A family-owned distribution company in Elizabethtown discovered something wrong on a Tuesday morning in November. Their accounting software would not open. QuickBooks files were inaccessible. Invoices, payroll records, accounts receivable data spanning eight years---all of it locked behind encryption they did not authorize.
A text file on the desktop explained the situation in plain English: pay 2.4 Bitcoin within 72 hours, or the decryption key would be destroyed.
At that moment's exchange rate, the ransom was approximately $97,000.
The business owner called us that afternoon. By then, the attackers had been inside their network for nearly three weeks.
How the Attack Started
The breach began with an email. An accounts payable clerk received what appeared to be an invoice from a vendor they regularly worked with. The PDF attachment looked legitimate. The sender address was close enough to the real vendor's domain that no one noticed the difference.
The attachment contained a malicious macro. When opened, it downloaded a remote access trojan that gave the attackers persistent access to the clerk's workstation.
From there, the attackers moved slowly. They spent days mapping the network. They identified the file server where financial data was stored. They located the backup drive connected to the owner's computer. They found credentials stored in browser password managers.
By the time they deployed the ransomware, they had already:
- Disabled the local backup software
- Deleted cloud backup snapshots older than 24 hours
- Extracted a copy of the financial database
- Identified the most critical files to encrypt
The attack was not random. It was methodical.
The Real Cost of the Attack
The ransom demand was $97,000. The actual cost was much higher.
Direct costs:
- Incident response consulting: $18,500
- Forensic investigation: $12,000
- System rebuilding and hardening: $24,000
- Data recovery attempts: $8,500
- Legal consultation: $6,500
- Total direct costs: approximately $69,500
Indirect costs:
- Business interruption: 11 days of reduced operations
- Lost revenue during downtime: estimated $45,000
- Staff overtime for manual processes: $12,000
- Customer notification and relationship repair: ongoing
- Increased insurance premiums: $4,200 annually
What they did not pay: The ransom itself.
The business owner decided against paying. This was the right decision for multiple reasons, but it came with consequences. Without the decryption key, three years of accounts receivable aging reports and customer payment histories were permanently lost. The data had to be reconstructed from bank statements, partial paper records, and customer communications.
Total estimated impact: over $130,000, not counting the owner's time or the stress on employees.
Why Small Businesses Are Targets
A common misconception is that ransomware operators only target large enterprises with deep pockets. The data tells a different story.
Small and medium businesses account for over 60% of ransomware victims. The reasons are straightforward:
Limited security resources. Most small businesses do not have dedicated IT security staff. They rely on part-time IT support, a tech-savvy employee, or managed service providers with varying levels of security expertise.
Valuable data. Small businesses hold the same types of sensitive data as large ones: financial records, customer information, employee data, business contracts. This data has value to attackers, either for extortion or resale.
Higher likelihood of payment. Small businesses often lack robust backup systems. When critical data is encrypted, paying the ransom may seem like the only option to resume operations.
Less scrutiny. Attacking a hospital or pipeline company attracts federal attention. Attacking a distribution company in Elizabethtown does not make national news.
The Elizabethtown business fit this profile precisely. Eight employees, $2.3 million in annual revenue, one part-time IT contractor who visited once a month. They were not careless. They simply had the same blind spots that most small businesses have.
The Attack Chain: Step by Step
Understanding how ransomware attacks unfold helps explain why traditional security measures often fail.
Phase 1: Initial Access (Day 0)
The phishing email that started the attack was carefully crafted. The attackers had researched the company's vendors and mimicked a legitimate invoice email. The malicious attachment exploited a known vulnerability in the document reader software.
What could have helped: Email filtering that blocks macro-enabled documents from external senders. Security awareness training that teaches staff to verify unexpected attachments through a separate communication channel.

Phase 2: Persistence and Discovery (Days 1-14)
Once inside, the attackers established multiple ways to maintain access. They created a hidden administrator account. They installed a legitimate remote desktop tool that would not trigger antivirus alerts. They set up scheduled tasks to reestablish access if their primary method was disrupted.
During this period, they mapped the network, identified valuable targets, and harvested credentials.
What could have helped: Endpoint detection and response (EDR) software that monitors for suspicious behavior, not just known malware signatures. Network segmentation that limits lateral movement. Regular review of administrator accounts and installed software.
Phase 3: Backup Destruction (Days 15-18)
Before encrypting files, the attackers systematically disabled backup systems. The local backup drive was formatted. Cloud backup retention policies were changed to delete older snapshots. Shadow copies on the file server were purged.
This is standard practice for ransomware operators. Backups are the primary defense against ransomware. Attackers know this and target backup systems first.
What could have helped: Offline or air-gapped backups that cannot be accessed from the production network. Immutable cloud backups that cannot be deleted without additional authentication. Backup monitoring that alerts when backup jobs fail or retention policies change.

Phase 4: Data Exfiltration (Days 18-20)
Modern ransomware attacks do not just encrypt data. They steal it first. This enables double extortion: pay the ransom, or we will publish your sensitive data.
The attackers copied the company's financial database, customer lists, and several years of tax documents to an external server.
What could have helped: Data loss prevention (DLP) tools that detect large outbound data transfers. Network monitoring that identifies unusual traffic patterns. Encryption of sensitive data at rest, limiting what attackers can use even if exfiltrated.
Phase 5: Encryption and Ransom Demand (Day 21)
The ransomware was deployed on a Tuesday morning, timed to maximize disruption at the start of the business week. Within minutes, financial files, accounting software databases, and critical documents were encrypted with strong cryptography.
The ransom note appeared on every affected system.
What could have helped: By this point, most preventive measures have already failed. The only remaining options are recovery from backups (which had been destroyed) or paying the ransom (which does not guarantee recovery and funds criminal operations).
What the Business Did Right
Despite the significant impact, the Elizabethtown business made several good decisions during and after the incident.
They did not panic-pay. The 72-hour deadline in ransom notes is designed to create urgency and prevent rational decision-making. The business owner took time to assess the situation, consult with experts, and make an informed decision.
They engaged professional help immediately. Ransomware incidents are not DIY projects. The business contacted incident response professionals who could properly assess the situation, preserve evidence, and guide recovery.
They reported the incident. The attack was reported to the FBI's Internet Crime Complaint Center (IC3) and local law enforcement. While this rarely leads to immediate recovery, it contributes to the broader effort to track and disrupt ransomware operations.
They learned from the incident. After recovery, the business invested in proper security controls. They implemented offline backups, deployed endpoint protection, and established a relationship with a managed security provider.
Preventing Ransomware: What Actually Works

Security vendors sell dozens of products that claim to prevent ransomware. Many are useful. None are sufficient alone. Effective ransomware prevention requires multiple layers working together.
Backup Strategy That Survives Attacks
Your backup strategy must assume attackers have full access to your network.
Requirements:
- At least one backup copy offline or air-gapped (physically disconnected from the network)
- Immutable backups that cannot be deleted or modified, even by administrators
- Regular backup testing to verify data can actually be restored
- Backup monitoring with alerts for failures or configuration changes
The 3-2-1 rule remains valid: three copies of data, on two different media types, with one copy offsite. Add immutability to this formula for ransomware resilience.
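To make the 3-2-1-plus-immutability requirement checkable rather than a slogan, here is an added example (not code from the original post) that scores a backup inventory against each requirement above. The inventory format, field names, thresholds and the two sample inventories are assumptions constructed for illustration; the "before" inventory mirrors the setup described in the case: a USB drive attached to the owner's PC and a cloud copy whose retention was cut to 24 hours.

```python
from dataclasses import dataclass

@dataclass
class DataCopy:
    name: str
    medium: str                   # "server-disk", "usb-disk", "cloud-object", "tape", ...
    offsite: bool
    offline: bool                 # air-gapped: unreachable from the production network
    immutable: bool               # cannot be deleted/altered even with admin credentials
    retention_days: int           # 0 marks the live production copy
    days_since_restore_test: int  # -1 if a restore has never been verified

def assess_backups(copies, min_retention_days=30, max_test_age_days=90):
    """Return a list of findings; an empty list means 3-2-1 + immutability holds."""
    findings = []
    backups = [c for c in copies if c.retention_days > 0]
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data; 3-2-1 needs three")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies share one medium type; 3-2-1 needs two")
    if not any(c.offsite for c in backups):
        findings.append("no offsite copy")
    if not any(c.offline for c in backups):
        findings.append("no offline/air-gapped copy: every backup is reachable from the network")
    if not any(c.immutable for c in backups):
        findings.append("no immutable copy: retention can be shortened and snapshots purged")
    for c in backups:
        if c.retention_days < min_retention_days:
            findings.append(f"{c.name}: retention {c.retention_days}d is below "
                            f"{min_retention_days}d (check for tampering)")
        if not 0 <= c.days_since_restore_test <= max_test_age_days:
            findings.append(f"{c.name}: restore not verified within {max_test_age_days} days")
    return findings

# Constructed inventories approximating the posture before and after the incident.
BEFORE = [
    DataCopy("file-server", "server-disk", False, False, False, 0, -1),
    DataCopy("owner-usb-drive", "usb-disk", False, False, False, 14, -1),
    DataCopy("cloud-sync", "cloud-object", True, False, False, 1, -1),  # retention cut to 24h
]
AFTER = [
    DataCopy("file-server", "server-disk", False, False, False, 0, -1),
    DataCopy("rotated-usb-set", "usb-disk", False, True, False, 30, 20),
    DataCopy("cloud-immutable", "cloud-object", True, False, True, 90, 45),
]

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_backups(inventory) or ["OK"])
```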
Email Security Beyond Spam Filtering
Most ransomware attacks start with email. Basic spam filtering is not enough.
Effective controls:
- Block macro-enabled documents from external senders
- Sandboxing that detonates suspicious attachments before delivery
- URL rewriting and click-time analysis for links
- Impersonation protection that detects spoofed sender addresses
Microsoft 365 Defender, Proofpoint, and Mimecast all offer these capabilities. If you use Microsoft 365, ensure Safe Links and Safe Attachments are enabled and properly configured.
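Two of the controls above, blocking macro-enabled attachments from external senders and catching sender domains that are "close enough" to a real vendor's, can be expressed as a small triage rule. The following is an added example, not code from the original post or from any of the products named; the internal domain, vendor list, extension list and sample messages are constructed for illustration.

```python
import os

INTERNAL_DOMAIN = "example-distribution.test"           # assumed: the business's own domain
KNOWN_VENDORS = {"acme-supply.test", "northpak.test"}    # constructed vendor domains
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".xlam", ".dotm"}

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1-2 from a vendor domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def triage(sender, attachments, vendors=KNOWN_VENDORS):
    """Return (action, reasons) where action is 'deliver', 'quarantine' or 'block'."""
    domain = sender_domain(sender)
    external = domain != INTERNAL_DOMAIN
    reasons = []
    if external and domain not in vendors:
        for vendor in vendors:
            if 0 < edit_distance(domain, vendor) <= 2:
                reasons.append(f"sender domain {domain} looks like vendor {vendor}")
    if external:
        for name in attachments:
            if os.path.splitext(name.lower())[1] in MACRO_EXTENSIONS:
                reasons.append(f"macro-enabled attachment {name} from external sender")
    if any("macro-enabled" in r for r in reasons):
        return "block", reasons
    if reasons:
        return "quarantine", reasons
    return "deliver", reasons

if __name__ == "__main__":
    # Constructed messages: a one-character lookalike of a vendor domain, and a
    # genuine vendor sending a macro-enabled workbook.
    print(triage("billing@acme-supp1y.test", ["Invoice_4471.pdf"]))
    print(triage("billing@acme-supply.test", ["Invoice_4471.xlsm"]))
```

A quarantined lookalike still gets the human check the training section recommends: call the vendor on a known number before releasing it.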
Endpoint Protection That Detects Behavior
Traditional antivirus looks for known malware signatures. Modern attackers use legitimate tools and custom malware that signature-based detection misses.
What to look for:
- Behavioral detection that identifies suspicious activity patterns
- Ransomware-specific protection (monitoring for mass file encryption)
- Automated response capabilities (isolating infected machines)
- Cloud-based threat intelligence for real-time updates
CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint provide these capabilities. For small businesses, managed detection and response (MDR) services can monitor endpoints without requiring in-house security staff.
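The "monitoring for mass file encryption" item above is a behavioural rule rather than a signature: one process rewriting and renaming many files in a short window. The following is an added example of that rule, not code from the original post or from any of the products named; the event tuple format, thresholds and the sample event stream (a backup job versus an encrypting process) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MIN_FILES = 20        # distinct files touched by one process inside the window
MIN_EXT_CHANGES = 15  # of which were renamed to a different extension

def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, min_ext=MIN_EXT_CHANGES):
    """events: time-ordered (ts, pid, process, op, path, new_path_or_None).
    Returns one (pid, process, ts) alert per offending process."""
    recent = defaultdict(deque)  # pid -> deque of (ts, path, extension_changed)
    alerted, alerts = set(), []
    for ts, pid, proc, op, path, new_path in events:
        if op not in ("write", "rename"):
            continue
        ext_changed = (op == "rename" and new_path is not None and
                       new_path.rsplit(".", 1)[-1] != path.rsplit(".", 1)[-1])
        q = recent[pid]
        q.append((ts, path, ext_changed))
        while q and ts - q[0][0] > window:   # drop events outside the sliding window
            q.popleft()
        files = {p for _, p, _ in q}
        changes = sum(1 for _, _, c in q if c)
        if pid not in alerted and len(files) >= min_files and changes >= min_ext:
            alerted.add(pid)
            alerts.append((pid, proc, ts))
    return alerts

def sample_events():
    """Constructed stream: a backup job writing 30 files (benign), then a process
    that writes each file and renames it with a new extension (encryption pattern)."""
    ev = []
    for i in range(30):
        ev.append((i, 400, "backup.exe", "write", f"//fs/finance/ar_{i}.xlsx", None))
    for i in range(25):
        p = f"//fs/finance/invoice_{i}.pdf"
        ev.append((100 + i, 913, "svc_update.exe", "write", p, None))
        ev.append((100 + i, 913, "svc_update.exe", "rename", p, p + ".locked"))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for pid, proc, ts in detect_mass_encryption(sample_events()):
        print(f"alert: pid {pid} ({proc}) mass-encrypting at t={ts}; isolate host")
```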
Network Segmentation
If attackers cannot move from an infected workstation to your file server, they cannot encrypt your files.
Basic segmentation for small businesses:
- Separate guest WiFi from business network
- Place financial systems on a restricted network segment
- Limit which machines can access backup systems
- Use firewalls between network segments, not just at the perimeter
Credential Management
Attackers in the Elizabethtown case harvested credentials from browser password managers and reused them across systems.
Protective measures:
- Use a proper password manager (1Password, Bitwarden, or enterprise options)
- Require multi-factor authentication for all critical systems
- Disable password saving in browsers
- Use unique passwords for every account
- Implement privileged access management for administrator accounts
Staff Training
The attack started because an employee opened a malicious attachment. Training does not eliminate this risk, but it reduces it.
Effective training includes:
- Recognition of phishing indicators (suspicious senders, urgent requests, unexpected attachments)
- Verification procedures for unusual requests (call the vendor to confirm before opening unexpected invoices)
- Clear reporting channels (employees should know exactly who to contact and feel safe reporting mistakes)
- Regular simulated phishing exercises to maintain awareness
If Ransomware Happens: Immediate Response Steps
Despite best efforts, ransomware incidents still occur. Knowing how to respond can significantly reduce damage.
1. Isolate affected systems. Disconnect infected machines from the network immediately. Do not shut them down---forensic evidence may be lost. Unplug the network cable or disable WiFi.
2. Do not pay immediately. The deadline in ransom notes is artificial. Paying quickly does not guarantee faster recovery and may mark you as an easy target for future attacks.
3. Contact professionals. Ransomware incidents require specialized expertise. Contact your cyber insurance provider (if you have coverage), a reputable incident response firm, and law enforcement.
4. Assess the damage. Determine what systems and data are affected. Check whether backups are intact. Identify whether data was exfiltrated in addition to being encrypted.
5. Preserve evidence. Do not attempt to clean or restore systems until forensic evidence has been collected. This evidence is important for insurance claims, law enforcement, and understanding how to prevent future attacks.
6. Communicate carefully. Inform employees on a need-to-know basis. Prepare messaging for customers and vendors if the incident will affect them. Consult legal counsel before making public statements.
What Happened Next
The Elizabethtown business spent eleven days in crisis mode. They operated from paper records and personal memory. They rebuilt their accounting system from bank statements and fragments of data recovered from employee email attachments.
Six months later, they are fully operational with security controls they should have had before the attack. They spend approximately $800 per month on managed security services---a fraction of what the incident cost.
The owner told us something that stuck: "We thought ransomware was something that happened to big companies. We learned that we were exactly the kind of target attackers look for."
Small businesses in Elizabethtown, Lancaster County, and across Central Pennsylvania face the same risks. The threat is not theoretical. It is active, profitable for attackers, and devastating for victims.
Preparation costs less than recovery. Every time.
StencilWash helps small businesses implement practical cybersecurity protections before incidents occur. If you want to assess your ransomware resilience, contact us.
The engineering team at StencilWash, building agentic systems for the real world.
