How Ransomware Actually Works: A Step-by-Step Attack on Your Business

You're the perfect target. You probably don't know it yet.

A ransomware attacker can research your 22-person business in 40 minutes using publicly available information. They can compromise your most critical employee in 4 minutes using a $14 credential purchase. They can infiltrate your systems using your own security tools against you. And they can encrypt everything—payroll, customer data, project files, supplier relationships—in a Friday afternoon attack that takes you down for weeks.

At Lewis IT, we've helped construction firms, mortgage and title companies, education institutions, and CPA/accounting businesses understand exactly how these attacks unfold. We've also shown them the five specific controls that stop ransomware dead—controls bundled into security tools most small businesses already pay for but don't properly configure.

What follows is a step-by-step walkthrough of a real ransomware attack—written from the attacker's perspective. After you understand how the attack works, we'll show you exactly where it would have failed with proper security controls.

This isn't theory. This is how ransomware operations actually target small businesses in your industries right now.

Why Small Businesses Are the Preferred Target

Lewis IT investigates ransomware incidents regularly for construction companies, mortgage/title firms, education institutions, and accounting practices. The pattern is always the same: small businesses are targeted far more frequently than large enterprises.

Here's why attackers prefer your size:

Large enterprises have dedicated security teams, incident response contracts with forensic investigators, and legal resources that make recovery expensive and complicated for attackers.

Sole traders and micro-businesses rarely have enough at stake to justify the effort.

Small businesses (10-50 employees) sit in the perfect targeting zone: enough payroll, customer data, and project files to be worth attacking, no dedicated security team to defend the business, and a publicly traceable footprint.

A 22-person business is ideal. You have revenue to pay ransom. You have no cybersecurity staff watching for attacks. You have public records showing exactly who works for you and what you do.

Attackers target roughly 40 prospects per month at this size, because the economics work.

Monday: How Attackers Pick You

For construction companies: Attackers search federal contract databases and state licensing registries. They identify contractors with recent contract awards, project timelines, and deadlines. They know contractors will pay ransom rather than miss a job deadline.

For mortgage and title companies: Attackers search state lending registries and title company databases. They identify firms processing high-volume closings. They know title companies will pay ransom because every day of downtime means tens of thousands in lost revenue.

For education institutions: Attackers search school district databases and accreditation records. They identify districts by budget size and number of students. They know schools will pay ransom because student records have legal protections with heavy penalties for loss or breach.

For CPA and accounting firms: Attackers search state licensing databases and IRS contractor registries. They identify practices by client volume and revenue. They know accounting firms will pay ransom because tax deadline season creates artificial urgency.

The Research Phase (Free)

Lewis IT helps clients understand that attackers don't use sophisticated hacking—they use public records.

State business registries publish business names, registered agents, and contact information. Federal contract award databases list project values and named contacts. County licensing databases show business type and estimated revenue. LinkedIn shows organizational structure with job titles and years of employment.

One search tells an attacker:

  • Your business name and registered address
  • Your likely revenue (based on contract awards or licensing class)
  • The name and title of your office manager (finance staff)
  • Whether anyone handles accounts payable/payroll
  • How long financial staff have been employed
  • What software you probably use (searched through job postings)

A clean business record—no prior security incidents, no breach announcements—is the strongest signal attackers look for. It tells them:

  • Credentials are probably still valid
  • Staff hasn't been trained on ransomware
  • Passwords haven't been changed recently
  • Security controls are likely minimal

Total cost to attacker: $0.

LinkedIn and Social Media Intelligence

Attackers spend 40 minutes building your organizational chart using only a browser.

For a construction company: LinkedIn shows project managers with specific projects listed, equipment operators, and administrative staff. Facebook posts show job site photos with dates and locations. LinkedIn recommendations from clients confirm project work.

For a mortgage/title company: LinkedIn shows loan officers, title processors, and administrative staff with specific responsibilities listed. The office manager's profile says "accounts payable, payroll, and closing document preparation." A second employee joined 14 months ago and handles "document processing and compliance."

For an education institution: LinkedIn shows teachers, administrators, and support staff. Photos of staff are published in school newsletters. Alumni pages list current employees. School board meeting minutes published online identify key decision-makers.

