Ransomware in 2026: How It Actually Gets In, and What Stops It

It usually starts on a Tuesday morning at 4:17am. Someone in accounting walks in at 7am and the printers are spitting out a ransom note. The file shares are gone. The ERP is down. The phones still work because the ransomware crew did not bother with the VoIP, but everything else is encrypted, and there is a Bitcoin address on every screen.

By the time anyone calls me, the attackers have been inside for somewhere between 3 days and 3 months. Encryption is the last act, not the first one. By then it is mostly cleanup.

Here is what 2026 ransomware actually looks like, in the order it actually happens, and the controls that actually stop it. No fearmongering, no "you need our magic AI tool." Just what works, based on the small business networks I have helped clean up and the DoD networks I trained on before that.

How they actually get in

Five vectors account for almost every ransomware case I see in small business right now. None of them are exotic.

1. Stolen email credentials, no MFA

The most common path in 2026 is still the most boring one. An employee's email password ends up in a credential dump because they reused it on some site that got breached. This is why identity controls sit at the center of any small-business security plan. The attacker logs into the email account. There is no multi-factor authentication. They sit in the inbox for a few weeks, learn the business, and pivot from there.

From an inbox an attacker can set up forwarding rules, intercept invoices to redirect wire transfers, harvest more credentials from internal emails, and impersonate the user to ask other employees to open attachments. Plain inbox access is enough to ruin a small business. I have watched it happen.

2. Phishing with a payload (or a fake login page)

Modern phishing is not the Nigerian-prince era anymore. It is a perfect-looking Microsoft 365 login page hosted on a domain that looks like yours, sent from a vendor whose email account got popped last month. The user types their password. Now the attacker has it. If MFA is on, they may try an "MFA fatigue" attack where they hammer the user's phone with prompts at 11pm hoping someone clicks Approve to make it stop.

Some of these emails carry malware. Most do not. The credentials are the prize.

3. Unpatched edge devices

Your firewall, your VPN, your Remote Desktop Gateway, the device that lets your remote workers in. Every one of those has had at least one critical vulnerability published in the last 18 months, and a lot of small businesses have not patched. CISA publishes a list of actively exploited vulnerabilities and the same names show up over and over: Fortinet, SonicWall, Citrix, Ivanti, ConnectWise. If your edge device has not been touched since you bought it, an attacker probably already has a way in. They just have not gotten around to using it yet.

4. Compromised vendors and supply chain

Sometimes the attacker does not get in through your front door. They get in through a vendor you trust. Maybe your IT provider's RMM tool. Maybe your accounting software's auto-updater. Maybe a contractor's laptop that connects to your VPN. The 2024 Kaseya and 2024 ConnectWise incidents made this mainstream. In 2026, the attackers know small businesses do not audit their vendors, so this lane is wide open.

5. Misconfigured cloud, mostly Microsoft 365

A fresh Microsoft 365 tenant out of the box is not secure. Default settings allow legacy authentication protocols that bypass MFA, give every user the ability to install applications that can read mail, leave guest sharing wide open, and skip conditional access entirely. If Microsoft 365 is where your mail and files live, treat it like production infrastructure and manage it through a real cloud services baseline. Most small businesses sign up, get email working, and never touch the security settings. Attackers know this and target the gaps directly.

What happens after they get in

Once an attacker has any foothold, the same playbook plays out. It takes anywhere from 24 hours to several months. They are patient because they have to be: the longer they sit, the more they learn, the bigger the eventual payday.

  • Reconnaissance. They map your network, identify your domain controllers, find your file shares, locate your backup system.
  • Privilege escalation. They find a service account with too many permissions, a help-desk admin with a weak password, or an unpatched server with a known privilege escalation bug. Now they are domain admin.
  • Persistence. They install backdoors. Multiple. So that even if you find one, the others stay. Often they create new admin accounts with names that look legitimate.
  • Data exfiltration. Before encrypting, they steal your data. This is the leverage. Even if you restore from backups, they will threaten to publish your client list, your financials, your employee records. Welcome to "double extortion."
  • Backup destruction. They go after your backups specifically. They delete shadow copies, wipe the backup server, sign into your cloud backup admin panel with stolen creds.
  • Encryption. Last. Always last. By the time the printers are spitting ransom notes, the actual attack happened weeks ago.

What actually stops it

Here is where most cybersecurity vendors lose me: they will sell you 12 tools to stop ransomware and skip the 5 that actually matter. I am going to flip that. Here are the controls that actually move the needle, in the order I would deploy them at a small business.

1. MFA everywhere, with phishing-resistant factors where you can

Number one with a bullet. MFA on email, MFA on VPN, MFA on RDP, MFA on every cloud admin console. Use the Microsoft Authenticator or Google Authenticator app, not SMS. Even better: deploy FIDO2 hardware keys (YubiKey or built-in Windows Hello for Business) for admins and high-risk users. Phishing-resistant MFA cannot be socially engineered. The attacker would need physical access to your security key.

2. Modern EDR with behavioral detection

Not legacy antivirus. EDR (Endpoint Detection and Response) watches for ransomware behavior in real time: rapid file modifications, suspicious encryption, lateral movement attempts, command-and-control traffic. When it sees the pattern, it isolates the device automatically. The attack stops mid-execution. This is the single biggest "you got in but did not get to encrypt" defense.
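The "rapid file modifications" pattern an EDR keys on is simple enough to show in code. The block below is an added example, not code from the original post or from any EDR vendor: it reads constructed file-event telemetry (the timestamp/pid/process/action/path format is invented for illustration) and flags any process that touches many distinct files across several directories inside a short sliding window, which is what a mass-encryption run looks like on disk.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # sliding window per process
MIN_FILES = 20                  # distinct files touched inside the window
MIN_DIRS = 3                    # spread across at least this many directories

def parse_event(line):
    """Constructed format: '<iso timestamp> <pid> <process> <action> <path>'."""
    ts, pid, proc, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path

def detect_bursts(lines, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return {pid: process} for processes whose write/rename rate looks like mass encryption."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) events still inside the window
    flagged = {}
    for line in lines:
        ts, pid, proc, action, path = parse_event(line)
        if action not in ("write", "rename"):
            continue
        events = recent[pid]
        events.append((ts, path))
        while ts - events[0][0] > window:  # drop events that aged out of the window
            events.popleft()
        files = {p for _, p in events}
        dirs = {p.rsplit("\\", 1)[0] for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs:
            flagged[pid] = proc  # a real EDR would isolate the host at this point
    return flagged

def constructed_events():
    """Sample telemetry: two normal Word saves, then a 25-file rename burst across four shares."""
    t0 = datetime(2026, 3, 10, 4, 17, 0)
    lines = [
        f"{t0.isoformat()} 1820 winword.exe write C:\\Users\\amy\\Docs\\q1.docx",
        f"{(t0 + timedelta(seconds=3)).isoformat()} 1820 winword.exe write C:\\Users\\amy\\Docs\\q1.docx",
    ]
    for i in range(25):
        ts = t0 + timedelta(seconds=5, milliseconds=300 * i)
        share = ("Finance", "HR", "Legal", "Sales")[i % 4]
        lines.append(f"{ts.isoformat()} 4412 upd.exe rename C:\\Shares\\{share}\\doc{i}.xlsx.lockd")
    return lines

if __name__ == "__main__":
    for pid, proc in detect_bursts(constructed_events()).items():
        print(f"ALERT pid={pid} process={proc}: burst of file writes/renames")
```

Tune the thresholds against your own baseline; backup agents and indexers also touch many files, so a production rule would whitelist known processes by signed path rather than by name.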

3. Immutable, off-account backups

Backups that the attacker cannot delete or encrypt, even with domain admin credentials. The backup data lives in a separate cloud account or storage that the production network cannot reach. That design is the reason backup and disaster recovery planning belongs in the ransomware conversation, not after it. Daily snapshots, retention you actually control, and tested restores on a schedule. Without immutable backups, paying the ransom is sometimes the only way to recover. With them, you wipe the affected systems and rebuild.

This is where most small businesses get caught flat-footed. They have backups, but they live on the same network, share the same credentials, and get encrypted along with everything else. I covered this in detail in the cybersecurity mistakes post.

4. Patch everything, especially the edge

You do not need to be perfect. You need to not be the slowest gazelle. Patch your firewall, your VPN, your Remote Desktop Gateway within a week of a critical CVE. Patch your servers monthly. Patch your endpoints automatically. The attackers shopping for victims look for low-hanging fruit. Even moderate patch hygiene moves you off that list.

5. Network segmentation

Once they are in, you want to slow them down. Segmented networks mean they cannot just hop from a receptionist's PC to your domain controller in one step. They have to break through additional walls. Each wall buys you time, and time is what your detection tools need to catch them.

6. Email security beyond the default

Inbound filtering, attachment sandboxing, impersonation protection, and DMARC, SPF, and DKIM configured properly. Microsoft 365 Defender or a dedicated email security gateway. The default M365 settings do less than people assume. Enable the protections that are off by default, configure transport rules for your specific risks, and block legacy authentication entirely.

7. Security awareness training (the human layer)

Short, practical, recurring. Simulated phishing campaigns to measure improvement. Not annual compliance theater. The human layer is your largest attack surface; you cannot fix it without training. But trained users plus the technical controls above means an attacker has to beat both layers, and that is how ransomware campaigns die.

What to do this week if none of this is in place

If you read this and realized your business has gaps, here is the order to fix them.

  1. Today: Turn on MFA for every email account. Use the authenticator app, not SMS. Force a password reset on any account without MFA right now.
  2. This week: Audit your edge devices. Make a list. Check the vendor's CVE page. Patch anything critical.
  3. This week: Confirm your backups are real. Try a restore. If you cannot restore, you do not have backups.
  4. This month: Deploy real EDR, not legacy antivirus. Common picks for small business include CrowdStrike, SentinelOne, Microsoft Defender for Business, and Huntress.
  5. This month: Move backups to an immutable, off-account location.
  6. This quarter: Run a written incident response plan exercise with your team. 60 minutes. You will find the gaps fast.

What to do if you actually get hit

If you are reading this with a ransom note on your screen, stop and take a breath.

  • Do not pay yet. Paying does not guarantee recovery. It funds the next attack. It often makes you a target for the same crew six months later.
  • Disconnect, do not power off. Pull network cables. Disable Wi-Fi. But do not power off, because forensic evidence lives in memory and you will lose it.
  • Call your cyber insurance carrier first. They have an incident response panel. Many have specific requirements about what you do and do not do.
  • Then call us, or your IR firm. The faster a real responder is on it, the more options you have.
  • Preserve evidence. Do not start "fixing" things until someone qualified has documented what happened. You will need this for insurance, for legal, and possibly for law enforcement.

The honest truth about small business and ransomware

Most small business ransomware victims I have worked with were not targeted specifically. They were swept up in opportunistic campaigns that found a weak point and walked through it. The attackers do not care about your industry, your size, or whether you have something worth stealing. They care that they got in. That is the whole bar.

The good news: the controls above are not expensive, not exotic, and not rocket science. They require discipline and a partner who actually deploys them properly. Done correctly, you become a hard target, and hard targets get skipped because the attackers have a list of soft ones below you. For many small businesses, the simplest path is folding patching, EDR, backups, and identity checks into managed IT services with accountable monthly reporting.

If you want a second pair of eyes on whether your business is hard or soft, that is what our free cybersecurity assessment is for. 30 minutes, no sales pitch, written punch list of what to fix in priority order. You can read more about our cybersecurity services or just get in touch.

Want a real cybersecurity assessment?

30 minutes, DoD-cleared engineer on the call, written list of what to fix first. No sales script.

Book your free assessment or call (831) 204-0501.