I'm Sammy, and I run SammIT out of Arlington — on-site and remote IT work for folks and small businesses across Northern Virginia. I want to talk about ransomware without the scary slideshow. You just need to understand how this actually happens and which handful of things genuinely stop it.
Here's the honest version: ransomware is software that locks up your files and demands payment to unlock them. The criminals running it aren't picking you by name. They run automated tools that knock on millions of doors and walk through whichever ones are unlocked. A dentist's office in Falls Church and a two-person law firm in Vienna are just as "in scope" as a hospital. Small shops get hit a lot precisely because they assume they're too small to bother with — so nobody locked the doors.
How small businesses actually get hit
Almost every case I've cleaned up traces back to one of three doors.
Phishing email. Someone gets a message that looks like a QuickBooks invoice, a UPS delivery notice, or a "your mailbox is full" warning. They click, type their password into a fake login page, or open an attachment that quietly runs. This is the number-one way in, and it works because the fakes have gotten genuinely good — real logos, real-looking sender names, a deadline to rush you.
Exposed Remote Desktop (RDP). This one bites shops that set up remote access years ago and forgot about it. If you can reach your office PC from home over Remote Desktop, so can the rest of the internet — and attackers run round-the-clock bots guessing weak passwords on every open RDP port they can find. When I do find RDP hanging open on a public IP, the password is almost always something like the company name plus a year. That's not bad luck. That's an unlocked front door with a sticky note on it.
Unpatched software. Windows, your VPN box, your accounting server — when a security hole gets announced, criminals start scanning for unpatched machines within days. If you've been clicking "remind me later" on updates for six months, you're running known-broken software anyone with a downloaded script can walk into.
Notice none of these require you to be a high-value target. They just require a gap.
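The password-guessing bots described above leave a trail: every wrong guess against Remote Desktop shows up on the Windows machine as a failed-logon record (Security event 4625, logon type 10). Here is a small Python script, added as an example and not part of the original post, that spots that pattern. The sample records are constructed stand-ins for the 4625 fields (time, target user, source IP, logon type), and the threshold and time window are assumptions to tune for your own office.

```python
"""Spot RDP password guessing in failed-logon records.

Added example, not code from the original post. The input below is a
constructed stand-in for Windows Security event 4625 (failed logon);
the alert threshold and window are assumptions, not Windows settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, target user, source IP, logon type.
# Logon type 10 is RemoteInteractive, i.e. a Remote Desktop logon.
SAMPLE_LOG = """\
2024-03-04T02:14:07 administrator 203.0.113.45 10
2024-03-04T02:14:09 admin 203.0.113.45 10
2024-03-04T02:14:11 reception 203.0.113.45 10
2024-03-04T02:14:13 drsmith 203.0.113.45 10
2024-03-04T02:14:15 office 203.0.113.45 10
2024-03-04T02:14:18 backup 203.0.113.45 10
2024-03-04T09:02:31 drsmith 192.168.1.22 2
2024-03-04T09:03:02 drsmith 192.168.1.22 2
2024-03-04T11:40:50 reception 198.51.100.9 10
"""


def parse_records(text):
    """Turn the whitespace-separated sample lines into typed tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, logon_type = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, int(logon_type)))
    return records


def find_rdp_guessing(records, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"attempts": n, "users": [...]}} for every source
    that produced at least `threshold` failed RDP logons (type 10) inside
    any `window`-long stretch. Many different usernames from one IP in a
    few seconds is the signature of an automated guesser, not a typo."""
    by_ip = defaultdict(list)
    for ts, user, ip, logon_type in records:
        if logon_type == 10:
            by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Slide the window forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["attempts"]):
                users = sorted({u for _, u in attempts[start:end + 1]})
                best = {"attempts": count, "users": users}
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_guessing(parse_records(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} failed RDP logons, users tried: {info['users']}")
```

The local failures from 192.168.1.22 are logon type 2 (someone at the keyboard mistyping) and are ignored; the single remote failure from 198.51.100.9 stays under the threshold. If a script like this ever fires on a machine you own, the fix is the one in the checklist further down: take RDP off the public internet, not a stronger password.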
What it actually costs
The ransom is the smallest part. A small crew might demand a few thousand dollars in cryptocurrency, but the real damage is the days you're shut down — no scheduling, no invoicing, no client files, no point-of-sale. For a small business, a week of downtime can hurt worse than the ransom check.
And paying doesn't reliably fix it. Sometimes the decryption tool they send back is buggy and only restores part of your data. Sometimes they come back for a second payment. Many crews now also steal a copy of your data before they encrypt it, so even a perfect restore doesn't stop them from threatening to leak client records — which matters a lot if you're holding patient info or financial files under any compliance rule.
I'll tell you straight: with clean backups and a little preparation, most ransomware turns from a catastrophe into a bad weekend. That's the whole game.
The prevention checklist that actually works
You don't need an enterprise security budget. You need these few things done properly.
Back up with the 3-2-1 rule. Three copies of your data, on two different types of media, with one copy off-site or offline. The off-site/offline copy is the one that saves you, because ransomware specifically hunts down and encrypts any backup it can reach — including the external drive plugged into the same PC. A backup the malware can touch is not a backup. I walk through the practical version in my guide on backing up your photos and documents, and the same principles scale up to a business.
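A backup you have never checked is a guess, not a backup. The Python script below is an added example (not from the original post or the guide it mentions) that compares every file in a folder against its copy in the backup by SHA-256 hash, lists what is missing or changed, and warns when the "backup" sits on the same disk as the data, which is exactly the copy ransomware can reach. The folder layout and files in `demo()` are constructed so the script runs on its own; point `verify_backup` at your own folders for real use.

```python
"""Check that a backup copy actually matches the source it claims to protect.

Added example, not code from the original post. The sample tree built in
demo() is constructed; verify_backup(source, backup) works on real folders.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large client files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup(source, backup):
    """Compare every file under `source` with its copy under `backup`.

    Returns how many files match, which differ, which are missing from
    the backup, and whether both trees live on the same device. A backup
    on the same disk as the data is one the malware can encrypt too."""
    source, backup = Path(source), Path(backup)
    report = {
        "ok": 0,
        "changed": [],
        "missing": [],
        "same_device": os.stat(source).st_dev == os.stat(backup).st_dev,
    }
    for src_file in source.rglob("*"):
        if not src_file.is_file():
            continue
        rel = src_file.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(str(rel))
        elif sha256_of(src_file) != sha256_of(copy):
            report["changed"].append(str(rel))
        else:
            report["ok"] += 1
    return report


def demo():
    """Build a constructed source folder and a slightly stale copy of it."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "clients", root / "backup"
    src.mkdir()
    (src / "invoices.csv").write_text("acme,1200\n")
    (src / "notes").mkdir()
    (src / "notes" / "smith.txt").write_text("follow up Tuesday\n")
    shutil.copytree(src, bak)                         # the "backup" is taken here
    (src / "new.docx").write_bytes(b"added after the backup ran")
    (src / "invoices.csv").write_text("acme,1500\n")  # edited since the backup
    try:
        return verify_backup(src, bak)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print(f"matching: {result['ok']}, changed: {result['changed']}, missing: {result['missing']}")
    if result["same_device"]:
        print("WARNING: backup is on the same disk as the data; ransomware can reach it")
```

In the demo both folders are deliberately on one disk, so the same-device warning fires; on a real offline drive or a separate NAS it should not. Run a check like this right after each backup and, at least once a quarter, actually restore a file from the off-site copy to prove it works.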
Turn on multi-factor authentication (MFA) everywhere. Email, accounting, remote access, your Microsoft 365 or Google account. MFA means a stolen password alone isn't enough — the attacker also needs the code on your phone. This one step shuts down the majority of phishing break-ins, takes about ten minutes per account, and costs nothing.
Patch on a schedule. Turn on automatic updates for Windows and your browsers, and set a recurring reminder to check the things that don't auto-update — your router, your VPN, your line-of-business software. You don't have to install every patch the second it drops, but "this quarter" beats "never."
Lock down or kill remote access. If you don't need RDP open to the internet, close it. If you do need remote access, put it behind a VPN with MFA — never bare on a public port. This single change eliminates an entire category of attack.
Train your people in five minutes. The whole training is: slow down on anything urgent asking for money, a password, or a click; hover over a link to see where it really goes before you tap it; and when in doubt, call the sender on a number you already have. You don't need a course. You need everyone to pause.
Where I can help
If you'd rather have someone check the doors for you, that's most of what I do. My Home Network Security Checkup is $129 and covers the small-office basics — open ports, weak passwords, backup sanity, MFA gaps. For a business with servers, employees, and real data to protect, my Vulnerability Assessment ($450, $750, or $1,150 depending on scope) finds the specific holes attackers would use and hands you a plain-English fix list. Hands-on cleanup or setup runs $65/hr remote and $95/hr on-site across NoVA.
You don't have to do all of this today. Do the backup and the MFA this week — those two alone move you out of the easy-target pile. If you want a second set of eyes, call or text me at 571-680-5334 and I'll tell you straight whether you're already in good shape or where the real gaps are.
— Sammy