even if a malicious actor hacks into the backend or phishes login credentials, the attacker cannot change or create new automations for endpoints without the signature key.
  • Endpoints obey only their signed commands.

Think of it as a bank robbery where the thieves get into the vault, only to find hundreds of safe deposit boxes, each with its own key held only by the box's owner.

Discover more about LogMeIn Resolve's approach to zero trust security in our fireside chat with our Chief Information Security Officer, Attila Torok, and VP of Engineering, David Bisztrai, to learn how applying its principles can help defend your organization from ransomware, supply chain attacks, and other vulnerabilities impacting businesses large and small.