The call arrives on a Monday morning. Not because something just happened. Because someone finally realized something happened on Friday, and spent the weekend hoping it would fix itself.
That is how most ransomware events actually start. There is no alarm. No dramatic notification. It starts with an employee who can’t open a file and assumes it’s a software glitch. Another employee reports the same problem. A manager tries to log into the server and finds something unexpected waiting.
By Monday morning, “something weird with the computers” has become a business continuity crisis.
Attackers Aren’t Looking for Famous Targets.
They’re Looking for Undefended Ones.
The mental image most business owners carry is a foreign government hitting a hospital system. A headline event. Something that happens to someone else. The reality is quieter and considerably closer to home.
An operation with 40 employees, a shared drive, and a backup system nobody has tested in two years is a more attractive target than a Fortune 500 company with a full security team. Smaller ransom demands are more likely to get paid. Smaller operations have fewer resources to mount a defense or a recovery.
According to Verizon’s 2025 Data Breach Investigations Report, ransomware appeared in 44 percent of all confirmed breaches last year. For small and mid-size businesses specifically, ransomware appeared in 88 percent of breaches, compared to 39 percent for large enterprises. The median ransom payment reached $115,000. Attainable enough to get paid. Low enough to avoid serious regulatory attention.
Indiana is not immune. Organizations across the state, including manufacturers, government offices, and small businesses, have already been hit. We have compiled links to documented incidents at the bottom of this article. We are not in the business of calling anyone out. What we do believe is that Indiana businesses deserve accurate information about what is happening in their own backyard.
Why Smart People Let This Happen
Most operations managers we talk to know, at some level, that their security posture isn’t where it should be. They inherited the environment. They’re running a business with tight margins and limited staff. The IT vendor they have is responsive enough when something breaks. The backup system is probably fine.
“Probably fine” is where most ransomware events are born.
This is not carelessness. Most businesses focus on the problems they can already see. Nothing bad has happened yet. The operation is running. The assumption is that the current setup is working because nothing has proven otherwise.
Until the Monday morning we’re talking about here.
What the First 72 Hours Actually Look Like
Hour one: Discovery. An employee reports they can’t access files. IT is called. The shared drive is encrypted. Possibly the backup server too, if it was connected to the same network segment. The ransom note appears on affected machines.
Hours two through six: Isolation and assessment. If the business has an IT partner with a documented incident response plan, they’re already engaged. If not, this is when the frantic calls begin. Who do we contact? What do we do first? Can we just pay it and get back to work?
That last question is more complicated than it sounds. Paying the ransom doesn’t guarantee data recovery. Many organizations that pay still experience prolonged outages and permanent data loss. Paying also doesn’t remove the attacker. Organizations known to pay are frequently targeted again.
When the Real Cost Becomes Visible
Manufacturers watch production stop. A 3PL sees customer shipments delayed while the phones start ringing. Construction companies find project management systems and financial records inaccessible, with a job site waiting on information nobody can reach.
Customer communication becomes a crisis of its own. If the attack exposed customer or employee data, regulatory notification requirements apply. Insurance carriers need notification within specific timeframes.
The Cost Is More Than the Ransom
This is the part most businesses do not fully reckon with until they are living it. The ransom itself represents roughly 15 percent of the total financial impact of a ransomware event. The rest is everything else: the days you cannot operate, the customers you cannot serve, the payroll you still owe, the forensic investigators, the legal counsel, the mandatory breach notifications, and the systems that need rebuilding from scratch.
The average ransomware event takes 24 days to recover from (Huntress, 2026). For a business running on tight margins, 24 days of degraded or suspended operations is not an IT problem. It is an existential one. The total incident costs for small and mid-size businesses range from $120,000 to $1.24 million per event (VikingCloud, 2025). To put that in context: 40 percent of SMBs say an unexpected expense of $100,000 would likely end their business (VikingCloud, 2025). A Mastercard study of more than 5,000 SMB owners found that nearly one in five businesses that experienced a cyberattack went bankrupt or closed entirely (Mastercard, 2025).
The ransom demand is the number attackers put in front of you. The number that actually determines whether your business survives is the one that never appears in the ransom note.
A Backup Connected to the Same Network, Is a Problem
When backups are clean, tested, and isolated from the primary network, recovery is painful but manageable. Systems come back online, operations resume, and the incident becomes a forcing function for better practices.
When backups are encrypted alongside the primary systems, which happens when backup storage sits on the same network without segmentation, the options narrow fast. Pay and hope. Attempt forensic recovery. Rebuild from scratch.
Most businesses in that position have never thought through which option they would choose. Because they have never had to.
What You Can Do About This Before Monday Morning
Three things separate the businesses that recover fast from the ones that don’t.
