iKonyk Solutions - Providing Canadian Businesses with Dependable IT Services

Ransomware in 2026: What Businesses Need to Know

Ransomware used to be something that happened to hospitals and big corporations. Companies with data worth millions. Targets big enough to make the news.

That’s not the world we’re in anymore.

In 2026, over two-thirds of ransomware attacks target businesses with fewer than 500 employees. Not because attackers have gotten sloppy — because they’ve gotten smart. Small businesses are easier to compromise, less likely to have good defences, and often willing to pay a smaller ransom quickly just to make the pain stop.

If you run a small business in Calgary, this is worth understanding.

What ransomware actually is

Ransomware is malicious software that encrypts your files — locks them so you can’t open them — and then demands payment in exchange for the key to unlock them.

When it runs, it doesn’t just hit one file on one computer. A well-designed ransomware attack spreads across your network and encrypts everything it can reach: workstations, shared drives, cloud-synced folders, sometimes backups. You show up Monday morning and nothing opens. Every file replaced with an error. Every folder the same.

Then a message appears telling you how much to pay and where to send it.

How they get in

Three entry points account for the vast majority of attacks on small businesses:

Phishing email. Someone on your team clicks a link or opens an attachment that looked legitimate. That one click installs software that quietly establishes access. The actual ransomware deployment often happens days or weeks later, after the attacker has mapped out your network.

Stolen credentials. Your employee reused a password that was leaked in a breach somewhere else. The attacker buys that credential list — they’re sold openly on the dark web — logs into your VPN or remote desktop with a valid username and password, and walks right in.

Unpatched software. A known vulnerability in your Windows installation, your firewall, or your remote access tool hasn’t been patched. Attackers scan the internet for these. It’s automated, constant, and doesn’t care whether you’re a target or just convenient.

What all three have in common: they’re preventable. None of them require sophisticated defences.

What’s changed in 2026

A few things have shifted that make this more urgent:

Ransomware as a Service. Criminal groups now sell ransomware kits the way software companies sell subscriptions. You don’t need technical skills to launch an attack — you just need to pay for the kit and follow the instructions. This has dramatically lowered the barrier to entry, which means more attackers, more attacks, and less predictability about who’s behind them.

Double extortion. Attackers don’t just encrypt your data anymore. They copy it first. So even if you have good backups and can restore without paying the ransom, they threaten to publish your client data, your financials, your private correspondence. This pressure has changed the calculus for a lot of businesses.

AI-assisted phishing. The obvious grammatical errors that used to make phishing emails easy to spot are disappearing. AI tools now write convincing, contextually appropriate emails at scale. An email that looks like it came from your accountant, references your actual business name, and asks you to review a document — that’s the new normal.

What actually helps

The good news is that the defences against ransomware aren’t exotic. They’re the same things security professionals have been recommending for years — but they have to actually be in place, not just on a to-do list.

Multi-factor authentication on everything. Especially email, remote access, and any cloud service. A stolen password alone doesn’t work if the attacker also needs your phone.

Proper backups — including offline or immutable copies. If your backups are connected to your network, a ransomware attack can reach them too. You need at least one copy that the ransomware can’t touch. Test restores matter too — a backup that hasn’t been tested is a hope, not a plan.

Patch management. Updates applied consistently, not when someone gets around to it. The vulnerabilities attackers exploit most are usually not zero-days — they’re known issues that have been sitting unpatched for months.

Email filtering. A good spam and phishing filter catches a significant portion of malicious emails before they reach your team. Not all of them — but the ones that get through are at least the harder ones.

Staff awareness. Your team is your first line of defence and your biggest vulnerability. A fifteen-minute training session once a year isn’t enough. Regular, brief reminders — especially around what to do when something seems off — make a real difference.

If it does happen

Don’t pay immediately. Contact your IT provider or a cybersecurity incident response firm first. Payment does not guarantee decryption — roughly 40% of businesses that pay don’t fully recover their data. Law enforcement in Canada recommends reporting ransomware attacks to the RCMP’s Report Cybercrime and Fraud portal, which also gives you access to resources you may not know about.

If you have good offline backups, restoration is painful but survivable. If you don’t, your options are limited.

The time to have this conversation is before it happens.

Book a call with us and we’ll walk through where your biggest gaps are. No pressure, no alarmism — just a clear-eyed look at where you stand.

Paul Konyk

Founder of iKonyk Solutions — a Calgary-based managed IT company serving small businesses across Alberta. With 30+ years of IT experience, Paul helps businesses stay secure, productive, and on top of their technology. Book a free call to talk through your IT needs.
