What Is Ransomware? A 7-Layer Defense Against Encrypting Malware

Summary: Ransomware is an organized attack pattern that can start with opening a fake shipping email and lock down an entire SME's files within hours. In this article we cover how ransomware works, the most common infection vectors, what to do in the first 30 minutes of an attack, and a 7-layer defense SMEs can deploy: email security, endpoint protection, 3-2-1 backups, access control, two-factor authentication, patch management, and log monitoring.
A fake shipping email opened by the accounting manager can lead to every company file being encrypted overnight. The team arriving at the office in the morning sees only the ransom note on their screens. This scenario has become a real picture in Turkish SMEs week after week.
In this article we examine what ransomware is, how it spreads, and a 7-layer defense strategy you can apply at SME scale. The audience is IT managers, office leads, and every business owner who does not consider cybersecurity "an enterprise problem."
What Is Ransomware, and How Does It Work?
Ransomware is a type of malware that encrypts files on a computer, server, or network, depriving the user of their data. The attackers typically demand a ransom in cryptocurrency in exchange for the decryption key. New-generation attacks use a double extortion model: data is exfiltrated before encryption, with the added threat "pay or we will leak your customer data."
The Typical Attack Path
- Initial access: Phishing email, exposed RDP, unpatched vulnerability, or weak VPN
- Privilege escalation: Reaching domain accounts, network discovery
- Lateral movement: Spreading to other servers and clients
- Data exfiltration: Copying sensitive files to attacker servers
- Encryption: Locking down all targeted files
- Ransom note: Payment instructions on the screen, countdown timer
Ransomware Infection Vectors
Attackers usually do not bring complex zero-day exploits; they enter through known, easy-to-close open doors.
1. Email — the Most Common Vector
Fake invoices, payment receipts, shipping notifications, and CV-looking attachments. They arrive inside Word, Excel, PDF, or compressed archives (ZIP, RAR). Office macro content and PDFs using HTML smuggling are the most common formats.
2. Weakly Configured Remote Access
Internet-exposed RDP (port 3389), VPNs without two-factor authentication, and remote-support tools are the first targets of automated scanners. Even with a strong password, without MFA you remain weak against brute-force attacks.
3. Unpatched Systems
Old Windows versions, unpatched firewall software, forgotten NAS firmware widen the attack surface. A known vulnerability is typically being actively exploited within 72 hours of public disclosure.
4. Privilege Sprawl
If every employee has full rights on shared folders, ransomware infecting a single computer can encrypt hundreds of users' files. Daily use of domain admin accounts is another frequent mistake.
Why Are the First 30 Minutes of an Attack Critical?
Decisions made in those first 30 minutes determine whether recovery takes hours or days.
Do NOT Do
- Panic-reboot computers: Encryption may speed up; forensic evidence in RAM is wiped
- Immediately reformat: You lose evidence; without knowing which variant infected you, you cannot find the right decryption tool
- Post on social media: The attackers see the brand is panicking and raise the ransom
First Response Steps
- Network isolation (first 5 minutes): Unplug the Ethernet on affected devices, disable Wi-Fi, drop VPN connections
- Protecting backup systems: Disconnect the backup NAS or cloud backup account — the attacker may not have reached your backups yet
- Scope assessment: Which account is affected? Who opened which email? Which servers are encrypted? When was the last clean backup?
- Call professional help: Your incident-response team or MSP should be called immediately
- Communication chain: Management, legal counsel, and the insurance company are informed
The Invisible Risks of Paying the Ransom
Even if you pay, the decryption key may not work, you may get a half-broken tool, and the data-leak threat does not disappear because the data was already exfiltrated. On top of that, paying puts you on the "customer who pays" list for future attacks.
The 7-Layer Defense Against Ransomware
No single measure fully prevents ransomware. Effective defense is layers stacked on top of each other.
1. Email Security
Configure SPF, DKIM, DMARC records correctly for your domain. A corporate mail gateway, or the built-in security features of M365/Workspace, should enable additional scanning, attachment-type restrictions, and suspicious link rewriting. Sandbox-based attachment analysis comes with enterprise licenses.
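The following Python functions are an added example, not code from the article or from Yamanlar Bilişim: they check SPF and DMARC TXT records for the weak settings most often seen on SME domains. The records are constructed sample strings, so nothing is queried from DNS.

```python
"""Offline sanity checks for SPF and DMARC TXT records (constructed sample input)."""
import re

# Constructed records: a weak pair as often found in the wild, and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def check_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record ("" means none is published)."""
    if not record:
        return ["SPF: no record published; any host can send as this domain"]
    findings = []
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        findings.append("SPF: record does not start with v=spf1")
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{all_terms[-1]}' lets any sender pass; use -all or ~all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for one DMARC TXT record ("" means none is published)."""
    if not record:
        return ["DMARC: no record published; SPF/DKIM failures are not enforced"]
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings
```

Run the two checks against the real TXT records of your own domain (for example from `nslookup -type=TXT _dmarc.yourdomain`) and clear every finding before trusting the mail gateway to enforce them.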
2. Endpoint Security
Classic antivirus is signature-based and detects new variants late. EDR (Endpoint Detection & Response) or XDR solutions do behavior analysis: a process encrypting hundreds of files in seconds, deleting shadow copies (VSS), and similar events are blocked in real time. At SME scale, Microsoft Defender for Business, Bitdefender GravityZone, and SentinelOne are reasonable choices.
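To make the behaviour-analysis idea concrete, here is an added toy detector (not the article's own code and not how any named EDR product is implemented) run over constructed endpoint telemetry: it raises an alert when a process deletes shadow copies or recovery settings, and when one process renames a hundred or more files inside a ten-second window. Event fields, thresholds and sample process ids are assumptions for the example.

```python
"""Toy behaviour detector over constructed endpoint telemetry (not a real EDR engine)."""
import re
from collections import defaultdict, deque

# Command lines ransomware commonly runs to destroy recovery points (MITRE ATT&CK T1490).
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(\.exe)?.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)

def detect(events, threshold=100, window=10.0):
    """Return (kind, pid, detail) alerts for recovery tampering and for any process
    renaming >= `threshold` files inside a `window`-second span.  Each event is a dict:
    {"ts": float, "pid": int, "type": "proc" | "rename", "detail": str}."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of that process's recent renames
    flagged = set()               # pids already reported for mass renaming
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc" and RECOVERY_TAMPER.search(ev["detail"]):
            alerts.append(("recovery_tamper", ev["pid"], ev["detail"]))
        elif ev["type"] == "rename":
            q = recent[ev["pid"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop renames outside the window
                q.popleft()
            if len(q) >= threshold and ev["pid"] not in flagged:
                flagged.add(ev["pid"])
                alerts.append(("mass_rename", ev["pid"], f"{len(q)} renames in {window:.0f}s"))
    return alerts

def sample_events():
    """Constructed telemetry: a benign editor saving five files, then one process
    that deletes shadow copies and renames 150 spreadsheets to .locked within 3 s."""
    ev = [{"ts": float(i), "pid": 1001, "type": "rename",
           "detail": f"report{i}.docx -> report{i}.docx"} for i in range(5)]
    ev.append({"ts": 10.0, "pid": 4242, "type": "proc",
               "detail": "vssadmin.exe delete shadows /all /quiet"})
    ev += [{"ts": 11.0 + i * 0.02, "pid": 4242, "type": "rename",
            "detail": f"share\\doc{i}.xlsx -> share\\doc{i}.xlsx.locked"} for i in range(150)]
    return ev
```

A real EDR adds the blocking step (kill the process, isolate the host) that this example only reports; the point is that neither rule needs a signature for the specific variant.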
3. Backup Strategy — The 3-2-1 Rule
- 3 copies of the data (production + 2 backups)
- 2 different media (local NAS + cloud)
- 1 copy offline or immutable — a location ransomware cannot reach
Backups are not backups until they are tested. Run at least one restore drill per month and measure whether RTO and RPO targets are met.
4. Access Control — Least Privilege
Every user should have access only to the folders their job requires. The "Everyone — Full Control" combination on shared folders should be removed. Admin accounts should not be used day to day; a separate admin account should only be used when needed.
5. Two-Factor Authentication (MFA)
MFA should be mandatory on VPN, email, cloud panels, RDP, and remote access accounts. Prefer an authenticator app or a FIDO2 hardware key over SMS. Microsoft's analyses indicate that MFA blocks around 99% of account takeover attacks.
6. Patch Management
Windows, server software, firewall firmware, NAS, accounting, and ERP software should be patched regularly. Emergency patches within 48 hours; routine patches go through a test environment and are rolled out in monthly maintenance windows.
7. Monitoring and Log Management
Firewall logs, failed login attempts, suspicious network traffic, EDR alerts, and domain controller event logs should be reviewed regularly. A SIEM or managed MDR service makes "detect within half an hour" possible at SME scale.
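As an added example of the "failed login attempts" review (not code from the article or from any SIEM product), the Python below runs over constructed Windows logon events and flags a burst of failures from one source, a password spray across many accounts, and the high-value case where the same source then logs in successfully. The line format, the thresholds and the sample addresses are assumptions made for the example.

```python
"""Brute-force and password-spray detection over constructed Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line (not a real export format):
#   <ISO timestamp> <EventID> user=<account> src=<source IP> type=<logon type>
# 4625 = failed logon, 4624 = successful logon, type=10 = RDP (RemoteInteractive).
SAMPLE_LOG = "\n".join(
    [f"2024-05-03T02:00:{i:02d}Z 4625 user=u{i % 12} src=203.0.113.55 type=10" for i in range(40)]
    + ["2024-05-03T02:00:41Z 4624 user=u7 src=203.0.113.55 type=10",
       "2024-05-03T08:15:02Z 4625 user=alice src=10.0.0.21 type=2",
       "2024-05-03T08:15:20Z 4624 user=alice src=10.0.0.21 type=2"]
)

def parse(line):
    """Turn one sample line into a dict with a parsed timestamp and event id."""
    ts, eid, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["eid"] = int(eid)
    return rec

def analyse(log_text, fail_threshold=20, spray_accounts=10, window=timedelta(minutes=5)):
    """Return (kind, src_ip, detail) alerts per source: a burst of failures,
    a spray across many accounts, and a success from that source after the spray."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["eid"] == 4625]
        burst = 0                      # largest number of failures inside one window
        for i, first in enumerate(fails):
            burst = max(burst, sum(1 for f in fails[i:] if f["ts"] - first["ts"] <= window))
        if burst >= fail_threshold:
            alerts.append(("brute_force", src, f"{burst} failures within {window}"))
        users = {f["user"] for f in fails}
        if len(users) >= spray_accounts:
            alerts.append(("password_spray", src, f"{len(users)} distinct accounts"))
            # Highest-fidelity signal: the same source later logs in successfully.
            for r in recs:
                if r["eid"] == 4624 and r["ts"] >= fails[0]["ts"]:
                    alerts.append(("success_after_spray", src, f"user={r['user']} at {r['ts']:%H:%M:%S}"))
                    break
    return alerts
```

A type=10 logon from a public address is itself worth a look, since it means RDP is reachable from the internet, which the article recommends against.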
A Practical Checklist for SMEs
| Area | Action | Frequency |
|---|---|---|
| Inventory | List of all devices (OS, user, software, remote access) | Quarterly |
| Permissions | Review folder permissions, close old accounts | Monthly |
| Backup test | Real restore drill on critical systems | Monthly |
| Training | 10 phishing examples, reporting procedure | Every 6 months |
| Patching | Emergency + routine patch rollout | Monthly |
| MFA audit | Any account without MFA? | Monthly |
| Drills | Scenario-based incident response drill | Twice a year |
When Do You Need Professional Support?
If any of the following applies, professional cybersecurity support is the most cost-effective investment for the business:
- You use a file server, NAS, or enterprise ERP/accounting software
- You have remote staff or multiple locations
- External access is provided via VPN, RDP, or a cloud panel
- You process personal data in scope of KVKK
- IT is handled by a single person in the office (no backup)
Yamanlar Bilişim provides SME-scale security audits, backup planning, firewall configuration, endpoint protection, and post-incident recovery support.
Conclusion
The defense against ransomware lies in a layered architecture set up before the attack. Email hygiene, EDR, tested 3-2-1 backups, strict permission management, MFA, regular patching, and monitoring — when these seven layers stack, the attack's chance of success drops dramatically.
No single measure gives 100% protection; but a correctly built defense turns the worst case from a "catastrophe" into a "controlled incident." Yamanlar Bilişim helps you build these seven layers in practical steps at SME scale.
Frequently Asked Questions
Why Are SMEs So Often Targeted?
Did you know SMEs — not large enterprises — receive the bulk of these attacks? The reason is simple: shared passwords, backups permanently on the network, inadequate security monitoring, and often a lone IT lead working without external support. For the attacker, the equation works out as low effort, reasonable payout.
If I already have antivirus, why do I need EDR?
Antivirus is signature-based — it recognizes new variants late. EDR is behavior-based and stops events such as many file changes in a short period, shadow copy deletion, or a suspicious process launch in real time. EDR also keeps detailed logs for post-incident forensic analysis.
Can I use just cloud backup instead of 3-2-1?
Cloud backup alone is insufficient. If the cloud backup runs over the network, ransomware can reach your cloud account too. The point of 3-2-1 is the part where 1 copy is offline or immutable — a copy the attacker cannot reach under any condition.
Is SMS MFA enough, or should I use an authenticator app?
If possible, use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) or a FIDO2 hardware key. SMS is weak against SIM swap attacks and mobile-network intermediaries. Still, it is many times better than no MFA at all; turn on SMS MFA on every account at the minimum.
I'm an SME with no budget for EDR and SIEM — what do I do?
First, complete the free or near-free steps: MFA on every account, SPF/DKIM/DMARC records, take RDP off the internet (put it behind a VPN), configure Windows Defender, run 3-2-1 backups. These steps cost no money and drop the risk significantly. Plan EDR and managed MDR as the next step.
Does employee training actually work?
Yes — but only when it is continuous, not a one-off. At least twice-yearly training with current phishing examples, real phishing simulations, and a reporting channel (e.g., a "Report suspicious email" button) substantially reduces the attack success rate. An untrained employee is the weakest layer; a trained, alert employee is the strongest defensive layer.
I have been attacked — do I need to report it to law enforcement or another authority?
If personal data is affected under KVKK, notifying the Personal Data Protection Authority within 72 hours is a legal requirement. Reporting to USOM (the National Cyber Incident Response Center) is recommended. Filing a criminal complaint matters both for the legal process and for insurance claims.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.