Back to Blog
Threat Intel February 2026 9 min read

Would Your Company Survive a Ransomware Attack?

Ransomware is no longer just a problem for large enterprises. Small and mid-sized businesses now represent the majority of ransomware victims — because attackers know they're more likely to pay, less likely to have backups, and least likely to have a tested incident response plan. How prepared is your company, really?

In 2025, the average ransom payment for small to mid-sized businesses exceeded $800,000. More than 60% of SMBs that experience a significant ransomware attack close within 18 months. These aren't scare statistics — they're the operational reality of what happens when organizations without adequate resilience get hit.

The good news: ransomware survivability isn't about having an unlimited security budget. It's about making the right decisions in a handful of critical areas. Let's run through the honest assessment questions every business should be able to answer.

The 8 Questions That Determine Ransomware Survivability

1. Do you have verified, tested, offline backups?

This is the single most important factor in ransomware recovery. Ransomware operators specifically target and encrypt backup systems before triggering the final payload — because backup destruction is what forces payment. If your backups are network-connected and haven't been tested for restoration, they may not save you.

The 3-2-1 backup rule: 3 copies of data, on 2 different media types, with 1 copy stored offline (air-gapped). The offline copy is what ransomware can't reach.

Critical questions: When did you last successfully restore from backup? How long would full restoration take? Have you tested restoration of your most critical systems specifically?

2. How quickly would you detect an attack in progress?

Modern ransomware operators spend an average of 5–10 days inside a network before deploying the final encryption payload. During that time they're mapping the environment, locating backups, exfiltrating data, and ensuring maximum impact. Organizations with strong detection capabilities catch attackers during this reconnaissance phase — before encryption begins. Organizations without it wake up to a screen full of ransom notes.

Do you have endpoint detection and response (EDR) deployed across all endpoints? Is your log data centralized and monitored? Do you have alerts configured for unusual file encryption activity, mass file modifications, or suspicious lateral movement?

3. Do you have an incident response plan — and have you tested it?

An incident response plan that lives in a PDF on a SharePoint site nobody knows about is not a plan. When ransomware hits, decisions need to be made in minutes and hours: Who is notified? Who has authority to take systems offline? Who contacts law enforcement? Who engages your cyber insurance provider? Who communicates with customers?

Common mistake: Storing your incident response plan only in systems that will be encrypted during an attack. Keep a physical copy and an offline digital copy that key personnel can access even if your entire network is down.

4. Are your privileged accounts properly protected?

Ransomware attacks almost universally involve compromised privileged credentials. Attackers steal or guess a privileged account password and use it to spread laterally and disable defenses before the final payload. The most common initial access vectors are phishing emails, brute-forced RDP access, and stolen credentials from previous breaches.

Key controls: Is MFA enforced on all administrative accounts? Are your administrator accounts different from your day-to-day user accounts? Is RDP (port 3389) exposed to the internet? Have you checked if any of your credentials appear in breach databases?

5. Is your network segmented?

In a flat network — where any device can reach any other device — ransomware can spread from a single compromised endpoint to every system in the organization within minutes. Network segmentation creates barriers that limit the blast radius of a compromise. A ransomware infection on a contractor's laptop shouldn't be able to reach your financial systems or backup infrastructure.

At minimum: separate corporate IT from operational technology (OT) if you have it, segment servers from endpoints, and restrict east-west traffic between network zones.

6. Do you have cyber insurance — and does it actually cover ransomware?

Cyber insurance has become an essential component of ransomware resilience for SMBs — but policies vary enormously. Some policies cover ransom payments, incident response costs, business interruption, and breach notification. Others have exclusions that leave organizations exposed when they need coverage most.

Review your policy specifically for: ransomware coverage limits, exclusions for state-sponsored attacks, whether MFA requirements are listed as conditions for coverage, business interruption coverage and waiting periods, and whether incident response services are included or must be arranged separately.

7. Have you trained employees to recognize phishing?

The majority of ransomware attacks start with a phishing email. Despite years of security awareness training, phishing remains effective — because attackers have gotten much better at it, and AI-generated phishing content has raised the quality bar significantly. Effective training isn't a once-a-year PowerPoint presentation. It's regular simulated phishing exercises with immediate feedback, combined with a culture where employees feel comfortable reporting suspicious emails without fear of reprimand.

8. What is your RTO (Recovery Time Objective)?

Recovery Time Objective is how long it would take to fully restore business operations after a ransomware attack. Most SMBs have never calculated this number. When we ask organizations how long full recovery would take, the honest answer is usually "weeks" — and for some, "we're not sure."

Calculate your RTO for a worst-case scenario: every system encrypted, backups require full restoration, all endpoints need reimaging. Then ask: can your business survive that many weeks of disruption?

If You Were Attacked Tomorrow: The First 24 Hours

Knowing what to do in the first hours of an attack is critical — chaos and panic in the early hours often makes outcomes significantly worse. Your first 24-hour response should include:

  1. Isolate affected systems immediately — disconnect from the network to stop lateral spread
  2. Do not reboot or attempt to decrypt — this can destroy forensic evidence
  3. Activate your incident response plan — notify key stakeholders, engage your IR team
  4. Contact your cyber insurance provider — they typically have 24/7 breach response hotlines
  5. Preserve evidence — take screenshots, document what you see, preserve logs before they're overwritten
  6. Notify law enforcement — FBI IC3, CISA — they have resources to assist and may have decryption keys for known ransomware variants
  7. Do not pay ransom without expert guidance — payment doesn't guarantee data recovery, and in some cases violates OFAC sanctions regulations

Building Ransomware Resilience Without Breaking the Budget

You don't need a million-dollar security stack to be meaningfully more resilient. The highest-ROI investments for SMBs are:

How resilient is your organization today?

Truva Solutions offers ransomware readiness assessments that give you an honest picture of your current resilience, prioritized gaps, and a practical roadmap to close them — without unnecessary complexity or cost.

Request a Ransomware Readiness Assessment
RansomwareIncident ResponseBusiness ResilienceBackupsCyber Insurance