For an accounting firm: LinkedIn shows CPAs, tax specialists, and administrative staff. Bios list specific service areas. Client lists are sometimes published. Job postings indicate which software (QuickBooks, ProConnect, CCH) the firm uses.

The primary target emerges clearly: The person who handles money and system access—usually the office manager, bookkeeper, or administrator.

Why? They have legitimate access to the systems attackers want. They're busy enough that one more email in their inbox doesn't get scrutinized. They're often less technically sophisticated than owners or executives.

Total cost to attacker: $0.

Tuesday: Building Your Organizational Chart for Free

For a 22-person construction company, attackers spend 40 minutes on this:

  • LinkedIn: Eight current employees with job titles. Project managers list specific projects. Administrative staff list responsibilities like "accounts payable, supplier invoicing, schedule management."
  • Public business filings: Legal name, registered agent, estimated revenue from contracting awards
  • Facebook: "Meet the team" photos with first names. Comments from family members (revealing relationships)
  • Job postings: Recent Indeed or LinkedIn postings show which software is used (QuickBooks, construction management platforms like Procore)
  • Google reviews: You've left reviews mentioning your IT support company by name

For a mortgage/title company:

  • LinkedIn shows loan officers, processors, title staff with specific specialties
  • Company website lists staff with photos and credentials
  • State licensing board lists registered agents
  • Recent contract wins are announced on company website

For an education institution:

  • School website lists administrators, teachers, department heads
  • LinkedIn profiles reveal staff credentials and tenure
  • School board meeting minutes identify key decision-makers
  • Staff directories are often published (sometimes in employee handbooks available online)

For a CPA/accounting firm:

  • Firm website lists partners, CPAs, tax specialists, administrative staff
  • LinkedIn profiles show specific service areas and client industries
  • State CPA board lists registered practitioners
  • Bios mention years of experience and specializations

The result: Attackers now know who to target, what their responsibilities are, what software they use, and how long they've been in their role.

Total spend by attacker: $0.

Wednesday: I Bought Your Credentials for $14

This is where the attack becomes real.

What Are Stealer Logs?

Stealer logs are credential packages harvested by infostealer malware that infected someone's personal device—often years earlier.

How stealer malware works:

  1. User downloads pirated software, a "free" tool, or malicious browser extension
  2. The malware installs on their personal computer
  3. The malware records every username and password they type into their browser
  4. The malware records saved passwords stored in browsers
  5. The malware periodically uploads harvested credentials to underground forums
  6. Attackers buy credential packages for $10-20 each, searchable by company domain

Lewis IT has discovered stealer log packages from clients' employee personal devices. We've found:

  • Office manager's work email credentials (password saved in personal browser)
  • Family member's Gmail account using the same password as company Microsoft 365
  • Construction supervisor's personal email with company credentials stored
  • Accounting clerk's personal banking credentials mixed with business system logins

The Credential Purchase

An attacker searches the stealer log marketplace by your company email domain. They find:

  • Your office manager's work email with password (saved in her personal browser years ago)
  • Your family member's personal email with the same password variant (from shared home network)

They pay $14 for the package. It takes four minutes.

Your office manager's password follows a common pattern: a pet or child's name + birth year + exclamation mark. An attacker checks it against HaveIBeenPwned—a free database security professionals use—and finds it appeared in a retail loyalty program breach three years ago. The password hasn't been changed since.

The family member's credentials are more interesting. The same password with minor variations appears across:

  • A streaming service account
  • A gaming account
  • Your company's Microsoft 365 login

The attacker now has valid credentials for your business email system.

Why This Works for Your Industries

Construction companies: Site managers and project coordinators often reuse personal email passwords across business systems. Equipment ordering systems get the same passwords as personal email.

Mortgage/title companies: Loan officers and processors often share passwords or reuse personal credentials. The loan origination system, email, and personal accounts share the same password.

Education institutions: Teachers and staff often reuse passwords across school systems, personal email, and third-party educational platforms. Budget passwords are shared among administrative staff.

