June 20, 2026
Ransomware stopped being a "big company problem" five years ago. Today, more than 60% of ransomware payouts come from small and mid-sized businesses — partly because the attacks are easier (less mature defenses), partly because the ransoms are still high relative to the SMB's ability to recover without paying.
This is a practical, jargon-free playbook for Louisiana business owners. What to do before you're attacked, and what to do if you are.
Before the attack: the eight controls that actually prevent ransomware
1. MFA on every external-facing system
Email, VPN, remote desktop, line-of-business cloud apps, payroll, accounting. No exceptions. This single control blocks the majority of ransomware delivery vectors because it stops account takeovers.
2. EDR (endpoint detection and response) on every computer
Not consumer antivirus. EDR uses behavioral analysis to catch ransomware in the early stages of execution — before encryption begins — and can automatically isolate the affected machine from the network. The market leaders (SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint, Sophos Intercept X) all have automatic ransomware rollback capabilities now.
3. Patch your VPN and firewall firmware monthly
VPN appliances (Fortinet FortiGate, SonicWall, Cisco) have been the single most common entry point for ransomware attacks against SMBs over the past three years. Critical CVEs land roughly every 60 days. Patch within 72 hours of release.
4. Eliminate exposed RDP
Remote Desktop Protocol exposed directly to the internet is one of the highest-risk configurations possible. Replace with: a VPN tunnel, a remote desktop gateway, or a Zero Trust Network Access (ZTNA) solution. The number of compromises we've seen that traced back to an "I just exposed RDP for one weekend" decision is staggering.
5. Immutable backups with off-site copies
Backups are your insurance policy against ransomware. But modern ransomware groups specifically target backup systems first — they know if they delete the backups, you have to pay. "Immutable" means the backup data physically cannot be modified or deleted, even by an administrator, for a configured retention period. Datto, Veeam with hardened repositories, Microsoft 365 Backup, and AWS S3 Object Lock are common options.
6. Network segmentation
A flat network where every computer can reach every other computer is a ransomware multiplier. Segment guest Wi-Fi, IoT devices, production servers, and finance workstations on separate VLANs. A good managed firewall handles this. Read about our managed firewall services.
7. Security awareness training with phishing simulations
Most ransomware starts with a phishing email. Training your team to recognize them — and simulating real phishing attempts to test their behavior — reduces successful phishing rates by 60–90% within six months. KnowBe4, Hoxhunt, and Microsoft Attack Simulator are common platforms.
8. Documented incident response plan
A simple written plan that says: "if we suspect ransomware, here's who to call, in what order, with what phone numbers." Most businesses we work with don't have this until after an incident.
If it happens: the first 24 hours
Hour 0–1: Contain
- Disconnect the affected machine(s) from the network. Pull the Ethernet cable. Turn off Wi-Fi. Don't power down — forensics evidence lives in RAM.
- Disconnect backups from the network. If your backup target is reachable from the compromised network, isolate it before the attacker can encrypt it too.
- Call your IT provider's emergency line. Or your cyber insurance carrier, if you have one — their incident response panel includes pre-vetted forensics and recovery firms.
- Do not turn on or shut down affected machines until forensics has had a chance to capture state.
Hour 1–6: Assess
- Determine the scope — how many machines, how many users, what data was accessible from each affected account.
- Identify the ransomware variant if possible. Some are decryptable for free (check nomoreransom.org); most are not.
- Determine if the attackers also exfiltrated data — modern "double extortion" ransomware steals data before encrypting, and threatens to publish it if you don't pay.
- Engage your cyber insurance carrier formally. Most policies have notice requirements within 24–72 hours.
Hour 6–24: Decide
- Can you restore from backups? If your backups are intact and the recovery time is acceptable, this is almost always the right path.
- Should you pay? This is genuinely a business decision, made with insurance, legal counsel, and your IT/forensics team. We don't recommend paying as a default — but the decision depends on your specific situation, the data at risk, and the alternative recovery cost.
- Notification obligations. If ePHI, payment card data, or significant personal information was accessed, you may have legal notification obligations to customers, patients, regulators, and law enforcement.
To pay or not to pay
The FBI publicly opposes paying ransoms. In practice, businesses pay when:
- Their backups were also encrypted (most common reason)
- The recovery time without paying is unacceptably long (a hospital, for example, can't be down for 2 weeks)
- The data at stake is irreplaceable (contracts, intellectual property, regulatory records)
- The threat actor's reputation suggests they'll actually decrypt after payment
The arguments against:
- Decryption keys don't always work, and the recovery process is rarely fast even with keys
- Payment marks you as a "payer" and increases the likelihood of being targeted again
- Paying funds the ecosystem and makes everyone less safe long-term
- Some sanctioned threat actors create legal exposure when paid (OFAC violations)
If the question is "would we pay if it came to that?", you can answer it in writing now — documented in your incident response plan with the criteria and decision authority. That makes the actual moment less chaotic.
The recovery week
Even with intact backups, recovering from ransomware typically takes 3–14 days for a small business:
- Day 1–2: containment, forensics, scope assessment
- Day 2–5: rebuilding endpoints from clean images, restoring from backups
- Day 5–7: verifying restored systems are clean, re-deploying users in stages
- Day 7–14: hardening the environment to close the entry point, completing notification obligations, lessons-learned review
Plan for the operational impact, not just the IT impact: payroll, customer communication, vendor obligations, contractual commitments. The IT recovery is often the easier part of getting back to business.
Local context: Louisiana-specific notes
Three things worth knowing if you're in Louisiana:
- Louisiana Database Security Breach Notification Law (La. R.S. 51:3074) requires notification of affected residents and the Louisiana Attorney General within 60 days of discovering certain types of data breaches. This applies whether you pay the ransom or not.
- Cyber insurance availability is tightening. If your business hasn't been through a cyber insurance application recently, prepare for stricter underwriting — insurers now expect MFA, EDR, immutable backups, and documented training as a baseline.
- Hurricane season + ransomware. Threat actors actively target businesses during natural disasters when defenses are stretched. Your DR planning should explicitly account for the case where both happen in the same 30-day period.
Worried about your cybersecurity posture?
We offer a free, no-pitch cybersecurity assessment for Louisiana businesses. We tell you honestly where you stand. You decide what to do next.