
Ransomware Protection for Small Businesses: A Step-by-Step Guide

Ransomware is no longer a threat reserved for large enterprises. Small businesses across Ohio — including those in Greater Cleveland and the surrounding communities — are now primary targets. In 2025, over 88% of all ransomware incidents involved businesses with fewer than 500 employees, and the average recovery cost reached $1.53 million per incident. For many Ohio SMBs, a single attack means permanent closure.

This step-by-step guide was developed by the cybersecurity team at Ashton Solutions, a managed IT and security provider headquartered in Beachwood, Ohio, serving small and mid-sized businesses throughout the Greater Cleveland region. Whether you are building your first security program or hardening an existing one, this guide gives you an actionable framework for ransomware protection.

What Is Ransomware and Why Are Ohio Small Businesses Targeted?

Ransomware is malicious software that encrypts your business data and demands payment — typically in cryptocurrency — in exchange for a decryption key. Modern ransomware operations also practice double extortion: threatening to publicly leak stolen data if the ransom is not paid.

Small businesses are attractive targets for three reasons:

  • Valuable data, limited defenses. SMBs hold customer records, financial data, and intellectual property but typically lack enterprise-grade security teams.
  • Faster payment likelihood. Cybercriminals know that a small business cannot afford 24 days of downtime — the average duration of a ransomware incident.
  • Supply chain access. Attackers compromise small vendors to reach larger corporate clients.

Recent attacks in Akron, Cleveland, and other Ohio municipalities have demonstrated that geography provides no protection. Any connected business is a potential target.

How Does Ransomware Get Into Your Business? Understanding Attack Vectors

Phishing Emails

Phishing accounts for more than 70% of ransomware entry points. Attackers send convincing emails that mimic vendors, banks, or internal colleagues, tricking employees into clicking malicious links or opening weaponized attachments. Business Email Compromise (BEC) — where attackers impersonate executives — is an increasingly common variant targeting Ohio businesses.

Exposed Remote Desktop Protocol (RDP)

RDP ports left open to the internet are a direct invitation for brute-force attacks. Automated scanning tools allow ransomware gangs to find and compromise exposed RDP endpoints within minutes. During the remote-work era, thousands of Ohio businesses inadvertently left RDP exposed — and many have not closed that door.

Unpatched Software Vulnerabilities

Ransomware groups actively exploit known vulnerabilities in operating systems, VPN appliances, and business applications. The window between a vulnerability’s public disclosure and active exploitation has shrunk to less than 15 days in many documented cases. Unpatched systems are low-effort, high-reward targets.

Compromised Third-Party Vendors

Supply chain attacks occur when attackers breach a trusted vendor — an IT provider, software supplier, or payroll processor — and use that access to infiltrate connected client environments. Vetting vendor security practices is now a critical requirement for Ohio SMBs.

Step 1: Implement Email Filtering and Anti-Phishing Controls

Because phishing is the dominant attack vector, email security is your first line of defense. A layered email security stack should include:

  • Advanced spam filtering with sandboxing to detonate suspicious attachments before delivery
  • DMARC, DKIM, and SPF email authentication records to prevent domain spoofing
  • Link rewriting and time-of-click URL analysis to catch malicious links that become active after initial scanning
  • Impersonation protection to flag emails that appear to come from executives or trusted contacts

Ashton Solutions deploys enterprise-class email security for Greater Cleveland businesses, integrating directly with Microsoft 365 environments to provide protection without disrupting workflows.

Step 2: Deploy Endpoint Detection and Response (EDR)

Traditional antivirus software is insufficient against modern ransomware, which uses fileless techniques, living-off-the-land binaries (LOLBins), and polymorphic code to evade signature-based detection. Endpoint Detection and Response (EDR) is the current standard of care.

What Does EDR Do?

EDR solutions continuously monitor endpoint behavior, detect anomalous activity indicative of ransomware (such as mass file encryption events or unauthorized process injection), and can automatically isolate a compromised device to contain the blast radius of an attack.
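
A minimal version of the "mass file encryption" behavioral rule described above, as an added example that is not the detection logic of Sophos or any other EDR product. The event format, process names, 10-second window, and 10-file threshold are all assumptions, and the events are constructed.

```python
import ntpath
from collections import defaultdict, deque

def ext_changed(old, new):
    """True when a rename replaces or appends a file extension."""
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()

def detect_mass_rename(events, window=10, threshold=10):
    """Return {process: alert_time} for every process that changes the
    extension of at least `threshold` distinct files within `window` seconds.
    Each event is a tuple (epoch_seconds, process, old_path, new_path)."""
    recent = defaultdict(deque)   # process -> (time, path) pairs inside the window
    alerts = {}
    for ts, proc, old, new in sorted(events):
        if not ext_changed(old, new):
            continue
        q = recent[proc]
        q.append((ts, old))
        while ts - q[0][0] > window:      # drop events that left the window
            q.popleft()
        if proc not in alerts and len({path for _, path in q}) >= threshold:
            alerts[proc] = ts             # an EDR would isolate the host here
    return alerts

# Constructed events. One ordinary save-and-rename by a word processor:
EVENTS = [(1000, "winword.exe", r"C:\docs\q1.tmp", r"C:\docs\q1.docx")]
# A backup job that renames one finished archive per minute:
EVENTS += [(1000 + 60 * i, "backup.exe", rf"C:\bak\d{i}.part", rf"C:\bak\d{i}.zip")
           for i in range(12)]
# A hypothetical process that appends a new extension to 12 files in 6 seconds:
EVENTS += [(1005 + i // 2, "invoice_viewer.exe", rf"C:\share\file{i}.xlsx",
            rf"C:\share\file{i}.xlsx.locked") for i in range(12)]

if __name__ == "__main__":
    print(detect_mass_rename(EVENTS))
```

The benign processes also change extensions, which is why the rule keys on rate and volume per process rather than on any single rename.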

Ashton Solutions partners with Sophos to deliver EDR with active threat hunting to Ohio businesses. Sophos Intercept X uses deep learning AI to stop ransomware before encryption begins, and the CryptoGuard feature can roll back files that have been ransomed — even if the attack is partially successful.

Step 3: Segment Your Network to Limit Ransomware Spread

Once ransomware gains a foothold, its primary objective is lateral movement — spreading across the network to encrypt as many systems as possible before detection. Network segmentation limits this spread by dividing your network into isolated zones.

How to Segment Your Network

  • Separate guest Wi-Fi from internal business networks
  • Isolate critical systems (servers, point-of-sale, manufacturing controls) into dedicated VLANs
  • Apply firewall rules between segments using a least-privilege model
  • Implement Zero Trust Network Access (ZTNA) principles: verify every user and device before granting access, regardless of location
  • Disable SMBv1 and unnecessary file-sharing protocols that ransomware uses to propagate

Proper segmentation can mean the difference between one infected workstation and a total network compromise. The Ashton Solutions network team designs and manages segmented infrastructure for Ohio businesses of all sizes.

Step 4: Build a Bulletproof Backup and Disaster Recovery Strategy

Your backup and disaster recovery (DR) strategy is your ultimate safety net when ransomware strikes. A well-designed backup architecture means you can restore operations without paying a ransom.

The 3-2-1 Backup Rule

Follow the industry-standard 3-2-1 rule:

  • 3 copies of your data (production + 2 backups)
  • 2 different storage media types (local + cloud, for example)
  • 1 offsite or air-gapped copy that ransomware cannot reach

Critical Backup Requirements for Ransomware Resilience

  • Immutable backups: Storage where data cannot be modified or deleted for a set retention period — even by an administrator with compromised credentials
  • Air-gapped copies: At minimum one backup is disconnected from the network, preventing ransomware from reaching it
  • Frequent backup intervals: Backup frequency should match your Recovery Point Objective (RPO) — how much data you can afford to lose. For most Ohio businesses, this means hourly or continuous data protection
  • Tested restoration: Untested backups are not backups. Quarterly restoration drills validate that your recovery actually works before you need it
  • Defined RTO: Know your Recovery Time Objective — how many hours of downtime your business can tolerate before catastrophic impact
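
The 3-2-1 rule and the requirements above can be checked mechanically against a backup inventory. This is an added example, not part of the original guide or of Ashton Solutions' service; the inventory, the copy names, the one-hour RPO, and the 92-day reading of "quarterly" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                                  # "disk", "cloud-object", "tape", ...
    offsite: bool                               # off-site or air-gapped
    immutable: bool                             # retention lock admins cannot lift
    last_backup: Optional[datetime] = None      # None marks the production copy
    last_restore_test: Optional[datetime] = None

def check_backups(copies, rpo, now, drill_every=timedelta(days=92)):
    """Return findings against the 3-2-1 rule, the RPO and the drill cadence."""
    backups = [c for c in copies if c.last_backup is not None]
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on one media type, need 2")
    if not any(c.offsite for c in backups):
        findings.append("no offsite or air-gapped backup")
    if not any(c.immutable for c in backups):
        findings.append("no immutable backup")
    newest = max((c.last_backup for c in backups), default=None)
    if newest is None or now - newest > rpo:
        findings.append("newest restore point is older than the RPO")
    for c in backups:
        if c.last_restore_test is None or now - c.last_restore_test > drill_every:
            findings.append(f"{c.name}: no restoration drill in the last quarter")
    return findings

# Constructed inventory, evaluated against a fixed clock so results repeat.
NOW = datetime(2025, 6, 1, 12, 0)
PROD = Copy("file-server", "disk", False, False)
NAS = Copy("office-nas", "disk", False, False,
           NOW - timedelta(hours=3), NOW - timedelta(days=200))
VAULT = Copy("cloud-vault", "cloud-object", True, True,
             NOW - timedelta(minutes=40), NOW - timedelta(days=30))

BEFORE = check_backups([PROD, NAS], timedelta(hours=1), NOW)
AFTER = check_backups([PROD, NAS, VAULT], timedelta(hours=1), NOW)

if __name__ == "__main__":
    print("before:", *BEFORE, sep="\n  ")
    print("after:", *AFTER, sep="\n  ")
```

Adding the immutable off-site vault clears five of the six findings; the untested NAS copy is still reported until a restoration drill is run against it.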

Ashton Solutions operates an encrypted, redundant data center serving Greater Cleveland businesses, providing managed backup and disaster recovery with defined RTO/RPO commitments. In a ransomware scenario, this means predictable, fast recovery.

Step 5: Train Your Employees — Your Most Important Security Control

Technology controls alone cannot stop ransomware. According to the Verizon Data Breach Investigations Report, the human element is involved in 74% of all breaches. Security awareness training is not optional — it is a foundational control.

What Effective Security Training Covers

  • Phishing recognition: How to identify suspicious sender addresses, urgency language, mismatched URLs, and unexpected attachments
  • Safe password practices: Use of passphrases, password managers, and never reusing credentials across accounts
  • Multi-factor authentication (MFA): Understanding why MFA is required and how to respond to unexpected MFA push requests (MFA fatigue attacks)
  • Incident reporting: Employees must know exactly who to contact — and how quickly — if they suspect a phishing attempt or have clicked a suspicious link
  • Social engineering awareness: Vishing (phone-based), smishing (SMS-based), and pretexting attacks that bypass technical controls

Ashton Solutions provides compliance and security training programs for Ohio businesses, including simulated phishing campaigns that measure real employee behavior and track improvement over time.

Step 6: Enforce Multi-Factor Authentication Everywhere

Compromised credentials are the key that unlocks ransomware attacks. Multi-factor authentication (MFA) requires a second form of verification — a code, biometric, or hardware token — before granting access. Even if an attacker steals a username and password, MFA blocks unauthorized access.

MFA must be enforced on:

  • Microsoft 365, Google Workspace, and all cloud applications
  • VPN and remote access systems
  • Administrative and privileged accounts (where phishing-resistant MFA such as FIDO2 hardware keys is recommended)
  • Email accounts (the highest-value target for attackers)
  • Backup and recovery management portals

Step 7: Create a Ransomware Incident Response Plan

When ransomware strikes, the first 60 minutes determine whether you experience a contained incident or a catastrophic business disruption. An incident response (IR) plan ensures your team acts decisively rather than reactively.

Your Ransomware Response Playbook

  1. Detect and confirm: Identify the scope of infection. Which systems are affected?
  2. Isolate immediately: Disconnect infected devices from the network — unplug Ethernet cables, disable Wi-Fi. Do not power off machines, because a shutdown erases the system memory that step 4 needs as evidence.
  3. Activate your IR team: Contact your managed IT provider or internal IT security team. Ashton Solutions provides emergency incident response for its Ohio clients with defined response time commitments.
  4. Preserve evidence: Capture system memory, logs, and ransom notes. This data is critical for forensic analysis and law enforcement reporting.
  5. Notify stakeholders: Inform leadership, legal counsel, and your cyber insurance carrier. Many policies require notification within 24-72 hours.
  6. Report to authorities: File a report with the FBI Internet Crime Complaint Center (IC3) at ic3.gov and CISA at cisa.gov. Ohio businesses should also notify the Ohio Attorney General’s Cybercrime Unit.
  7. Assess ransom decision carefully: Do not pay without consulting legal counsel and your IR provider. Payment does not guarantee decryption, may violate OFAC sanctions regulations, and funds criminal organizations.
  8. Restore from clean backups: Use verified, clean backup copies to rebuild affected systems.
  9. Conduct post-incident review: Identify the attack vector, remediate the vulnerability, and update your IR plan.

Step 8: Implement Privileged Access Management and Least Privilege

Ransomware that compromises a standard user account is damaging. Ransomware that compromises a domain administrator account is catastrophic. Privileged Access Management (PAM) and the principle of least privilege limit the damage of any single compromised account.

  • Never use domain administrator accounts for day-to-day tasks
  • Maintain a privileged access workstation (PAW) for administrative tasks
  • Implement just-in-time (JIT) access — grant elevated privileges only when needed, for defined time windows
  • Audit all privileged accounts quarterly and remove unnecessary access
  • Monitor and alert on unusual privileged account activity

How Ashton Solutions Protects Ohio Businesses from Ransomware

Ashton Solutions has protected small and mid-sized businesses across Greater Cleveland and Ohio for years, with a security-first managed IT approach built on the principle that your technology just works — even when threats do not stop.

Our ransomware protection stack for Ohio clients includes:

  • Sophos EDR with AI-powered threat detection and CryptoGuard ransomware rollback
  • Managed email security with advanced filtering, sandboxing, and impersonation protection
  • Network security monitoring with 24/7 threat detection and response
  • Managed backup and disaster recovery from our encrypted, redundant Ohio data center
  • Employee security awareness training and simulated phishing campaigns
  • IT and security audits to identify vulnerabilities before attackers do
  • Incident response support when you need it most

Located at 23625 Commerce Park, Suite 130, Beachwood, Ohio 44122, Ashton Solutions serves businesses throughout the Greater Cleveland metropolitan area and across the United States.

Frequently Asked Questions: Ransomware Protection for Small Businesses

How much does a ransomware attack cost a small business?

Recovering from a ransomware attack costs businesses an average of $1.53 million, excluding the ransom itself. Nearly one in five SMBs that experience an attack file for bankruptcy or permanently close. Average downtime is 24 days.

What are the most common ransomware attack vectors for small businesses?

Phishing emails account for over 70% of ransomware entry points, followed by exposed RDP ports, unpatched software, and compromised third-party vendors. Ohio businesses face an elevated risk from Business Email Compromise (BEC) attacks.

Do small businesses in Ohio need cybersecurity protection?

Absolutely. Ohio is an active target, with confirmed ransomware attacks disrupting businesses and municipalities in Cleveland, Akron, and communities across the state. Only 17% of small businesses have cyber insurance, leaving the majority exposed to catastrophic financial loss.

What backup strategy protects against ransomware?

The 3-2-1 rule: 3 copies of data, on 2 different media, with 1 offsite or air-gapped copy. Immutable backups — which cannot be altered or deleted even with compromised credentials — are essential. Backups must be tested regularly through restoration drills.

What should a small business do immediately after a ransomware attack?

Immediately isolate infected systems from the network, contact your managed IT provider or incident response team, preserve system logs, notify your cyber insurance carrier, and report the incident to the FBI IC3 and CISA. Do not pay the ransom without expert legal and security consultation.

Take Action Before Ransomware Strikes

Ransomware protection is not a one-time project — it is an ongoing program. The good news is that with the right managed security partner, even small businesses in Ohio can achieve enterprise-grade protection at a predictable monthly cost.

Do not wait for an attack to discover your vulnerabilities. Contact Ashton Solutions today for a no-obligation IT and security assessment for your Greater Cleveland business.

Call: 216-397-4080
Email: sales@ashtonsolutions.com
Visit: 23625 Commerce Park, Suite 130, Beachwood, Ohio 44122


Statistics sourced from: Programs.com SMB Ransomware Statistics, Sophos State of Ransomware 2025, Verizon DBIR. Data current as of 2025.