CPA/accounting firms: Tax preparers and bookkeepers often reuse passwords across QuickBooks, personal email, and bank portals. Accountants in a practice often know each other's passwords.

Total spend to attacker: $14.

Thursday: Getting Past Your MFA (Multi-Factor Authentication)

Multi-factor authentication stops many attacks. But the implementation matters more than having it enabled.

Why Simple Push-Bombing Fails Now

Microsoft enabled number matching by default for all Microsoft Authenticator push notifications in May 2023. Instead of just tapping "approve," users must type a number from their login screen. This stops simple push-bombing attacks.

But attackers have a new technique that still works: Adversary-in-the-Middle (AiTM) Phishing.

How AiTM Phishing Works

  1. Attacker hosts a proxy page that mirrors the real Microsoft 365 login screen perfectly
  2. Attacker sends your office manager an email designed to look like a routine Microsoft 365 security alert:
    • Subject: "Unusual login activity detected on your account"
    • Content: References the same breach you got her credentials from
    • Link: "Verify your identity by clicking here"
  3. Office manager clicks the link and sees the fake but perfect Microsoft login screen
  4. She enters her password into the fake screen
  5. She approves the MFA prompt on her authenticator
  6. The proxy forwards both to Microsoft's real servers and captures the session token
  7. Microsoft validates the login and issues the session token
  8. She sees "login successful" on what she thinks is the real Microsoft site
  9. The attacker now has her session token in their browser

Microsoft sees a valid authenticated session. The attacker's activity looks completely legitimate.

The Backup Plan

If the phishing email doesn't get clicked, the attacker has a backup. They call your office earlier in the day:

Call from attacker (posing as IT support):

  • "Hi, this is [IT Support Company Name] that you use. We're seeing unusual login activity on your office manager's account."
  • "We need her to approve a verification push in the next few minutes."
  • "Can you let her know we'll be sending it?"
  • Receptionist: "She's not at her desk right now."
  • Attacker: "No problem, I'll try again later."

The call cost nothing. It also plants a seed. When the real phishing email arrives later, the office manager is more likely to believe it's a legitimate security alert.

By Thursday night, the attacker is inside your office manager's Microsoft 365 account.

They set up an inbox forwarding rule so her emails copy to an address they control—without notifying her.

Why This Works for Your Industries

Construction companies: Project managers and administrators receive legitimate security alerts regularly. An alert about unusual construction software access seems credible.

Mortgage/title companies: Loan officers and processors receive compliance alerts constantly. A security notification about account access seems routine.

Education institutions: Teachers and administrators receive password reset notifications regularly from school districts. A phishing email mimicking this looks legitimate.

CPA/accounting firms: Tax professionals receive countless security notifications from tax software providers. A phishing email about account verification fits the pattern perfectly.

Total spend by attacker: $0 (plus captured session token).

Friday 2:47pm: Why the Attacker Waited 36 Hours Before Encrypting

After gaining access Thursday night, the attacker doesn't encrypt immediately. They spend 36 hours reading your email.

Why? To size the ransom correctly.

What They Learn in 36 Hours

In your forwarded emails, the attacker finds:

For a construction company:

  • Upcoming project with a "hard deadline we cannot miss"
  • Budget for the project (mentioned in email to project manager)
  • Supplier contracts showing payment terms
  • Bank reconciliation showing liquid assets
  • Customer list with project values

For a mortgage/title company:

  • Cyber insurance policy with coverage limits (usually $250,000-$500,000)
  • Bank reconciliation showing business account balance
  • Closing schedules for upcoming weeks
  • Client contact list
  • Title search volumes and revenue per closing

For an education institution:

  • Budget documents showing fund balances
  • Student roster data (high-value for ransom threats)
  • Teacher payroll information
  • State funding announcements
  • Grant documentation

For a CPA/accounting firm:

  • Client list with billing rates
  • Bank reconciliation showing business account balance
  • Tax deadline calendar
  • Payroll information
  • Pending tax return volumes

Ransom Sizing

The attacker sets ransom at exactly what they know you can access—but not so high you'll fight it.

