The Day a Small Business Got Ransomware: A Post-Mortem

It Started With a Tuesday Morning Email

Meridian Print Co. had been running for eleven years. Twelve employees, a loyal regional client base, and a server room the size of a large closet — two rack-mounted boxes humming behind a locked door nobody visited unless the internet went down. That Tuesday in March, the office manager arrived at 7:42 AM, poured her coffee, and discovered that every file on the shared drive had been renamed with a .lock3d extension. On the screen: a red-and-black ransom note demanding $18,500 in Bitcoin within 72 hours.

This is the reconstruction of what happened, how the attackers moved, and what Meridian learned — the hard, expensive way — about backup architecture and network segmentation.

The Initial Entry Point: A Forgotten RDP Port

When the incident response consultant pulled the firewall logs, the story became painfully clear. Eight months earlier, an IT freelancer had opened Remote Desktop Protocol (port 3389) on the router to troubleshoot a QuickBooks issue remotely. He fixed the problem, invoiced Meridian, and never closed the port.

For eight months, that open port sat exposed to the internet. Automated scanners — the kind criminal groups run 24 hours a day — found it within days. The logs showed thousands of failed login attempts beginning in October, trickling along at a low rate designed to avoid triggering account lockouts. Then, in early March, the attempts stopped. Not because the attackers gave up. Because they succeeded.

The compromised account belonged to a part-time bookkeeper whose RDP credentials were identical to her email password — a password she'd used since 2019 and that had appeared in a credential dump from a breached coupon website. The attackers likely paid a few dollars for that combo on a dark-web marketplace and tried it. It worked on the first attempt.
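The "low rate designed to avoid triggering account lockouts" pattern above is detectable, but only if failures are counted per source address across all accounts rather than per account in a short window, which is all a lockout policy (Lesson 2's "five failed attempts") ever looks at. The following Python is an added example, not part of the original post or of any Meridian tooling; the log lines are constructed in a simplified form of Windows Event ID 4625/4624 records, and the lockout policy (5 failures in 30 minutes) and detection thresholds (6 failures from one source in 24 hours) are illustrative assumptions.

```python
"""Detect low-and-slow password guessing against RDP that stays below a
per-account lockout threshold. Added example, not from the original post;
the log lines, the 30-minute/5-attempt lockout policy and the detection
thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified form of Windows Event ID 4625/4624
# (failed/successful logon): timestamp, source IP, account, logon type
# (10 = RemoteInteractive, i.e. RDP) and outcome. One external address
# rotates through three accounts roughly every half hour.
SAMPLE_LOG = """\
2023-10-03T01:12:09 src=203.0.113.7 user=bookkeeper type=10 status=failure
2023-10-03T01:41:55 src=203.0.113.7 user=admin type=10 status=failure
2023-10-03T02:10:02 src=203.0.113.7 user=bookkeeper type=10 status=failure
2023-10-03T02:39:47 src=203.0.113.7 user=office type=10 status=failure
2023-10-03T03:08:31 src=203.0.113.7 user=bookkeeper type=10 status=failure
2023-10-03T03:37:58 src=203.0.113.7 user=admin type=10 status=failure
2023-10-03T04:06:20 src=203.0.113.7 user=bookkeeper type=10 status=failure
2023-10-03T04:35:44 src=203.0.113.7 user=office type=10 status=failure
2023-10-03T09:15:00 src=192.168.1.42 user=office type=10 status=failure
2023-10-03T09:15:20 src=192.168.1.42 user=office type=10 status=success
"""


def parse_events(text):
    """Turn the sample lines into dicts with a datetime and parsed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": kv["src"],
            "user": kv["user"],
            "failed": kv.get("status") == "failure",
        })
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def accounts_locked_out(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts that a policy of `threshold` failures in `window` would lock."""
    per_account = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_account[e["user"]].append(e["ts"])
    return {u for u, ts in per_account.items()
            if max_in_window(ts, window) >= threshold}


def flag_slow_guessing(events, min_failures=6, window=timedelta(hours=24)):
    """Sources whose failures, counted across every account they touched,
    reach `min_failures` inside `window`. A per-account lockout never fires
    here because no single account reaches its threshold."""
    per_source = defaultdict(list)
    for e in events:
        if e["failed"]:
            per_source[e["src"]].append(e)
    flagged = {}
    for src, evs in per_source.items():
        count = max_in_window([e["ts"] for e in evs], window)
        if count >= min_failures:
            flagged[src] = {
                "failures": count,
                "accounts": sorted({e["user"] for e in evs}),
                "first": min(e["ts"] for e in evs).isoformat(),
                "last": max(e["ts"] for e in evs).isoformat(),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("locked out by policy:", accounts_locked_out(evs) or "none")
    for src, info in flag_slow_guessing(evs).items():
        print(f"slow guessing from {src}: {info}")
```

On the constructed sample the lockout check returns nothing, while the per-source count flags 203.0.113.7 with eight failures across three accounts in under four hours. The same counting works on a real 4625 export once the field extraction is swapped for the Security log's own layout; the point is the grouping key, not the parser.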

Hours One Through Six: Quiet Reconnaissance

Once inside via RDP, the attacker didn't deploy ransomware immediately. That's the part most people don't realize. Modern ransomware operators are patient. They spent roughly six hours exploring the network:

  • Mapping shared drives and identifying where the most valuable files lived (design assets, client contracts, financial records)
  • Locating the backup software — in this case, a Windows Server Backup job that wrote to an external USB drive plugged directly into the server
  • Checking whether any endpoint detection or antivirus was active (Meridian ran an outdated version of a consumer-grade AV product, last updated four months prior)
  • Enumerating administrator accounts and attempting privilege escalation

The attacker found the domain admin password stored in a plaintext note on the compromised desktop. It had been left there by the same freelancer who'd opened the RDP port — a temporary credential that was supposed to be changed and never was.

With domain admin access, the attacker now owned the network completely.

The Killing Blow: Backup Destruction Before Encryption

This is the detail that cost Meridian the most. Before a single file was encrypted, the attacker deleted the shadow copies using a standard Windows command, then unmounted and wiped the USB backup drive. The cloud backup — a service Meridian had signed up for two years earlier — had silently stopped syncing after a storage quota was hit in November. Nobody had checked. The dashboard showed a red warning badge that had been ignored for four months because it appeared alongside a dozen other notification emails nobody read.

By the time the ransomware binary executed at approximately 3:00 AM — timed to run while nobody was present — there was no recoverable backup of any kind.

Encryption completed in under forty minutes: all mapped network drives, the server shares, and the accounting software database. When the office manager sat down with her coffee, the damage was already complete and seven hours old.

The Recovery: What It Actually Cost

Meridian made the difficult decision not to pay. Their reasoning: no guarantee files would be restored, and payment would expose them to potential OFAC sanctions risk depending on the ransomware group's origin. Instead, they hired an incident response firm.

The final tally looked like this:

  1. Incident response consulting: $9,200 (forensic investigation, containment, clean rebuild)
  2. New hardware: $3,100 (replacement server, properly configured this time)
  3. Downtime losses: Approximately $22,000 over eleven business days of reduced or zero operations
  4. Client remediation: Two clients required rush-printed materials on expedited timelines after delays; Meridian absorbed those costs
  5. Data permanently lost: Eighteen months of archived project files and the last six weeks of accounting records (reconstructed partially from bank statements)

Total damage: somewhere north of $34,000 — nearly double the original ransom demand. And that number doesn't include the intangible cost: one long-term client quietly moved their account to a competitor.

The Lessons: What Actually Needs to Change

Meridian's story isn't unusual. It's almost a template. But the lessons are specific, not generic, and they're worth examining one by one.

Lesson 1: The 3-2-1-1 Backup Rule Is Non-Negotiable

The classic 3-2-1 rule says three copies of data, on two different media types, with one offsite. Meridian violated every clause simultaneously. But there's now a fourth "1" worth adding: one copy that is completely air-gapped or immutable — meaning it cannot be modified or deleted by any process running on your network, not even with admin credentials.

Practically for a small business, this means:

  • A cloud backup service that supports immutable/versioned storage (Backblaze B2 with Object Lock, Wasabi with immutability enabled, or AWS S3 with Object Lock in Compliance mode)
  • Offline rotation of physical drives — USB drives that are disconnected from the server except during the backup window
  • Backup monitoring with alerts sent to a separate email account (not the same inbox as everything else) and reviewed by a named human weekly

A backup that isn't tested and monitored isn't a backup. It's a hope.
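Two of the failures described above, a sync that silently stopped and a target nobody ever restored from, are exactly what a small scripted check catches. The Python below is an added example, not the post's own code or any backup vendor's tool: it records a digest for each file at backup time, then on a schedule checks that the last run is recent and that a randomly chosen file restores to the recorded digest, producing an alert body for a dedicated mailbox. The manifest format, the file contents and the `ALERT_ADDRESS` placeholder are constructed assumptions.

```python
"""Backup freshness and restore check. Added example, not the post's own
code or any vendor's tool; the manifest format, file contents and the
backup-alerts mailbox are constructed placeholders."""
import hashlib
import json
import random
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Where alerts go: a mailbox used for nothing else (placeholder address).
ALERT_ADDRESS = "backup-alerts@example.invalid"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, run_time):
    """Record each backed-up file's digest and when the job last ran."""
    backup_dir = Path(backup_dir)
    manifest = {
        "last_run": run_time.isoformat(),
        "files": {p.name: sha256_file(p)
                  for p in backup_dir.iterdir() if p.name != "manifest.json"},
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def check_backup(backup_dir, now, max_age=timedelta(days=1), sample=1, rng=random):
    """Report whether the last run is recent and whether a random sample of
    files on the target still matches the digest recorded at backup time."""
    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / "manifest.json"
    if not manifest_path.exists():
        return {"ok": False, "problems": ["no manifest: backup job has never completed"]}
    manifest = json.loads(manifest_path.read_text())
    problems = []
    age = now - datetime.fromisoformat(manifest["last_run"])
    if age > max_age:
        problems.append(f"last successful run was {age.days} days ago")
    names = sorted(manifest["files"])
    for name in rng.sample(names, min(sample, len(names))):
        path = backup_dir / name
        if not path.exists():
            problems.append(f"{name}: missing from backup target")
        elif sha256_file(path) != manifest["files"][name]:
            problems.append(f"{name}: restored copy does not match recorded digest")
    return {"ok": not problems, "problems": problems, "age_days": age.days}


def alert_text(report):
    """Body of the message sent to ALERT_ADDRESS when the check fails."""
    if report["ok"]:
        return None
    return "BACKUP CHECK FAILED\n" + "\n".join(f"- {p}" for p in report["problems"])


def demo():
    """Constructed scenario: a healthy backup, then the failure mode from the
    story (job silently stopped months ago, and a copy on the target is bad)."""
    now = datetime(2024, 3, 5, 7, 42, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        (target / "contracts.csv").write_text("client,amount\nacme,1200\n")
        (target / "design.svg").write_text("<svg/>")
        write_manifest(target, now - timedelta(hours=6))
        healthy = check_backup(target, now, sample=2)
        # Simulate a manifest last written four months ago and a corrupt copy.
        write_manifest(target, now - timedelta(days=120))
        (target / "design.svg").write_text("<svg>garbage</svg>")
        broken = check_backup(target, now, sample=2)
    return healthy, broken


if __name__ == "__main__":
    for report in demo():
        print(report, alert_text(report) or "(no alert)", sep="\n")
```

Run it from a scheduled task against the real backup target with `sample=1` and the same check doubles as the monthly "restore a random file" exercise from later in the post; the `age_days` value is what would have turned a quota warning badge into a message someone actually read.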

Lesson 2: RDP Should Never Be Directly Exposed to the Internet

This one is blunt. If you need remote access to Windows machines, put it behind a VPN. Full stop. RDP on an open port is one of the most reliably exploited entry points in small business ransomware attacks — it has been for six consecutive years. A WireGuard or OpenVPN setup takes a few hours to configure and would have stopped this attack entirely at step one.

If a VPN feels too complex, at minimum enable Network Level Authentication, restrict RDP to a specific IP allowlist, and enable account lockout policies after five failed attempts.

Lesson 3: Network Segmentation Limits Blast Radius

In Meridian's environment, once the attacker had domain admin access, they could reach everything. The design workstations, the accounting server, the file server — all on the same flat network with no internal firewall rules separating them.

Segmentation doesn't require enterprise hardware. A small business with a modern router (UniFi, pfSense, even some consumer gear) can create separate VLANs for:

  • General workstations
  • Servers and NAS devices
  • Accounting and financial systems
  • Guest/IoT devices

Had the bookkeeper's workstation been on a segment with no direct access to the server shares — requiring specific authenticated connections — the attacker's lateral movement would have been dramatically constrained. They might have encrypted one machine instead of the entire business.

Lesson 4: Privileged Credentials Deserve Privileged Treatment

A domain admin password in a plaintext sticky note on a desktop is not a fringe mistake. It's common. The solution isn't to shame anyone — it's to build a system where storing credentials that way is unnecessary and awkward.

A password manager (Bitwarden, 1Password, or even KeePass for offline use) with a shared vault for business credentials solves this. Pair it with a policy that temporary admin credentials are rotated immediately after use, and you've closed a massive category of risk.

Where Meridian Stands Now

Eighteen months later, Meridian Print Co. has rebuilt. Their current stack includes a properly configured VPN for all remote access, daily encrypted backups to Backblaze B2 with object lock enabled, weekly offline rotation of a physical drive stored in a fireproof box offsite, and a quarterly review of all open ports and external-facing services.

The office manager now runs a monthly check that involves actually restoring a random file from backup to confirm it works. It takes ten minutes. After everything they went through, she says it's the ten minutes she's most protective of in her entire month.

The attack that cost them over $34,000 and eleven days of operations could have been prevented — or at least dramatically contained — by a VPN setup, an immutable backup target, and a firewall policy that someone checked once a year. None of those things are expensive. None of them are technically complex beyond the reach of a small business with a part-time IT person.

The complexity was always the assumption that it wouldn't happen to them.