MenHerr Blog

What we learned from 412 ransomware reports

By the MenHerr Research Team · Salinas, California

Between January 2023 and June 2024, our incident response queue logged 412 ransomware-related cases from small businesses across Monterey, San Benito and Santa Cruz counties. We anonymized the data and pulled out the patterns that surprised us most.

Initial access was almost never exotic

72% of cases began with one of three things: a re-used password exposed in a previous breach, a phishing email opened on an unmanaged personal device, or an unpatched remote-desktop service exposed to the public internet. Sophisticated zero-days were a rounding error.

Median dwell time: 11 days

In the median case, the attacker had already been inside the network for a week and a half before encryption began. That window is exactly where good detection earns its keep.

Backups were the single biggest predictor of recovery

Of the businesses with offline, tested backups, 94% recovered without paying a ransom. Of those without, 31% paid — and a quarter of those who paid never received a working decryptor.

What we recommend now

If your business needs help putting any of this in place, our small-business team can walk you through it on the phone — call (831) 869-7424.