Example: Your construction company

  • Cyber insurance sub-limit: $250,000
  • Bank account balance: $180,000
  • Next project starts in 3 weeks with hard deadline

Attacker sets ransom at $65,000.

Why this number?

  • Low enough that you'll pay rather than fight it ($65,000 vs. $250,000 policy limit)
  • High enough that it's worth their time
  • Well within what they know you can access
  • Below the 10% liquid assets threshold (which triggers payment contests)

The Encryption Timing

Friday 2:47pm is deliberate.

The attacker knows:

  • Your bookkeeper finishes at 3pm on Fridays (from out-of-office replies in forwarded emails)
  • You're on a job site (your calendar is synced to the shared inbox)
  • The person most likely to notice something wrong (bookkeeper) is leaving
  • The person with authority to decide about ransom (you) is unreachable
  • By evening, everyone is home for the weekend

By the time anyone understands what's happened:

  • Every file on the shared drive is encrypted
  • A ransom note sits on every screen
  • It's Friday evening—no one to call for help
  • The weekend gives attackers time to negotiate before response resources mobilize

Total cost to attacker: $14 for credentials + 6 hours of work across the week.

Five Places This Attack Would Have Died

Lewis IT has helped construction, mortgage/title, education, and accounting firms implement these five controls. Each one is bundled into security tools most small businesses already pay for—but don't use properly.

Control 1: Password Management and Breach Detection

What stops the Wednesday credential purchase:

Microsoft Entra Password Protection (included in Microsoft 365) detects and blocks:

  • Reused passwords
  • Commonly compromised passwords
  • Passwords appearing in breach databases
  • Weak password patterns

Implementation:

  • Enable password ban on compromised credentials
  • Enforce unique passwords per account (via password manager)
  • Block common patterns (pet names + years, etc.)
  • Implement HaveIBeenPwned integration

For your industries:

  • Construction: Prevent project managers from reusing personal email passwords
  • Mortgage/title: Block loan officers from using personal banking passwords on business systems
  • Education: Force teachers to use unique passwords on school systems
  • Accounting: Prevent tax preparers from reusing personal passwords on QuickBooks

If this was in place: Attacker's Wednesday credential purchase would have failed immediately.

Control 2: Phishing-Resistant MFA

What stops the Thursday AiTM phishing attack:

Microsoft already blocks simple push-bombing attacks (number matching enabled May 2023). The current dominant attack is AiTM phishing that captures session tokens.

Defenses that stop AiTM:

Option A: FIDO2 Hardware Security Keys

  • User plugs in USB key during login
  • MFA is hardware-bound, not network-relatable
  • Captured session token is useless without the physical key
  • Cost: $30-60 per key

Option B: Passkeys

  • Biometric or PIN-based authentication
  • Cryptographic keys stay on user device
  • No session token an attacker can use remotely
  • Built into Windows Hello for Business

Option C: Conditional Access Policies (included in Microsoft 365)

  • Require compliant or hybrid-joined device for login
  • Block login from non-managed devices or unusual locations
  • Captured session token doesn't work from attacker's IP address

For your industries:

  • Construction: Require hardware keys for project management system access
  • Mortgage/title: Require hardware keys for loan origination system access
  • Education: Require hardware keys for student information system access
  • Accounting: Require hardware keys for QuickBooks and tax system access

If this was in place: Attacker's Thursday phishing attack would have failed. Even the captured session token would have been useless.

Control 3: Block External Email Forwarding

What stops the forwarding rule used to read 36 hours of email:

Microsoft 365 allows administrators to block external email forwarding rules at the tenant level.

Implementation:

  • Tenant-level policy preventing any external mail forwarding
  • Blocks attacker from silently copying emails to external address
  • Removes 36-hour dwell time advantage

For your industries:

  • Construction: Prevent project details from being forwarded to external addresses
  • Mortgage/title: Stop closing documents from being forwarded externally
  • Education: Block student records from external forwarding
  • Accounting: Prevent client information from being forwarded out

Cost: Configuration change (0 cost), included in Microsoft 365

If this was in place: Attacker's inbox forwarding rule would have failed. They'd still encrypt, but they'd be guessing on ransom size.

