
Ransomware Protection for BC Small Businesses: 2025 Guide

IP Sahota

Ransomware targets BC small businesses directly. This guide covers how ransomware works, what defences matter most, and what to do if an attack occurs.

Ransomware is a type of malicious software that encrypts files on infected systems, making them inaccessible until a ransom is paid to the attacker. In 2025, it remains one of the most financially damaging cyber threats facing Canadian small and medium businesses.

The Canadian Centre for Cyber Security has published detailed guidance on ransomware for Canadian organizations. BC businesses across manufacturing, professional services, construction, and non-profit sectors have experienced attacks in recent years.

Why Small Businesses Are Targeted

A common misconception is that attackers prefer large enterprise targets. The reality is more nuanced. Large enterprises have dedicated security teams, enterprise-grade detection tools, and legal and PR resources to manage an incident. Small businesses often have none of these.

Attackers operating at scale run automated campaigns that scan for vulnerable systems without regard to business size. A BC manufacturer running an unpatched remote desktop service is as visible to an attacker’s scanning tool as a corporation. What differs significantly is the capability to respond.

Additionally, small businesses are more likely to pay quickly to restore operations. Businesses that cannot operate without their systems, have no tested backup, and face immediate financial consequences from downtime have a higher probability of payment.

How Ransomware Enters Your Environment

Understanding the entry points is necessary for understanding where defences should focus.

Phishing email with malicious attachment or link. The most common initial access method. An employee receives an email that appears legitimate, opens an attachment or clicks a link, and unknowingly executes the malware. Modern phishing emails are convincing. Training alone is not a sufficient defence, but it is a meaningful layer.

Compromised remote desktop protocol (RDP). Many businesses have RDP exposed to the internet to allow remote access. RDP with weak passwords or without multi-factor authentication is a well-documented entry point for ransomware. Attackers scan for exposed RDP services and attempt credential stuffing attacks at scale.

Exploitation of unpatched software vulnerabilities. When a security vulnerability is disclosed in widely used software, attackers develop exploits quickly. Businesses that do not apply patches promptly after vulnerabilities are disclosed provide a window of exposure.

Compromised managed service provider. In some incidents, attackers have gained access to an MSP’s management tools and used that access to deploy ransomware across multiple client environments simultaneously. This is a less common entry point but illustrates why MSP security practices matter.
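
The credential stuffing pattern described under the RDP entry point can be spotted in failed-logon records: one source address failing against many different accounts in a short time. The following is an added example, not part of the original guide; the CSV layout, the thresholds, and the sample records are assumptions constructed for illustration, using Windows Security event ID 4625 (failed logon).

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: logon records exported to CSV (assumed column layout).
# Addresses come from documentation-only ranges.
SAMPLE_LOG = """\
time,event_id,logon_type,source_ip,username
2025-03-04T02:14:05,4625,10,203.0.113.7,administrator
2025-03-04T02:14:09,4625,10,203.0.113.7,admin
2025-03-04T02:14:13,4625,10,203.0.113.7,reception
2025-03-04T02:14:18,4625,10,203.0.113.7,jsmith
2025-03-04T02:14:22,4625,10,203.0.113.7,backup
2025-03-04T08:55:40,4625,10,198.51.100.20,jsmith
2025-03-04T08:55:58,4625,10,198.51.100.20,jsmith
2025-03-04T08:56:30,4624,10,198.51.100.20,jsmith
2025-03-04T09:00:00,4625,3,192.0.2.50,admin
2025-03-04T11:00:00,4625,3,192.0.2.50,reception
2025-03-04T13:00:00,4625,3,192.0.2.50,jsmith
2025-03-04T15:00:00,4625,3,192.0.2.50,backup
"""

# Type 10 is RemoteInteractive (RDP). Type 3 (Network) is included on the
# assumption that hosts use Network Level Authentication.
RDP_LOGON_TYPES = {"3", "10"}

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: usernames} for sources whose failed logons hit at
    least min_users distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] == "4625" and row["logon_type"] in RDP_LOGON_TYPES:
            failures[row["source_ip"]].append(
                (datetime.fromisoformat(row["time"]), row["username"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)  # accounts seen when threshold hit
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

A single user mistyping a password (198.51.100.20) and failures spread over hours (192.0.2.50) stay below the threshold; only the burst across many accounts is flagged.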

The Defences That Matter Most

Ransomware defence is layered. No single control eliminates the risk, but the combination of controls below addresses the major entry points and limits the impact if an attack does succeed.

Multi-factor authentication everywhere. MFA prevents compromised credentials from being sufficient for access. It should be enforced on email, remote access, cloud services, and any system accessible from outside your network. This is one of the highest-impact controls available to small businesses and is deployable without specialized security tools.

Endpoint detection and response (EDR). EDR tools monitor endpoint behaviour in real time and can detect ransomware activity early in the attack chain, before files are fully encrypted. Traditional antivirus software detects known malware by signature. EDR detects behavioural patterns associated with malicious activity, including novel ransomware variants.

Tested, offsite backups. A tested backup that is not connected to your primary network is the most important recovery control. Ransomware specifically targets network-connected backup systems. Backups stored in an isolated cloud location (Azure Blob, for example) and verified by regular restore tests provide a recovery path that ransomware cannot easily reach. The word “tested” matters: an untested backup cannot be relied upon for recovery.

Patch management. Applying operating system and application patches promptly after vulnerabilities are disclosed is table stakes. Known vulnerabilities that have available patches are well-documented entry points. A managed patch program addresses this systematically.

Email security filtering. Filtering that identifies and quarantines phishing email before it reaches user inboxes reduces the volume of malicious content employees encounter. No filter catches everything, but filtering significantly reduces the exposure surface.

Network segmentation. Separating critical systems from general-purpose workstations on distinct network segments limits lateral movement. If an attacker gains access through one workstation, segmentation prevents them from immediately reaching servers containing critical data.

What to Do If Ransomware Strikes

If you discover that systems are encrypted, a few immediate actions reduce further damage.

Disconnect affected systems from the network immediately. Ransomware spreads across connected systems. Physical disconnection or disabling network interfaces stops lateral movement.

Do not pay before exhausting other options. Payment does not guarantee file recovery. Some ransomware variants provide decryption tools that do not work correctly. Payment also signals to attackers that your organization is a viable target for future attacks.

Contact your MSP or incident response provider immediately. They can assess the scope of the infection, determine whether an isolated backup is viable, and guide the recovery process.

Report to the Canadian Centre for Cyber Security and, if personal information is involved, assess whether breach notification obligations apply under PIPEDA or BC PIPA.

Working with a Managed IT Provider

A managed IT provider with security expertise addresses most of the controls above as part of the managed services engagement. Patch management, endpoint protection, backup monitoring, and MFA enforcement are standard deliverables. The value is in consistent implementation and ongoing management, not one-time setup.

SFS Technologies provides cybersecurity and managed IT services to businesses across Metro Vancouver and Surrey. Talk to us about your current security posture.

IP Sahota is a cybersecurity and cloud infrastructure specialist at SFS Technologies, focused on Microsoft Azure, endpoint security, and compliance for BC organisations.
