Ransomware 101: How Attacks Really Start in Irish SMEs — and What Basic Measures Stop Most of Them.
On a Tuesday morning in Donegal, an employee opened an email that appeared to be from a courier company. It said a parcel was waiting for collection and asked them to click a link to arrange redelivery. They clicked. Nothing obvious happened. They carried on with their day. Three nights later, at 2am, ransomware activated across every system in the building. By 8am, the business had no access to its files, its accounting software, its customer records, or its email.
That is a true account of how most Irish SME ransomware attacks begin. Not with sophisticated hacking. Not with nation-state tools. With a single employee click on a convincing email.
What Is Ransomware?
Ransomware is malicious software that encrypts the files on a computer or network — making them completely inaccessible — then demands a payment, typically in cryptocurrency, in exchange for the key that restores access.
Modern ransomware operations are industrialised. Criminal groups operate as businesses — with developers who build the malware, affiliates who distribute it, and negotiators who handle the ransom demands. The ransomware-as-a-service model means that technically unskilled criminals can purchase access to sophisticated tools for a monthly subscription and a percentage of proceeds.
How Attacks Actually Start
Understanding how ransomware reaches Irish businesses is more useful than understanding how it works technically. The entry points are consistent.
Phishing email is the most common. An employee receives a convincing email impersonating a courier, a bank, a supplier, or a software provider. It contains a link or an attachment. The employee clicks. Malware installs silently. Days or weeks later, after the attackers have explored the network, identified the most valuable systems, and made sure the backups are compromised too, the ransomware deploys. The delay between infection and activation is deliberate.
Stolen credentials are the second most common entry point. An employee's password appears in a data breach, or is harvested by infostealer malware from a personal device on which they also log into work services. The attacker uses those credentials to log into the business's remote desktop service, Microsoft 365 tenant, or VPN. They explore the network from the inside, escalate their privileges, and deploy ransomware when ready.
Unpatched software provides a third route. Attackers actively scan the internet for known vulnerabilities in software that organisations have not updated. A web-facing server running outdated software can be compromised without any employee action at all.
Remote Desktop Protocol (RDP, normally TCP port 3389) exposed to the internet, a surprisingly common configuration in Irish SMEs where IT providers have set up remote access without adequate security controls, is scanned constantly by attackers looking for weak or reused passwords. Moving RDP to a non-standard port does not help; scanners check every port, not just 3389.
Has your IT provider confirmed which of your systems are accessible from the internet and what controls protect that access? If you are not certain, that uncertainty is your current risk. Book a free 20-minute strategy call — we can review your exposure.
What Happens After the Initial Access
The gap between infection and ransomware activation is a deliberate feature of modern attacks. Once inside your network, the attacker spends time understanding your environment — mapping your systems, identifying your backups, finding your most valuable data, and escalating their privileges to administrator level so they can affect the maximum number of systems when they deploy.
This dwell time — the period between initial access and the ransomware deploying — averages between 10 and 30 days in incidents affecting Irish SMEs. During this period, the attackers are also frequently exfiltrating data. When the ransomware activates and you see the demand, the attackers typically already have copies of your most sensitive files. The threat is not only that your systems are locked — it is that your data will be published if you do not pay.
This is why backups alone are no longer a complete defence. Restoring from backup solves the encryption problem. It does not solve the data exfiltration problem. And it does not solve the problem if the attacker spent three weeks inside your network and your backup contains their access tools.
The Basic Measures That Stop Most Attacks
The encouraging reality is that the vast majority of ransomware attacks that succeed against Irish SMEs succeed because basic controls were absent. Each of the entry points above has a straightforward countermeasure.
Against phishing: multi-factor authentication on all accounts means that even if an employee types their password into a phishing site, the attacker cannot use that password alone to log in. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where the service supports them, because proxy phishing kits can relay a one-time code in real time. MFA does nothing against the other phishing outcome, a malicious attachment that installs malware, so pair it with mail filtering that blocks executable and macro-enabled attachments and with endpoint protection on every machine. Security awareness training that shows staff what current phishing emails look like reduces the click rate. All of these are inexpensive.
Against stolen credentials: MFA again, combined with dark web credential monitoring that alerts you when business email addresses appear in breach databases, and a process to reset the password and revoke active sessions when they do. The credential is stolen at some point; the question is whether you know before it is used.
Against unpatched software: a consistent patching schedule covering operating systems, applications, and firmware, including the firewall, VPN appliance and any other edge device your IT provider manages. Automated patching where possible, a manual schedule where not. Monthly at minimum; weekly for internet-facing systems, and within days when a vendor confirms a vulnerability is being actively exploited.
Against exposed RDP and remote access: audit what is accessible from the internet, restrict RDP to VPN access only, enforce MFA on all remote access methods (the VPN itself included), and review what your IT provider has opened on your behalf.
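The patching and remote-access rules above can be turned into a repeatable check. The script below is an added example written for this article, not a tool from Pragmatic Security or any vendor: it takes the kind of list an IT provider should be able to produce (every internet-facing service, its port, how it is authenticated, whether it sits behind the VPN, and when the host was last patched) and flags anything that breaks the rules. The inventory format, the field names and the sample entries are constructed for the example.

```python
"""Remote-access exposure audit (added example; not the page's own tooling).

Applies the article's rules to an inventory of internet-facing services:
  * RDP must not be reachable directly; it belongs behind the VPN.
  * Every remote-access surface (RDP, VPN, webmail/M365, ...) must enforce MFA.
  * Internet-facing systems must be patched at least weekly.
The inventory format and field names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

MAX_PATCH_AGE_DAYS_INTERNET_FACING = 7   # "weekly for internet-facing systems"
REMOTE_ACCESS_KINDS = {"rdp", "vpn", "webmail", "m365", "citrix"}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    kind: str             # "rdp", "vpn", "m365", "web", ...
    mfa: bool             # is MFA enforced on this login surface?
    via_vpn: bool         # reachable only after a VPN login, not directly?
    patch_age_days: int   # days since the host was last patched


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str         # "critical", "high" or "medium"
    issue: str


def audit(inventory: Iterable[Service]) -> List[Finding]:
    """Return findings, worst first, so the top of the report is what to fix today."""
    findings: List[Finding] = []
    for s in inventory:
        # Rule 1: RDP must never be reachable straight from the internet.
        # The port is reported but not relied on: RDP on 33890 is still RDP to a scanner.
        if s.kind == "rdp" and not s.via_vpn:
            findings.append(Finding(s.host, s.port, "critical",
                "RDP reachable directly from the internet; close it or move it behind the VPN"))
        # Rule 2: every remote-access surface needs MFA, the VPN included.
        if s.kind in REMOTE_ACCESS_KINDS and not s.mfa:
            findings.append(Finding(s.host, s.port, "high",
                f"{s.kind} accepts password-only logins; enforce MFA"))
        # Rule 3: internet-facing hosts are patched at least weekly.
        if s.patch_age_days > MAX_PATCH_AGE_DAYS_INTERNET_FACING:
            findings.append(Finding(s.host, s.port, "medium",
                f"last patched {s.patch_age_days} days ago; internet-facing systems need weekly patching"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.severity], f.host, f.port))
    return findings


# Constructed sample inventory for the example; not data from any real audit.
SAMPLE_INVENTORY = [
    Service("fileserver.example.ie", 3389, "rdp",  mfa=False, via_vpn=False, patch_age_days=45),
    Service("vpn.example.ie",         443,  "vpn",  mfa=True,  via_vpn=False, patch_age_days=3),
    Service("outlook.office.com",     443,  "m365", mfa=False, via_vpn=False, patch_age_days=0),
    Service("www.example.ie",         443,  "web",  mfa=False, via_vpn=False, patch_age_days=12),
    Service("accounts.example.ie",    3389, "rdp",  mfa=True,  via_vpn=True,  patch_age_days=2),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():8}] {f.host}:{f.port} - {f.issue}")
```

Run as-is it reports the directly exposed, password-only, six-weeks-unpatched RDP host first, then the Microsoft 365 tenant without MFA, then the stale public web server; the VPN with MFA and the RDP host that is only reachable through it produce nothing. The script checks what the provider declares; confirming the declaration means scanning your public IP range from outside, which is a separate step.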
Why This Matters to Your Business Right Now
The NCSC Ireland recorded a significant increase in ransomware incidents affecting Irish SMEs in 2024 and 2025 [^1]. The Garda National Cyber Crime Bureau has noted that ransomware attacks on Irish businesses have become more targeted, with attackers conducting reconnaissance on specific businesses rather than mass-deploying indiscriminate campaigns [^2]. Donegal, Sligo, and the North-West are not exempt from this pattern.
The businesses that recover from ransomware quickly are those that had tested, isolated backups, a clear incident response plan, and adequate cyber insurance before the attack. The businesses that do not recover — and some do not — are those that had none of these things and were making those decisions under pressure, with no systems available and a ransom demand on every screen.
What Next
Audit your remote access. Ask your IT provider to list every service accessible from the internet and confirm what authentication is required for each. RDP without VPN and MFA should be closed or secured immediately.
Enable MFA on all accounts this week. Start with email, then move to any cloud service your business uses. Microsoft 365 and Google Workspace both support MFA at no additional cost.
Verify your backup is isolated. A backup connected to the same network as your primary systems, or deletable with the same administrator credentials, can be wiped or encrypted alongside those systems. Confirm with your IT provider that at least one backup copy is stored offline or in an immutable cloud location that your normal systems cannot overwrite. Ask also how long that immutability lasts: the retention window must be longer than the time an attacker may spend inside your network before deploying, otherwise they simply wait for the last clean copy to expire. And confirm that a restore has actually been tested, not just that the backup job reports success.
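The questions in the backup step above can be asked of an inventory rather than remembered. The following is an added example for this article, not the page's own or any backup vendor's tool: it takes a list of backup copies as the provider describes them and decides, per copy, whether it would still exist after an attacker with domain-admin credentials and the dwell time described earlier (taken here as 30 days, the upper end the article gives) has had their way with the network. The field names, the 30-day and 90-day thresholds and the sample copies are assumptions constructed for the example; checking the real object-lock or retention state means querying the storage provider, which this script does not do.

```python
"""Backup isolation check (added example; not the page's own or a vendor's tool).

A copy counts as isolated only if normal systems and domain credentials cannot
overwrite it: it is offline, or it is immutable for longer than the attacker's
expected dwell time. A copy also has to have been restore-tested recently,
since an untested backup is an assumption rather than a control.
Thresholds and field names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAX_DWELL_DAYS = 30          # upper end of the dwell time quoted in the article
MAX_RESTORE_TEST_AGE = 90    # assumption: a restore test older than a quarter is stale


@dataclass(frozen=True)
class BackupCopy:
    name: str
    offline: bool                 # physically disconnected (tape, rotated drive)
    immutable_days: int           # 0 = overwritable; else object-lock / retention-lock days
    domain_creds_suffice: bool    # can a domain admin delete or overwrite it?
    last_restore_test_days: int   # days since someone actually restored from it


def why_not_isolated(c: BackupCopy) -> str:
    """Empty string if the copy survives a domain compromise, else the reason it does not."""
    if c.domain_creds_suffice:
        # Same credentials as the systems being encrypted: the attacker deletes it first.
        return "deletable with the same domain credentials the attacker will hold"
    if c.offline:
        return ""
    if c.immutable_days == 0:
        return "online and overwritable"
    if c.immutable_days <= MAX_DWELL_DAYS:
        # The attacker can wait this out before detonating.
        return (f"immutable for only {c.immutable_days} days, "
                f"within the {MAX_DWELL_DAYS}-day dwell window")
    return ""


def is_isolated(c: BackupCopy) -> bool:
    return why_not_isolated(c) == ""


def assess(copies: Iterable[BackupCopy]) -> Dict[str, object]:
    """Per-copy verdicts plus the list of copies you could actually restore from after an attack."""
    report: Dict[str, Dict[str, object]] = {}
    for c in copies:
        reason = why_not_isolated(c)
        tested = c.last_restore_test_days <= MAX_RESTORE_TEST_AGE
        report[c.name] = {"isolated": reason == "", "reason": reason, "restore_tested": tested}
    usable: List[str] = [n for n, r in report.items() if r["isolated"] and r["restore_tested"]]
    return {"copies": report, "usable_after_compromise": usable, "ok": bool(usable)}


# Constructed sample inventory for the example; not data from any real business.
SAMPLE_COPIES = [
    BackupCopy("nas-nightly",  offline=False, immutable_days=0,  domain_creds_suffice=True,  last_restore_test_days=10),
    BackupCopy("cloud-bucket", offline=False, immutable_days=14, domain_creds_suffice=False, last_restore_test_days=20),
    BackupCopy("offsite-tape", offline=True,  immutable_days=0,  domain_creds_suffice=False, last_restore_test_days=400),
]

if __name__ == "__main__":
    result = assess(SAMPLE_COPIES)
    for name, r in result["copies"].items():
        status = "isolated" if r["isolated"] else f"NOT isolated: {r['reason']}"
        tested = "tested" if r["restore_tested"] else "restore untested"
        print(f"{name:13} {status}; {tested}")
    print("usable after compromise:", result["usable_after_compromise"] or "none")
```

The sample set looks like three backups and is actually zero: the NAS goes with the domain, the cloud bucket's 14-day lock is shorter than the time the attacker has already been inside, and the tape has never been shown to restore. Raising the bucket's lock above the dwell window, or restore-testing the tape, is what turns "we have backups" into a recovery plan.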
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Immutable, Offline and Cloud Backups: The Last Line of Defence Against Ransomware
- Your Business Password Is on the Dark Web. It Got There in 48 Hours.
- Preparing for and Responding to a Ransomware Attack When You Have No IT Team
[^1]: NCSC Ireland — Annual Cybersecurity Report 2024
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.