Start with a documented incident response plan, with a named person responsible for each step. Not a general idea. A written document, reviewed at least once a year.
Next, verify that your backup systems are tested, isolated, and confirmed to actually restore. A backup that has never been tested is not a backup. It’s an assumption.
Finally, get a clear picture of where your biggest exposures actually are. Remote desktop access, reused credentials, and unpatched systems cover most of the attack surface we see in Indiana SMB environments. The CIS Community Defense Model v2.0 identifies Remote Desktop Protocol and unsecured credentials as the top two attack vectors by frequency across ransomware incidents. The Fortinet 2025 Global Threat Landscape Report found that in 88 percent of observed lateral movement cases, attackers used RDP to move through a victim’s network. All three exposures are identifiable, fixable, and none require a major budget to address.
One More Thing Worth Saying
If you’re not certain what your organization would do in the first six hours of an event like this, that uncertainty is worth resolving before it becomes urgent.
DTS offers complimentary cyber risk assessments for Indiana businesses. No sales pitch. No commitment. Just a clear, honest look at what’s actually happening in your environment. If you want that clarity before it becomes urgent, start at diversetechservices.com/cyber-risk-assessment.
Diverse Tech Services has been providing managed IT and cybersecurity to Indiana businesses for more than 25 years. We are Indiana’s largest MBE-certified managed IT solutions provider, serving manufacturers, logistics companies, construction firms, and small businesses across the state. Learn more at diversetechservices.com.
Indiana Incidents and Related Resources
Ransomware is not a distant threat. It is happening to Indiana organizations right now. The links below point to publicly reported incidents and current threat analysis. We are not highlighting these to shame anyone. Ransomware can hit any organization, regardless of size, industry, or how carefully they have managed their technology. Our goal is simply to make clear that this is a local issue, not a distant one, and that Indiana businesses deserve access to accurate information about the threat environment they are operating in.
Ransomware Attack Forces Full Network Rebuild at Indiana Law Enforcement Agency, IDS News, March 2026
Indiana Manufacturer Responds to Ransomware Attempt and Employee Data Exposure, The Reporter, December 2024
Why Ransomware Targets SMBs and Its Impact in 2026, Portland Managed Services, February 2026
The State of Ransomware 2026: Q1 Analysis, BlackFog, 2026
Works Cited
Huntress. “Ransomware Attack Statistics.” Huntress, 2026, www.huntress.com/ransomware-guide/ransomware-attack-statistics.
Mastercard. “Cybersecurity Assessment Report: U.S. SMB Study.” Mastercard, 2025, www.mastercard.us/content/dam/public/mastercardcom/na/us/en/documents/cybersecurity-assessment/report-us-basic-3.pdf.
VikingCloud. Cited in “Small Business Cybersecurity Statistics 2025.” StationX, 2025, app.stationx.net/articles/small-business-cybersecurity-statistics.
Verizon Business. 2025 Data Breach Investigations Report. Verizon, 2025, www.verizon.com/business/resources/reports/dbir/.
Center for Internet Security. “CIS Community Defense Model v2.0.” CISecurity.org, 2021, www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0.
Fortinet FortiGuard Labs. 2025 Global Threat Landscape Report. Fortinet, 2025, www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2025.pdf.
National Institute of Standards and Technology. Cybersecurity Framework 2.0. NIST, 2024, www.nist.gov/cyberframework.
Frequently Asked Questions
What is ransomware and how does it affect small businesses? Ransomware is malicious software that encrypts a business’s files and demands payment to restore access. For small and mid-size businesses, the primary impact is operational: production stops, data becomes inaccessible, and recovery costs typically far exceed the ransom demand itself.
How do ransomware attackers choose their targets? Attackers prioritize accessibility over name recognition. Businesses with weak credential practices, unpatched systems, and poorly segmented networks are high-value targets regardless of size or industry. Small manufacturers, logistics companies, and construction firms are common targets across Indiana.
What should a business do immediately after discovering a ransomware attack? Isolate affected systems from the network immediately to stop the encryption from spreading. Contact your IT provider or an incident response service. Do not pay the ransom without consulting legal and IT counsel first. Document everything from the first moment of discovery for regulatory and insurance purposes.
How much does ransomware recovery actually cost a small business? Total recovery costs for small and mid-size businesses range from $120,000 to $1.24 million per incident. The ransom payment itself is typically the smallest part of the total — roughly 15 percent. The majority of the cost comes from downtime, lost revenue, emergency IT response, legal and notification fees, and system restoration.
How can Indiana small businesses protect against ransomware? The most effective protections are consistent and accessible: tested, isolated backups; multi-factor authentication on all accounts; current software patches; and a written incident response plan. A cyber risk assessment is a practical starting point for understanding your specific exposure.