Skip to main content

How Ransomware Actually Works in 2026

30 June 2026 | By Birender Chahal

Most owners picture ransomware as a single dramatic moment: a skull on the screen, a countdown timer, a demand for Bitcoin. That moment is real, but it is the last step in a chain that started days or weeks earlier. By the time the screen locks, the attacker has already been in your systems for a while.

Understanding that chain is the whole game. Ransomware is not one event you stop at the door. It is a sequence of stages, and you do not need to block every one. Break any link and the attack falls apart. Here is how a ransomware attack actually unfolds in 2026, and the practical control that breaks each stage for a Sydney small business.

Stage One: Getting In

Almost every ransomware case starts in one of three ways. A staff member clicks a convincing phishing email and hands over a password or runs a malicious attachment. An unpatched system, often a remote access tool or an old server exposed to the internet, is found by automated scanning and exploited. Or a password that leaked in some unrelated breach still works, because it was reused and never changed.

None of these are sophisticated. They are the path of least resistance, and attackers run software that probes thousands of businesses at once looking for whichever door is unlocked. A 30-person firm in Western Sydney gets caught in that net the same way a large company does.

The controls that break this stage are the unglamorous basics. Multi-factor authentication means a leaked or guessed password is not enough on its own, so most account takeovers simply fail. Prompt patching closes the known flaws before anyone walks through them. Good email filtering and a team that recognises a dodgy login prompt catch most of the rest. Our guide to phishing protection for business covers the email side in more detail.

Binary code on a digital screen
Ransomware is a chain of stages. Break any link and it fails.

Stage Two: Spreading Quietly

Getting onto one machine is rarely the goal. A single encrypted laptop is an inconvenience, not a crisis. The real damage comes when the attacker moves sideways across your network to reach servers, shared drives, and ideally your backups.

In this stage they are patient and quiet. They look for accounts with broad permissions, especially admin accounts that can reach everything, and they use them to map the network and position their tools. The longer they go unnoticed, the more of your business they can lock up at once.

Two controls slow this down hard. Limiting who has admin rights means a compromised everyday account cannot reach the whole environment, so the blast radius stays small. Monitoring and detection, the kind a managed provider runs, means unusual activity gets spotted while the attacker is still moving, not after the files are gone.

Stage Three: Encryption and the Lock

This is the visible part. The attacker triggers the encryption, files become unreadable across every system they reached, and the ransom note appears. Work stops. Staff cannot open documents, the accounting system will not load, and the business effectively grinds to a halt.

Here is where the businesses split into two groups. The one with tested, isolated backups restores its systems and is working again in hours or a day. The one without is staring at a choice between paying a criminal with no guarantee of recovery and rebuilding from scratch over weeks.

The control that decides which group you are in is your backup. Not just that backups run, but that at least one copy is immutable, meaning an attacker who reaches your network still cannot delete or encrypt it, and that you have actually tested a restore. A backup nobody has restored from is a guess, not a safety net. Our guides to immutable backup and the 3-2-1 backup rule explain what good looks like.

Stage Four: Extortion, and Then Double Extortion

Years ago, paying the ransom or restoring from backup ended the story. Not anymore. Modern ransomware crews steal a copy of your data before they encrypt it, then threaten to publish it or sell it if you do not pay. This is double extortion, and it changes the maths.

It means that even a perfect backup does not fully protect you, because the attacker still holds your client records, payroll, and contracts. The leverage shifts from “you cannot get your files back” to “we will leak your clients’ information.” For a firm that holds sensitive data, that threat alone can be the costly part.

This is exactly why the goal is to stop the attack at stages one and two, before any data leaves the building. You cannot negotiate your way out of stolen data, but you can keep it from being stolen in the first place. Strong access controls, monitoring, and the front-door basics are what prevent the breach rather than just helping you recover from it.

Why Small Businesses Keep Getting Hit

Small businesses are not too small to target. They are often the ideal target, because they hold valuable data and money but run with weaker defences than the corporates they work alongside. Most attacks are automated and opportunistic, so size is not protection. The deciding factor is whether the basic controls are in place and working. You can read more on why small businesses are a ransomware target.

The encouraging part is that the same short list of controls breaks the chain at multiple points. MFA, patching, restricted admin rights, monitoring, and tested immutable backups. Get those working and you have closed the routes that the large majority of attacks rely on. CIO Tech does not promise that any control eliminates risk, but done properly this set significantly reduces it.

Where to Start

If reading this raised an honest question about whether your own backups have ever been tested, or whether MFA is really on everywhere, that uncertainty is the starting point. Most owners are assuming rather than knowing, and assuming is where the gap lives.

Get a clear picture first, then close the biggest gaps in order. Our IT maturity assessment gives you a plain-English read on where you stand in a few minutes and shows what needs attention first.

We are a Sydney-based team in Bella Vista, and we help businesses across the metro area put these controls in place and keep them working. No jargon, no scare tactics, just the chain broken at every link it can be.

Take the free IT Maturity Assessment

Birender Chahal
Founder, CIO Tech

Birender founded CIO Tech and holds an IT degree from the University of Technology Sydney. He has delivered IT projects across hotels and serviced offices, covering property management systems, guest networks, and Essential Eight hardening. More about CIO Tech.

Stop putting off IT that works

Book an IT Audit

$990 one-off. 90-day deep dive into your IT environment with a prioritised action plan.

Book IT Audit

Free IT Health Check

Takes 3 minutes. See where your IT stands and what to fix first.

Free IT Health Check

Cyber Posture Snapshot

Your details 1 / 10

How exposed is your business?

Six quick questions, two short ones to tailor the result, and you'll see where your business stands. About two minutes. Plain English, no jargon.

We'll use your email to send a copy of your result. No spam, no pushy sales calls.

Question 1 of 9

When your team logs in to email and business apps, do they need a code from their phone as well as a password?

Question 2 of 9

If a ransomware attack locked all your files tomorrow, could you restore them from a backup?

Question 3 of 9

When Microsoft or Apple release a critical security update, how fast does it land on your computers?

Question 4 of 9

How many people in your business can install software or change system settings on any work computer?

Question 5 of 9

If a staff member got a fake invoice or "urgent" email pretending to be from you right now, what would happen?

Question 6 of 9

When a staff member leaves, when does their access to email, files, and apps actually get cut off?

Question 7 of 9

How many people work in your business?

Question 8 of 9

Who looks after your IT today?

Question 9 of 9

What sort of business are you?

Tailoring your result...

Hi there, here's where your business stands.

Your Cyber Posture
Critical gaps Critical
Notable exposure Notable
Mixed picture Mixed
On the right track On track

Notable exposure

Your two biggest gaps

  1. 1
  2. 2

Where this leaves you on Essential Eight

  • MFA Multi-factor authentication
  • Backups Regular backups
  • Patching Covers 2 of 8: Patch applications + Patch operating systems
  • Admin access Restrict administrative privileges

This snapshot covers 5 of the 8 Essential Eight controls. The full IT Maturity Assessment covers all 8, plus Microsoft 365 hardening, device management, and staff training.