Control 4: Security Alert Monitoring

What stops the 36-hour dwell time:

Microsoft Defender for Business (included in Microsoft 365 Business Premium) generates alerts when:

  • New inbox forwarding rules are created
  • Unusual sign-in activity occurs
  • Suspicious admin activity is detected
  • Potential data exfiltration happens

Implementation:

  • Alerts are generated automatically
  • Someone reviews alerts daily or within 4 hours
  • Alerts route to visible locations (email, Teams, ticketing system)
  • Response procedures are established

For your industries:

  • Construction: Monitor project management system access
  • Mortgage/title: Monitor loan origination system activity
  • Education: Monitor student information system access
  • Accounting: Monitor QuickBooks and client portal access

Cost: Minimal (alerts are free; someone needs to review them)

If this was in place: Attacker would have been detected Thursday night when the forwarding rule was created.

Control 5: Social Media Awareness

What prevents the public intelligence gathering:

You can't unpublish a state contracting registry or federal contract award. But you can control what your team posts about their specific responsibilities.

The office manager's LinkedIn profile stated: "Accounts payable, payroll, supplier invoicing, and project scheduling"

This detail made her the obvious target.

Implementation:

  • Brief team on security implications of job title specificity
  • Encourage vague descriptions ("administrative responsibilities")
  • Avoid listing specific systems or processes
  • Remove work details from personal social media

For your industries:

  • Construction: Don't list specific projects or budget sizes on LinkedIn
  • Mortgage/title: Don't list specific lending volumes or deal types
  • Education: Don't list specific student counts or demographic details
  • Accounting: Don't list specific client count or revenue

Cost: Conversation with team (free)

If this was in place: Attacker would still find your office manager, but might target a different person with less valuable information.

Three Questions to Send Your IT Provider Right Now

These questions cover where this attack would have failed. Each corresponds to a control bundled with tools you likely already pay for:

Question 1: "Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins?"

Why this matters: AiTM phishing (the attack method in this walkthrough) only works against standard MFA. Phishing-resistant MFA stops it completely.

Correct answer: "Yes, we're using [FIDO2 hardware keys / passkeys / Windows Hello] for all admin, finance, and executive accounts."

Red flag answers:

  • "We're using Microsoft Authenticator" (vulnerable to AiTM if not configured with Conditional Access)
  • "We're using SMS or email MFA" (too weak)
  • "We have MFA but not phishing-resistant"

Question 2: "Is external email forwarding blocked at the tenant level?"

Why this matters: Blocking external forwarding prevents attackers from silently exfiltrating email for 36 hours. It eliminates the dwell time advantage.

Correct answer: "Yes, we've blocked all external email forwarding at the Microsoft 365 tenant level."

Red flag answers:

  • "No, people sometimes need to forward emails"
  • "It's disabled by default but users can override it"
  • "I'm not sure about our configuration"

Question 3: "Are our security alerts going somewhere, and is someone reviewing them?"

Why this matters: Alerts about new forwarding rules, unusual login activity, and suspicious admin behavior are generated automatically by Microsoft Defender for Business. Someone needs to be reviewing them.

Correct answer: "Yes, Defender alerts are routed to [email distribution / Teams channel / ticketing system] and reviewed [daily / within 4 hours]."

Red flag answers:

  • "Alerts are generated but we don't actively monitor them"
  • "We have alerts but nobody specifically reviews them"
  • "Nobody looks at them because we're too busy"

Implementation by Industry

Lewis IT has helped firms in all four industries close these gaps:

Construction Companies

Vulnerabilities: Project managers storing site plans in personal cloud storage, using personal email for supplier coordination, storing passwords in shared devices.

Lewis IT Implementation:

  • Phishing-resistant MFA for project management system access
  • Block external email forwarding
  • Daily review of Defender alerts for construction software access
  • Staff training on not posting project details on social media

Mortgage and Title Companies

Vulnerabilities: Loan officers receiving phishing emails mimicking system alerts, sharing passwords across loan origination systems, storing client data in personal storage.

