The Security Editor


Ransomware, from the perspective of your documents

Most ransomware advice is aimed at enterprise IT. The household and small-business version is shorter — and the most important defenses are not glamorous. A practical guide to how modern ransomware works and the specific steps that protect documents from it.

By Alex Trustwell · 6 min read · intermediate

Ransomware has been the dominant “big” cybersecurity news story for most of the past decade. It has also changed shape over that time in ways that matter to the defenses you should pick. This article describes what modern ransomware actually does to your documents, and gives you the small-operator defense playbook that works.

What ransomware does, in 2026

Ransomware has evolved. The early wave was simple: encrypt files, demand Bitcoin, hope the victim pays. Modern variants run a more elaborate playbook:

  1. Initial access. Often via a phishing email, a compromised password reused on a remote-desktop service, a vulnerable VPN appliance, or an infostealer-for-hire campaign that sold credentials to a ransomware crew.
  2. Reconnaissance. The attacker explores the network, maps shares, identifies backups, profiles privileged accounts.
  3. Credential theft and lateral movement. They escalate privileges, often by harvesting passwords from memory or abusing Active Directory weaknesses.
  4. Data exfiltration. Before encrypting, they copy sensitive data out to their own servers — this is the “double extortion” step. Even if the victim restores from backup, the attacker threatens to publish.
  5. Backup destruction. They delete or encrypt backups they can reach. This is often the most time-consuming part, because it’s where ransomware crews earn their keep.
  6. Encryption. A well-orchestrated encryption job runs fast and hits every connected device at once, often at 2 a.m. local time.
  7. Ransom demand. Usually in cryptocurrency; often accompanied by a leak-site posting the victim’s data as leverage.

For households and small businesses, not all of these steps apply — you typically don’t have Active Directory or privileged account structure — but steps 1, 3, 4, 5, and 6 absolutely do.

The specific threat to documents

From a documents perspective, three things happen in a ransomware incident:

  • Your working files become unreadable. Everything you have on disk, in your sync folder, on connected external drives, and on any writable network shares gets encrypted.
  • A copy of your sensitive documents goes to the attacker. Client files, tax records, medical documents, legal filings.
  • Your cloud sync service faithfully uploads the encrypted versions on top of the clean ones, overwriting version history to whatever extent the provider allows.

That second point is a big deal for a small professional practice. Even if you recover your files from backup, the attacker still has a copy. Extortion doesn’t go away just because you restored.

The defense, in order of leverage

1. Don’t be easy to get into in the first place

Most household and small-business ransomware starts with one of a small set of initial-access methods. Each has a straightforward defense:

  • Phishing for credentials → hardware security keys (WebAuthn) on email, cloud accounts, and remote access tools.
  • Password reuse across services → a password manager with unique passwords everywhere.
  • Exposed remote-desktop services (RDP, TeamViewer, AnyDesk) → don’t expose them to the internet; use a VPN or Zero Trust access tool; disable them if you don’t use them.
  • Unpatched software → auto-update on OS and browser; review installed apps quarterly.

2. Run as a user who can’t easily destroy everything

On Windows and macOS, your day-to-day user account should not be an administrator. Create a standard user account; make your “Administrator” a separate account you only sign into when installing software. A regular desktop user on a standard account is substantially less attractive as a pivot point for ransomware — the attacker needs an elevation step.

3. Assume encryption will happen. Plan for restore

If a ransomware crew is in your environment for long enough to encrypt files, your detection capability is beside the point. What matters is what you can restore from.

The 3-2-1 backup rule is the foundation. The ransomware-specific addition is immutability: at least one backup copy that cannot be modified or deleted for a defined retention period, even by an administrator with valid credentials. On cloud object storage (S3, Backblaze B2, Wasabi), this is Object Lock. On backup software, it’s usually labeled “ransomware protection” or “immutable backup”.

For a small operator, the easiest way to get immutability:

  • Backblaze Computer Backup with default settings provides versioning that is resistant to most ransomware.
  • Arq or Duplicati pointed at an S3 bucket with Object Lock gives you explicit immutability.
  • Cloud object storage is cheap — $5/month for hundreds of GB.
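As an added example (not the article's own or any vendor's code), here are the AWS CLI steps that give a backup bucket the immutability described above, together with the check that proves the lock actually bites. The bucket name, region and 30-day retention are placeholders to adapt; the retention should cover the longest time a compromise could plausibly go unnoticed.

```shell
#!/usr/bin/env sh
# Added example. Bucket name, region and retention are placeholders, not real values.
BUCKET="${BUCKET:-example-immutable-backups}"
REGION="${REGION:-us-east-1}"

# Bucket-level default retention. COMPLIANCE mode means no identity, not even the
# account root, can shorten the retention or delete a locked version early.
# GOVERNANCE mode can be bypassed by anyone holding s3:BypassGovernanceRetention,
# which is exactly the kind of "administrator with valid credentials" to plan for.
# usage: object_lock_config DAYS [MODE]
object_lock_config() {
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","Days":%s}}}' \
    "${2:-COMPLIANCE}" "$1"
}

# Object Lock has to be switched on when the bucket is created; it also forces
# versioning on. Outside us-east-1 add: --create-bucket-configuration LocationConstraint=$REGION
create_locked_bucket() {
  aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
    --object-lock-enabled-for-bucket
  aws s3api put-object-lock-configuration --bucket "$BUCKET" \
    --object-lock-configuration "$(object_lock_config "${1:-30}")"
}

# Upload one file and show the retain-until date the default rule stamped on it.
# usage: put_and_show_retention LOCAL_FILE KEY
put_and_show_retention() {
  aws s3 cp "$1" "s3://$BUCKET/$2"
  aws s3api get-object-retention --bucket "$BUCKET" --key "$2"
}

# The real test. A plain delete only adds a delete marker and "succeeds", so
# target the specific version: with a working lock, AWS refuses to remove it.
# usage: verify_lock KEY
verify_lock() {
  vid=$(aws s3api list-object-versions --bucket "$BUCKET" --prefix "$1" \
          --query 'Versions[0].VersionId' --output text)
  if aws s3api delete-object --bucket "$BUCKET" --key "$1" --version-id "$vid" >/dev/null 2>&1; then
    echo "WARNING: version $vid of $1 was deleted; the lock is NOT effective"
    return 1
  fi
  echo "OK: version $vid of $1 is protected until its retain-until date"
}
```

Run `create_locked_bucket 30`, then `put_and_show_retention ./test.txt test.txt` and `verify_lock test.txt` once, before trusting the bucket with real backups; the same verification is worth repeating after any change to bucket policy or backup software settings.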

4. Treat your cloud sync folder as “in play”

Anything inside your Dropbox / Drive / OneDrive folder is within reach of an attacker who compromises your laptop. Ransomware syncs like any other change.

For the most sensitive documents, keep them in a locked Cryptomator vault or VeraCrypt container that is not mounted when you aren't using it. An encryption payload running against your disk then sees only the vault's encrypted blob, which it can encrypt again: it can corrupt the vault (still bad, but recoverable from backup), but it cannot exfiltrate the plaintext, because while the vault is locked the plaintext is not on disk in readable form.

5. Have a specific “what do I do in the first 30 minutes” plan

If you realize ransomware is running:

  1. Unplug the machine from the network. Disconnect Ethernet; turn off Wi-Fi. This stops further spread to network shares and interrupts any ongoing exfiltration.
  2. Do not turn the machine off if you can avoid it — encryption keys may be in memory, and a shutdown loses them.
  3. Take photos of the ransom note, any file extensions being added, and any files you can see partially encrypted. These may help with later recovery or identification.
  4. From a different device, sign out of every important account and rotate passwords (assume credentials were stolen).
  5. Contact someone who knows what they’re doing. A local incident-response firm, or if the harm is small, someone technical you trust. Do not just “try to clean up”.
  6. Do not pay the ransom without talking to someone first. Some variants have known decryptors available via No More Ransom. Payment does not always result in a working decryptor.
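Step 3 can be done more systematically than with a camera. As an added example (not part of the original article), this read-only shell script lists files changed in the last N minutes, tallies the suffixes they now carry so an unfamiliar one stands out, and uses gzip compressibility as a cheap ciphertext test: plaintext documents shrink a lot, encrypted data barely at all. The sample folder, the invented `.locked` suffix and the 90% threshold are constructed for illustration; it needs `find -mmin` (GNU or BSD find), `gzip` and `awk`.

```shell
#!/usr/bin/env sh
# Added example, read-only: nothing under the inspected folder is written or changed.

# Count recently modified files by final suffix, most common first.
# usage: recent_extension_tally DIR [MINUTES]
recent_extension_tally() {
  find "$1" -type f -mmin "-${2:-30}" 2>/dev/null \
    | awk -F/ '{ n = split($NF, a, "."); e = (n > 1) ? tolower(a[n]) : "(none)"; c[e]++ }
              END { for (e in c) printf "%d %s\n", c[e], e }' \
    | sort -rn
}

# The single most common suffix among recent changes; a suffix you never used
# is the identifier to write down for a later decryptor search.
dominant_recent_extension() {
  recent_extension_tally "$@" | head -n 1 | awk '{ print $2 }'
}

# gzip output as a percentage of the original size. Documents land far below 50;
# ciphertext lands at or above 90. Files under ~1 KB are too small to judge.
compress_percent() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -gt 0 ] || { echo 0; return; }
  comp=$(gzip -c "$1" | wc -c | tr -d ' ')
  echo $(( comp * 100 / size ))
}

# Recent files whose content looks like ciphertext, one path per line.
recent_high_entropy() {
  find "$1" -type f -mmin "-${2:-30}" 2>/dev/null | while IFS= read -r f; do
    if [ "$(compress_percent "$f")" -ge 90 ]; then echo "$f"; fi
  done
}

# Constructed sample: old plaintext documents, one fresh legitimate edit, and
# three freshly rewritten files carrying an invented ".locked" suffix.
build_sample() {
  d=$(mktemp -d)
  for n in invoice notes taxes; do
    yes "Quarterly figures and client notes." | head -n 60 > "$d/$n.txt"
    touch -t 202001010000 "$d/$n.txt"          # mtime far outside the window
  done
  yes "Edited this morning, still plaintext." | head -n 60 > "$d/draft.txt"
  for n in ledger.xlsx contract.docx scan.pdf; do
    head -c 4096 /dev/urandom > "$d/$n.locked"  # stands in for encrypted output
  done
  echo "$d"
}
```

Typical use: `d=$(build_sample); recent_extension_tally "$d"; recent_high_entropy "$d"`, replacing `$d` with the suspect folder (or a mounted copy of it) on a real machine.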

6. Report

  • US: report to the FBI’s Internet Crime Complaint Center (IC3) and to CISA. For small businesses, stopransomware.gov is the portal.
  • UK: report to Action Fraud or, for a business, the National Cyber Security Centre.
  • EU: local national CERTs; Europol’s “No More Ransom” project is a coordinating resource.

Reporting matters even if you can’t recover — your report feeds into threat intelligence that helps protect others, and in some cases recovery tools become available as agencies seize decryption keys.

The small-operator short list

If you are one person or a small shop and this article is the most ransomware content you ever read:

  1. Hardware security key on email and cloud storage.
  2. Unique passwords in a password manager, everywhere.
  3. Standard user account for daily work; admin account separate.
  4. Backblaze (or equivalent) running continuously, with long retention.
  5. Sensitive documents in a Cryptomator vault that you lock when not in use.
  6. OS, browser, router, NAS on auto-update.
  7. An incident-response contact in your phone before you need them.

That list is not glamorous; it also works. The households and small businesses that lose the most in ransomware incidents are almost always the ones that skipped items 4 through 6.

Sources

  1. CISA — Stop Ransomware
  2. NIST IR 8374 — Ransomware Risk Management: A Cybersecurity Framework Profile
  3. FBI — Ransomware Guide
  4. No More Ransom Project