Empowering Businesses Through Smarter IT
1860 SW Fountainview Blvd., Suite 100, Port St. Lucie, FL 34986

How Do You Spot Ransomware Before Your Files Lock Up?


Ransomware almost never starts with a locked screen. By the time a small business sees the famous extortion note, the attackers have usually been inside the network for hours, sometimes days, quietly mapping shares, stealing credentials, and turning off the things that would have stopped them. The locked files are the last step, not the first one. The good news is that the earlier steps leave traces. A small business that knows what those traces look like, and where to watch for them, has a real chance to interrupt an attack while there is still something to save.

This is not about expensive enterprise tools or a 24-person security team. It is about knowing which behaviors are normal on your network and which ones are the first signs of trouble. A bookkeeper who suddenly logs in at 2 a.m. on a Saturday is a signal. A backup job that disables itself overnight is a signal. A new admin account that nobody created is a signal. Most ransomware groups follow the same playbook before they pull the trigger, and a calm response in the first few hours is what turns a near-miss into a story you tell at a conference instead of a six-figure check to a recovery firm.

What Does The Hour Before Encryption Actually Look Like?

The hour before files start locking is usually the noisiest part of a ransomware attack, even though almost nobody is looking. Attackers run scripts that scan for every shared folder, every backup target, and every machine they can reach. They try to disable antivirus services, kill backup agents, and clear Windows event logs so their tracks disappear. They escalate to a domain admin account if they have not already, and they often copy several gigabytes of data out of the network to use as extortion leverage later. All of this leaves a footprint on the systems doing the work.

An endpoint detection and response tool on every device is the layer that sees this footprint in real time. It records process trees, parent-child relationships between programs, and the command-line arguments behind every executable. When a script kicks off PowerShell to disable Windows Defender, or when a remote management tool that nobody recognizes spawns from an Outlook session, an EDR product flags it for review. A simple antivirus check looks for known bad files. EDR looks for the kind of behavior that file-based antivirus has been blind to for almost a decade now.

The footprint attackers leave behind

Common pre-encryption activity looks like this. New scheduled tasks appear on workstations that did not need them yesterday. The Volume Shadow Copy service is stopped or its snapshots are deleted. A standard user account is suddenly added to the Domain Admins group. A remote desktop or RMM agent that your IT team did not install starts running on a file server. A handful of accounts try and fail to log into the same finance workstation from different IP addresses inside a few minutes. Any one of those, on its own, can be innocent. Several of them in the same hour are not.
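The "several of them in the same hour" rule is the part worth automating. The script below is an added example written for this article, not code from the page or from any vendor's product: it classifies Windows Security and System events into the signal categories listed above (shadow-copy deletion and Defender tampering from process command lines, a stopped Volume Shadow Copy service, new scheduled tasks, additions to privileged groups, and failed-logon bursts from more than one source IP) and only raises an alert when a host shows two or more distinct categories inside one hour. The event IDs are the real Windows ones; the hostnames, IP addresses, timestamps and command-line patterns are constructed and the thresholds are assumptions to tune.

```python
"""Correlate pre-encryption signals in Windows event records.

Each record imitates what a SIEM or EDR console extracts from the Windows
Security and System logs: event ID, host, timestamp and a few parsed
fields. Event IDs are the real Windows ones (4688 process creation, 4625
failed logon, 4698 scheduled task created, 4728/4732 member added to a
group, 7036 service state change); hostnames, IPs and times are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines typical of shadow-copy deletion and Defender tampering.
# Illustrative patterns; a production rule set is considerably broader.
SUSPICIOUS_CMDLINES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def classify(event):
    """Map one event to a signal category, or None when it is routine."""
    eid, f = event["event_id"], event["fields"]
    if eid == 4698:
        return "scheduled_task_created"
    if eid == 4688:
        for name, pattern in SUSPICIOUS_CMDLINES.items():
            if pattern.search(f.get("command_line", "")):
                return name
    if eid in (4728, 4732) and f.get("group") in PRIVILEGED_GROUPS:
        return "privileged_group_addition"
    if eid == 7036 and f.get("service") == "Volume Shadow Copy" and f.get("state") == "stopped":
        return "vss_service_stopped"
    return None


def failed_logon_bursts(events, window=timedelta(minutes=5), min_failures=3, min_ips=2):
    """Event 4625 bursts: several failures on one host from more than one source IP."""
    per_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            per_host[e["host"]].append(e)
    bursts = []
    for host, fails in per_host.items():
        fails.sort(key=lambda e: e["time"])
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            ips = {e["fields"]["source_ip"] for e in in_window}
            if len(in_window) >= min_failures and len(ips) >= min_ips:
                bursts.append((host, first["time"], "failed_logon_burst"))
                break
    return bursts


def correlate(events, window=timedelta(hours=1), min_categories=2):
    """Hosts showing at least min_categories distinct signals inside one window."""
    signals = [(e["host"], e["time"], c) for e in events if (c := classify(e))]
    signals += failed_logon_bursts(events)
    by_host = defaultdict(list)
    for host, t, category in signals:
        by_host[host].append((t, category))
    alerts = {}
    for host, sigs in by_host.items():
        sigs.sort()
        for i, (t0, _) in enumerate(sigs):
            categories = {c for t, c in sigs[i:] if t - t0 <= window}
            if len(categories) >= min_categories:
                alerts[host] = sorted(categories)
                break
    return alerts


def ev(ts, host, event_id, **fields):
    return {"time": datetime.fromisoformat(ts), "host": host, "event_id": event_id, "fields": fields}


# Constructed sample: a file server being prepared for encryption, one
# privileged-group change on the DC, a logon burst against a finance PC,
# and an ordinary scheduled task on an HR laptop that should not alert.
SAMPLE_EVENTS = [
    ev("2024-06-08T01:10:00", "FS01", 4688, command_line="vssadmin.exe delete shadows /all /quiet"),
    ev("2024-06-08T01:12:00", "FS01", 7036, service="Volume Shadow Copy", state="stopped"),
    ev("2024-06-08T01:20:00", "FS01", 4698, task_name="\\Microsoft\\Windows\\Update\\svc"),
    ev("2024-06-08T01:25:00", "DC01", 4728, group="Domain Admins", member="j.doe"),
    ev("2024-06-08T01:30:00", "FIN-PC", 4625, target="accounting", source_ip="10.0.5.21"),
    ev("2024-06-08T01:31:00", "FIN-PC", 4625, target="accounting", source_ip="10.0.5.22"),
    ev("2024-06-08T01:33:00", "FIN-PC", 4625, target="accounting", source_ip="10.0.5.21"),
    ev("2024-06-08T09:00:00", "HR-LAPTOP", 4698, task_name="\\OneDrive Standalone Update"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, cats in run_sample().items():
        print(f"{host}: {', '.join(cats)}")
```

On the sample data only FS01 alerts, because it is the only host that shows more than one category in the hour. The lone Domain Admins change on DC01 and the logon burst on FIN-PC stay below the bar on their own, which is the intended behaviour for a per-host rule; in practice you would also run the same correlation across the whole estate, since a domain-wide view would see all three hosts lighting up inside twenty minutes.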

The reason small businesses miss this window is that nothing alerts them about it. The logs exist on the machines, but if nobody is reading them, they may as well not exist. The shift you have to make is from “we install antivirus and trust it to handle it” to “we have a system that watches for these patterns and tells someone when they happen.” That someone does not have to be on your staff, but it does have to exist somewhere.

Which Behaviors Should Set Off The Alarm?

If you cannot afford a full security operations center, you can still build a short list of behaviors that should always trigger a closer look. The point is not to catch every possible bad thing. The point is to catch the cluster of behaviors that almost always precede a ransomware payload, while ignoring the routine noise that wastes attention. A small business with a clear short list catches more real attacks than a giant enterprise with a thousand alerts that nobody reads.

The first cluster is credential abuse. A user logging in from a country your business does not operate in. A login at an hour that does not match the employee’s normal schedule. Several failed logins on the same account in a few minutes, followed by a successful one. Service accounts that should never log in interactively suddenly being used to open a desktop session. Many of these attacks start with leaked employee passwords showing up on dark web feeds from breaches at other services, and the attackers try those passwords against your Microsoft 365 or VPN before they ever launch malware.
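Each of those credential-abuse signals is a small rule over the sign-in log, and the rules are most useful together, because the same successful login often trips several at once. The following is an added example for this article, not code from the page or from Microsoft: it reads records shaped like a Microsoft Entra ID sign-in log export (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode, isInteractive) and flags a success that follows a burst of failures, a login from a country the business does not operate in, an interactive session on a service account, and a login at an hour the user has never worked before. Error code 50126 is Entra's code for a wrong username or password; the users, addresses, timestamps, allowed-country list, service-account naming convention and time zone are constructed assumptions.

```python
"""Flag credential-abuse patterns in identity sign-in logs.

Records imitate the shape of a Microsoft Entra ID sign-in log export
(userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion,
status.errorCode, isInteractive); the rules apply equally to any provider's
sign-in log. Users, IPs, times and the allowed-country list are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ALLOWED_COUNTRIES = {"US"}                      # where the business operates (assumed)
SERVICE_ACCOUNT_PREFIX = "svc-"                 # naming convention (assumed)
INVALID_CREDENTIALS = 50126                     # Entra error code: wrong username/password
BUSINESS_TZ = timezone(timedelta(hours=-4))     # Eastern daylight time (assumed)


def parse(rec):
    """Normalize one export record into the fields the rules use."""
    ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return {
        "user": rec["userPrincipalName"].lower(),
        "time": ts.astimezone(BUSINESS_TZ),
        "country": rec["location"]["countryOrRegion"],
        "error": rec["status"]["errorCode"],
        "interactive": rec["isInteractive"],
    }


def hour_baseline(history):
    """Local hours at which each user has previously signed in successfully."""
    base = defaultdict(set)
    for r in history:
        if r["error"] == 0:
            base[r["user"]].add(r["time"].hour)
    return base


def detect(records, history, fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Return (user, local time, reason) findings for today's records."""
    today = sorted((parse(r) for r in records), key=lambda r: r["time"])
    baseline = hour_baseline(parse(r) for r in history)
    recent_failures = defaultdict(list)
    findings = []
    for r in today:
        user, t = r["user"], r["time"]
        if r["error"] != 0:
            if r["error"] == INVALID_CREDENTIALS:
                recent_failures[user].append(t)
            continue
        # Only successful sign-ins reach this point.
        fails = [f for f in recent_failures[user] if t - f <= fail_window]
        if len(fails) >= fail_threshold:
            findings.append((user, t, "failed_then_success"))
        if r["country"] not in ALLOWED_COUNTRIES:
            findings.append((user, t, "unexpected_country"))
        if user.startswith(SERVICE_ACCOUNT_PREFIX) and r["interactive"]:
            findings.append((user, t, "service_account_interactive"))
        usual = baseline.get(user)
        if usual and not any(abs(t.hour - h) <= 1 for h in usual):
            findings.append((user, t, "off_hours_for_user"))
    return findings


def rec(user, ts, ip, country, error=0, interactive=True):
    return {"userPrincipalName": user, "createdDateTime": ts, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error},
            "isInteractive": interactive}


BOOKKEEPER, ALICE, SVC = "bookkeeper@example.com", "alice@example.com", "svc-backup@example.com"
# Constructed 30-day history: the bookkeeper works office hours; the service
# account authenticates non-interactively at 10:00 local.
HISTORY = [rec(BOOKKEEPER, f"2024-05-{d:02d}T{h}:00Z", "198.51.100.10", "US")
           for d in range(1, 31) for h in ("12:30", "13:15", "17:05", "20:10")]
HISTORY += [rec(SVC, f"2024-05-{d:02d}T14:00:00Z", "10.0.0.5", "US", interactive=False)
            for d in range(1, 31)]
# Constructed "today": a password-guessing run at 2 a.m. local from abroad
# that eventually succeeds, an ordinary login with one typo, and a service
# account used for an interactive session.
TODAY = (
    [rec(BOOKKEEPER, f"2024-06-08T06:0{i}:00Z", "203.0.113.5", "NL", error=INVALID_CREDENTIALS)
     for i in range(5)]
    + [rec(BOOKKEEPER, "2024-06-08T06:06:00Z", "203.0.113.5", "NL"),
       rec(ALICE, "2024-06-08T13:28:00Z", "198.51.100.10", "US", error=INVALID_CREDENTIALS),
       rec(ALICE, "2024-06-08T13:30:00Z", "198.51.100.10", "US"),
       rec(SVC, "2024-06-08T14:00:00Z", "10.0.0.5", "US")]
)


def run_sample():
    return detect(TODAY, HISTORY)


if __name__ == "__main__":
    for user, t, reason in run_sample():
        print(f"{t:%Y-%m-%d %H:%M} {user}: {reason}")
```

The bookkeeper's 2 a.m. login from the Netherlands trips three rules at once, which is the kind of stacked finding that deserves a phone call rather than a ticket, while Alice's single mistyped password produces nothing. The hour baseline is deliberately built from each user's own history rather than a company-wide 9-to-5 window, because the warehouse shift and the owner who answers email at 11 p.m. would otherwise page someone every night.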

File system and backup signals

The second cluster is what happens to data. A workstation suddenly reading and modifying thousands of files per minute across a shared drive. A backup job that completes successfully every night for two years and then quietly fails for the first time the day before encryption. A drop in free disk space on a file server that does not match any business activity. Files renamed with unfamiliar extensions in a folder where they have not changed in months. The pattern is rarely subtle once you know what it is. A laptop touching ten thousand files an hour is not somebody doing their job. It is software running on their machine, and the question is which software, and on whose behalf.
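The "ten thousand files an hour" observation turns into two measurable quantities: how many files one host touches inside a sliding one-minute window, and how many files it renames to an extension the share has never contained. The script below is an added example for this article, not code from the page or from any file-server vendor: it runs those two checks over an audit trail of file operations and reports per host. The event format, the list of known extensions and the thresholds are assumptions, and the sample trail is generated in code rather than captured from a real server.

```python
"""Spot mass file modification and extension changes on a shared drive.

Events imitate the file-access audit trail a file server or EDR agent
emits (time, host, operation, path and, for renames, the new path). The
thresholds are starting points to tune, and every event is generated in
code for the example rather than taken from a real server.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
RATE_THRESHOLD = 300         # files one host touches per minute (assumed tuning)
UNKNOWN_EXT_THRESHOLD = 20   # renames to extensions never seen before (assumed tuning)


def peak_rate_per_minute(times):
    """Largest number of events that fall inside any 60-second sliding window."""
    window, peak = deque(), 0
    for t in sorted(times):
        window.append(t)
        while t - window[0] > timedelta(seconds=60):
            window.popleft()
        peak = max(peak, len(window))
    return peak


def analyze(events):
    """Per-host findings: {host: {"reasons", "peak_per_minute", "new_extensions"}}."""
    touched = defaultdict(list)
    unknown_renames = defaultdict(Counter)
    for e in events:
        touched[e["host"]].append(e["time"])
        if e["op"] == "rename":
            ext = PurePosixPath(e["new_path"]).suffix.lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                unknown_renames[e["host"]][ext] += 1
    findings = {}
    for host, times in touched.items():
        peak = peak_rate_per_minute(times)
        reasons = []
        if peak >= RATE_THRESHOLD:
            reasons.append("mass_modification")
        if sum(unknown_renames[host].values()) >= UNKNOWN_EXT_THRESHOLD:
            reasons.append("unfamiliar_extensions")
        if reasons:
            findings[host] = {"reasons": reasons, "peak_per_minute": peak,
                              "new_extensions": dict(unknown_renames[host])}
    return findings


def sample_events():
    """Constructed audit trail: one normal user and one host encrypting a share."""
    base = datetime(2024, 6, 8, 2, 15)
    events = []
    # HR-LAPTOP: forty document saves spread over two hours of ordinary work.
    for i in range(40):
        events.append({"time": base + timedelta(minutes=3 * i), "host": "HR-LAPTOP",
                       "op": "write", "path": f"/shares/hr/doc{i}.docx"})
    # FIN-PC: 600 spreadsheets rewritten and renamed to .locked in 90 seconds.
    for i in range(600):
        t = base + timedelta(milliseconds=150 * i)
        src = f"/shares/finance/inv{i}.xlsx"
        events.append({"time": t, "host": "FIN-PC", "op": "write", "path": src})
        events.append({"time": t, "host": "FIN-PC", "op": "rename", "path": src,
                       "new_path": src + ".locked"})
    return events


def run_sample():
    return analyze(sample_events())


if __name__ == "__main__":
    for host, f in run_sample().items():
        print(f"{host}: {f['reasons']} peak={f['peak_per_minute']}/min new={f['new_extensions']}")
```

Tune RATE_THRESHOLD against a week of your own audit data before trusting it; a nightly sync job or a user unzipping a large archive will touch files quickly too, which is why the rename-to-unknown-extension count is the better tiebreaker. Legitimate software almost never renames six hundred spreadsheets to a new extension in ninety seconds.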

The third cluster is infrastructure behavior. Outbound network traffic to a host nobody on your team has ever heard of, especially in the middle of the night. A server that has lived behind the firewall for years suddenly opening connections to a cloud storage service it has never touched. A new administrator account on the domain controller. Security tools, scheduled tasks, or Windows services that disable themselves. If two or three of these show up inside a single shift, a small business should treat it as a probable attack in progress, not a coincidence.

Where Does A Small Business Spot Trouble First?

For a Treasure Coast small business with a handful of servers, a few dozen laptops, and Microsoft 365, four vantage points usually catch the earliest signs. The first is the endpoint. Every laptop and desktop, plus the file server, should be running an EDR agent that ships its events to a central console. That console is where unusual process trees, credential dumping attempts, and disabled antivirus events surface. If your current setup is just a free antivirus product on each machine, you do not have this vantage point at all, and the attackers know it.

The second vantage point is your identity provider. For most small businesses that is Microsoft Entra ID, the directory behind Microsoft 365. The sign-in logs there tell you who logged in, from where, from what device, and whether multi-factor authentication was actually used. Risky sign-ins, impossible-travel events, and unusual location alerts come from this layer, although the full set of risk-based detections needs a Microsoft Entra ID P2 license, and the free tier keeps sign-in logs for only seven days, so forward them somewhere that keeps a longer history. If your business runs Microsoft 365 and nobody has ever opened the Entra sign-in logs, that is a free vantage point sitting unused. The same is true for Google Workspace customers and their admin audit logs.

The network view between segments

The third vantage point is the network, and this is where layout decisions made months earlier really matter. If you have already split your office into security zones with separate networks for finance, general staff, guest Wi-Fi, and printers, the firewall between those zones becomes a sensor. Any time the marketing laptop suddenly tries to talk to the bookkeeping server using SMB, that is suspicious by default. Any time a printer reaches out to a server in another subnet, that is suspicious by default. A flat office network where everything can talk to everything has none of these signals because there is no boundary to cross.
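Once the zones exist, the firewall's connection log can be checked against a short allow list of the crossings the business actually needs, and everything else is reported. The script below is an added example for this article, not code from the page or from any firewall vendor: it maps addresses to zones by subnet, skips traffic that stays inside a zone or heads out to the internet, and counts every other boundary crossing that is not on the allow list. The subnets, the allow list and every flow are constructed for an assumed small office.

```python
"""Use a segmented office network's flow log as a ransomware sensor.

Flow records imitate a firewall's connection log (src, dst, dst_port). The
zone subnets and the allow list describe an assumed small office; every
flow below is constructed for this example.
"""
import ipaddress
from collections import defaultdict

ZONES = {
    "servers":  ipaddress.ip_network("10.10.1.0/24"),    # file server, DC, DNS
    "staff":    ipaddress.ip_network("10.10.10.0/24"),   # general staff laptops
    "finance":  ipaddress.ip_network("10.10.20.0/24"),   # bookkeeping server and PCs
    "printers": ipaddress.ip_network("10.10.30.0/24"),
    "guest":    ipaddress.ip_network("192.168.50.0/24"), # guest Wi-Fi
}
# (src_zone, dst_zone, dst_port) triples that business workflows actually need.
# Anything else that crosses a zone boundary is reported.
ALLOWED = {
    ("staff", "servers", 445), ("staff", "servers", 443), ("staff", "servers", 53),
    ("finance", "servers", 445), ("finance", "servers", 443), ("finance", "servers", 53),
    ("staff", "printers", 9100), ("finance", "printers", 9100),
    ("printers", "servers", 53),
}


def zone_of(ip_str):
    """Zone name for an address; 'internet' for public space, 'unknown' otherwise."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown" if ip.is_private else "internet"


def audit(flows):
    """Boundary crossings the allow list does not cover, counted per (src, dst, port)."""
    crossings = defaultdict(int)
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone or dst_zone == "internet":
            continue   # intra-zone traffic and outbound browsing are other sensors' job
        if (src_zone, dst_zone, f["dst_port"]) in ALLOWED:
            continue
        crossings[(f["src"], src_zone, f["dst"], dst_zone, f["dst_port"])] += 1
    ordered = sorted(crossings.items(), key=lambda kv: -kv[1])
    return [{"src": s, "src_zone": sz, "dst": d, "dst_zone": dz, "port": p, "count": n}
            for (s, sz, d, dz, p), n in ordered]


def flow(src, dst, port):
    return {"src": src, "dst": dst, "dst_port": port}


SAMPLE_FLOWS = [
    flow("10.10.10.23", "10.10.1.10", 445),      # marketing laptop -> file server: allowed
    flow("10.10.10.23", "142.250.0.1", 443),     # marketing laptop -> internet: not this sensor's job
    flow("10.10.20.15", "10.10.20.5", 445),      # finance PC -> bookkeeping server, same zone
    flow("10.10.30.7", "10.10.1.2", 53),         # printer -> DNS: allowed
    flow("10.10.10.23", "10.10.20.5", 445),      # marketing laptop -> bookkeeping server over SMB
    flow("10.10.10.23", "10.10.20.5", 445),
    flow("10.10.10.23", "10.10.20.5", 445),
    flow("10.10.30.7", "10.10.1.10", 445),       # printer opening SMB to the file server
    flow("192.168.50.40", "10.10.1.10", 443),    # guest Wi-Fi client reaching an internal server
]


def run_sample():
    return audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    for c in run_sample():
        print(f"{c['count']:>3}x {c['src']} ({c['src_zone']}) -> {c['dst']} ({c['dst_zone']}) :{c['port']}")
```

The allow list is the important design choice: it is short because a small office only has a handful of legitimate cross-zone flows, and anything that does not fit on it is reported by default. The same logic runs unchanged against a flat network, but it reports nothing, because every address lands in the same zone and no flow ever crosses a boundary.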

The fourth vantage point, and the one most small businesses skip until it is too late, is the backup system itself. Modern ransomware operators target backups before they touch primary data, because backups are what would have saved the business. The backup console should send an alert any time a job fails, any time a backup repository’s free space changes dramatically, any time someone tries to delete or change retention settings, and any time the backup agent is disabled on a protected machine. If your backup software is set up to email “success” or nothing at all, you have eliminated one of your best detection signals.
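Those four backup alerts are simple enough that you can implement them yourself if the console only exports its history. The script below is an added example for this article, not code from the page or from any backup product: it flags the first failure of a job after a long run of successes, a sudden drop in repository free space between two readings, and any retention change, deletion or agent disablement in the admin audit trail. The record layout, thresholds and every entry are constructed assumptions.

```python
"""Alert on the backup-system changes that precede encryption.

Records imitate a backup console's job history, repository capacity
readings and admin audit trail. Field names, thresholds and every
entry below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS_STREAK = 30          # nightly successes that make a failure "surprising" (assumed)
SPACE_DROP_FRACTION = 0.25   # free space lost between readings, as a share of capacity (assumed)
ALWAYS_ALERT = {"retention_changed", "backup_deleted", "agent_disabled", "repository_removed"}


def job_alerts(jobs):
    """The first failure after a long run of successes, tracked per job."""
    streak = defaultdict(int)
    alerts = []
    for j in sorted(jobs, key=lambda j: j["time"]):
        if j["status"] == "success":
            streak[j["job"]] += 1
            continue
        if streak[j["job"]] >= SUCCESS_STREAK:
            alerts.append((j["time"], j["job"], f"first_failure_after_{streak[j['job']]}_successes"))
        streak[j["job"]] = 0
    return alerts


def space_alerts(readings):
    """A sudden drop in repository free space between consecutive readings."""
    last = {}
    alerts = []
    for r in sorted(readings, key=lambda r: r["time"]):
        prev = last.get(r["repo"])
        if prev is not None:
            drop = (prev["free_gb"] - r["free_gb"]) / prev["capacity_gb"]
            if drop >= SPACE_DROP_FRACTION:
                alerts.append((r["time"], r["repo"], f"free_space_dropped_{drop:.0%}"))
        last[r["repo"]] = r
    return alerts


def audit_alerts(audit):
    """Retention edits, deletions and agent disablement are never routine."""
    return [(e["time"], e["actor"], e["action"]) for e in audit if e["action"] in ALWAYS_ALERT]


def evaluate(console):
    """All alerts from one console export, oldest first."""
    alerts = job_alerts(console["jobs"]) + space_alerts(console["space"]) + audit_alerts(console["audit"])
    return sorted(alerts, key=lambda a: a[0])


def sample_console():
    """Constructed console data: thirty good nights, then a bad one."""
    first_night = datetime(2024, 5, 1, 1, 0)
    jobs = [{"time": first_night + timedelta(days=d), "job": "FS01-nightly",
             "status": "success" if d < 30 else "failed"} for d in range(31)]
    # A brand-new job failing on its first run is noise, not a signal.
    jobs.append({"time": datetime(2024, 5, 31, 1, 5), "job": "NEW-laptop-job", "status": "failed"})
    bad_night = datetime(2024, 5, 31)
    space = [{"time": bad_night - timedelta(hours=1), "repo": "NAS-REPO", "capacity_gb": 10000, "free_gb": 4000},
             {"time": bad_night, "repo": "NAS-REPO", "capacity_gb": 10000, "free_gb": 3900},
             {"time": bad_night + timedelta(hours=2, minutes=30), "repo": "NAS-REPO",
              "capacity_gb": 10000, "free_gb": 1200}]
    audit = [{"time": bad_night + timedelta(hours=2, minutes=40), "actor": "svc-backup",
              "action": "retention_changed", "detail": "14 days -> 1 day"},
             {"time": bad_night + timedelta(hours=9), "actor": "it-admin", "action": "job_edited"}]
    return {"jobs": jobs, "space": space, "audit": audit}


def run_sample():
    return evaluate(sample_console())


if __name__ == "__main__":
    for t, subject, what in run_sample():
        print(f"{t:%Y-%m-%d %H:%M} {subject}: {what}")
```

The streak check is what separates "the new laptop job failed again" from "the file server backup that has worked for a month just stopped", and the repository reading catches the case where the attacker does not bother with the console at all and simply fills or deletes the storage underneath it. Whatever generates these alerts needs to deliver them somewhere other than the backup server's own mailbox, since that server is one of the first things an attacker will try to silence.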

What Should Happen The Moment Something Feels Off?

The minutes after a real signal appears are not the time to figure out who does what. Decisions have to be pre-made and written down, because under pressure, people freeze, defer, or escalate to the wrong person. A small business with written incident response steps ready to follow will move three or four times faster than a business that is improvising. Owner, ops manager, and outside IT provider should already know the first three things they personally do when an alarm fires, and there should be no debate about it in the moment.

The first move is containment. Pull suspect machines off the network instead of shutting them down: unplug the cable, drop them from Wi-Fi, or use the host isolation feature of your EDR console if it has one. Powering them off destroys volatile memory and the evidence inside it, which is exactly what a recovery firm needs to identify the attacker, the timeline, and what was taken. Network disconnection cuts off the attacker without wiping the forensic picture. Disable the suspected user accounts in Microsoft 365 and Active Directory, especially any admin accounts that were touched, before they can be used to spread further, and revoke their active sessions as well, because disabling a cloud account does not immediately invalidate the tokens already issued to it. Change the most critical service account passwords from a clean device.

Evidence, communication, and backups

The second move is preservation. Take a snapshot of the affected machines before any changes. Pull the relevant logs off identity, email, and EDR before they roll over. Note the time you first noticed the signal and what you saw, because lawyers, insurance carriers, and any law enforcement agency you involve later will want that timeline. Do not start “cleaning up” until you have a copy of what was happening, because that cleanup work usually destroys exactly what the responders need.

The third move is to verify your backups are intact and offline. The single most painful surprise during a ransomware incident is discovering that the backup repository was reachable from the compromised network the whole time, and that the attackers got to it before the encryption ran. A small business that has an immutable cloud backup, an air-gapped copy, or a backup system that requires a separate set of credentials to delete data is in a completely different recovery posture than one that does not. Verify this is true the same hour the alarm goes off, not later.

The fourth move is communication. Notify your cyber insurance carrier within the window your policy requires. Many policies require notification within 24, 48, or 72 hours of awareness, and the clock typically starts when somebody on your team first saw the signal, not when you decided to escalate. Brief leadership on what you know and what you do not, and decide who is and is not communicating outside the company while the picture is still incomplete.

Frequently Asked Questions

How long is a ransomware group usually inside the network before encryption?

Industry incident reports over the last few years put the dwell time between initial access and ransomware deployment at anywhere from a few hours to two or three weeks, depending on the group. Some financially driven crews now move within a day. Others wait long enough to find the most valuable data, copy it for extortion, and identify the backup system. Either way, there is almost always a window where signals are showing up and nobody is reading them.

Is a free antivirus product enough to catch the early signs?

Free antivirus catches known malicious files, which is a small slice of what a modern attack actually uses. Most ransomware crews now run living-off-the-land tools that ship with Windows, such as PowerShell, WMI, and remote management utilities. Those tools are not malicious files, so file-based antivirus has nothing to flag. Behavior-based endpoint detection is what catches them, and that is a different product category, usually delivered as part of a managed security service or a paid EDR subscription.

Can a small business reliably detect ransomware on its own at 2 a.m.?

Not without help. Most small businesses do not have anyone watching alerts overnight, which is exactly when ransomware groups time their final payload. The realistic answer is to feed your endpoint, identity, and backup alerts into a monitoring service that has analysts on shift around the clock, and to define which categories of alerts should wake somebody up. That is what a managed security service is for, and it is usually a fraction of the cost of one part-time security hire.

What is the single most important early signal to watch for?

Any unexpected change to your backup system. Backups are what the attacker has to defeat in order to make the ransom worth paying, so they target the backup server, the backup credentials, and the retention settings before they touch primary data. A backup job that suddenly fails, a repository whose free space drops, or a retention policy that was edited at an odd hour is the closest thing to a single-best-signal that exists. If a small business only monitored one thing, that would be it.

Should we run our own phishing simulations to spot the entry point?

Phishing simulations help measure how susceptible your team is, but they catch the entry stage, not the lateral-movement stage that this article is about. They are useful as part of a broader security awareness program. They do not replace detection at the endpoint, identity, and backup layers. Treat simulations as user-training, and treat behavior monitoring as attack detection. Both matter, and they answer different questions.

If we already have cyber insurance, do we still need detection?

Cyber insurance pays after a loss. Detection prevents a loss from happening, or shrinks a six-figure incident down to a two-hour interruption. They are not substitutes. In fact, most cyber insurance applications now require proof that you have endpoint detection, multi-factor authentication, and a tested backup process, and policies have started excluding losses where those controls were missing or disabled at the time of the incident. Detection has moved from nice-to-have to a coverage prerequisite for many carriers.

How quickly can a real ransomware crew encrypt our files once they start?

Modern ransomware payloads encrypt a typical small business file server in under an hour, sometimes in minutes for high-end groups using multi-threaded encryption. There is no time to react once that stage starts. The reaction window is the period before it begins, which is why the early signals matter so much. By the time the ransom note appears on a screen, the decision space has already collapsed to recovery options, not prevention options.

Where Should You Take The Next Step From Here?

For most small businesses on the Treasure Coast, the gap between current setup and meaningful early-warning detection is smaller than it looks. The pieces are EDR on every endpoint, sign-in monitoring on Microsoft 365 or Google Workspace, a backup system that alerts on tampering, and somebody who actually reads the alerts after hours. The hardest piece to build internally is the after-hours watch, and that is the part a managed security service watching the alerts overnight is purpose-built to handle. The signals are already on your network. The only question is whether anybody is listening when they appear.