Lewis IT Implementation:

  • Phishing-resistant MFA for all loan origination system access
  • Block external email forwarding for closing documents
  • Alert monitoring for unusual loan system access
  • Staff training on protecting customer PII on social media

Education Institutions

Vulnerabilities: Teachers receiving phishing emails mimicking school alerts, storing student data in personal cloud services, sharing passwords for gradebook systems.

Lewis IT Implementation:

  • Phishing-resistant MFA for student information system access
  • Block external email forwarding for FERPA-protected data
  • Alert monitoring for unusual student database access
  • Staff training on not posting student information on social media

CPA and Accounting Firms

Vulnerabilities: Tax preparers receiving phishing emails from tax software providers, storing client data in personal cloud services, sharing QuickBooks passwords.

Lewis IT Implementation:

  • Phishing-resistant MFA for QuickBooks and client portal access
  • Block external email forwarding for tax documents and client data
  • Alert monitoring for unusual accounting system access
  • Staff training on not posting client count or revenue on social media

The Reality: Most Attacks Cost Less Than $15

An attacker compromised your 22-person business using:

  • $14 for stolen credentials
  • 6 hours of publicly available research
  • Your own security tools configured to work against you

The ransom they set: $65,000.

The return on investment for this attack is extraordinary.

Lewis IT has helped construction, mortgage/title, education, and accounting firms understand that ransomware isn't prevented through expensive new tools—it's prevented through proper configuration of tools you already own.

Protect Your Business: Contact Lewis IT

Lewis IT helps construction companies, mortgage and title firms, education institutions, and CPA/accounting practices implement the five controls that stop ransomware attacks.

We'll:

  1. Review your current security configuration
  2. Assess phishing-resistant MFA implementation
  3. Verify email forwarding restrictions
  4. Establish alert monitoring procedures
  5. Provide staff security awareness training

Email: info@lewisit.io
Phone: 240-784-1221
Website: www.lewisit.io/contact-us

Ransomware attacks happen in stages—research, access, persistence, exfiltration, encryption. Each stage has specific controls that stop the attack. Contact Lewis IT today and implement protection that actually works.


Frequently Asked Questions

Do attackers really target small businesses?

Yes. Most ransomware operations target small and mid-sized businesses (10-50 employees) because the ratio of payout potential to defensive resources is higher than at either extreme. Large enterprises have security teams and incident response contracts. Solo practitioners rarely have enough at stake. Small businesses are in the targeting sweet spot.

What is Adversary-in-the-Middle (AiTM) phishing?

AiTM phishing is a technique where the attacker hosts a proxy page that mirrors a real login screen (Microsoft 365, Google Workspace, etc.). When the user enters credentials and approves MFA, the proxy captures the session token. The legitimate service treats the login as successful, but the session token ends up in the attacker's browser. AiTM has become the dominant credential-based attack vector against Microsoft 365.

What is a stealer log?

A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The malware records browser-saved passwords, session cookies, and stored tokens, then sells them on underground markets for $10-20 per package. Malware typically infects personal computers through pirated software or malicious browser extensions.

How much does it actually cost an attacker to compromise a small business?

In the example walkthrough above, the attacker spent $14 for stolen credentials and about 6 hours of publicly available research. Some attacks cost $0 if credentials are leaked publicly. Total investment before ransom payment typically stays well below $100.

Are the tools that stop these attacks expensive?

No. Most defenses are included in Microsoft 365 Business Premium that small businesses typically already own. External forwarding restrictions are configuration changes (free). Defender for Business alerts are free—someone just needs to review them. Phishing-resistant MFA hardware keys cost $30-60 per user, far cheaper than a ransomware incident.

What should we do first?

Ask your IT provider the three questions in this article: (1) Do we have phishing-resistant MFA for critical roles? (2) Is external email forwarding blocked? (3) Are our security alerts being reviewed? The answers will tell you where your highest risks are.


Lewis IT provides ransomware prevention and response services for construction companies, mortgage and title firms, education institutions, and CPA/accounting practices throughout Maryland and the Mid-Atlantic region. From phishing-resistant MFA implementation to alert monitoring and security awareness training, we help organizations stop ransomware attacks before encryption begins.

Subscribe to Lewis IT Bin

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe
DigitalOcean Referral Badge