Ransomware protection for SMEs
Never pay the ransom. 128 ransomware compromises reported in France in 2025, with SMEs representing nearly half of all victims. ECLAUD IT deploys multi-layer protection so your business does not become a statistic.
Ransomware is the number one cyber threat for French SMEs. In 2025, ANSSI recorded 128 ransomware compromises, with Qilin (21%), Akira (9%) and LockBit 3.0 (5%) as the dominant strains. The average ransom reaches €900,000 (CESIN) and 60% of affected SMEs close within 6 months. The solution is not to pay — it is to protect in advance: EDR, immutable backups, network segmentation, phishing training and a disaster recovery plan.
What is ransomware and how does it work?
Ransomware is malicious software designed to take your data hostage. The scenario is always the same: a member of staff opens a booby-trapped attachment or clicks a phishing link. Within minutes, the software encrypts all accessible files — documents, databases, network backups. A message appears: "Pay X bitcoins to recover your data."
Modern ransomware no longer stops at encryption. Double extortion has become the norm: before encrypting, the attacker exfiltrates your sensitive data. If you do not pay, they threaten to publish it. Some groups like Qilin — responsible for 21% of attacks in 2025 — even practise triple extortion: simultaneous encryption, publication and DDoS attack to increase pressure.
"In 2025, ANSSI handled 128 ransomware compromises. SMEs, micro-businesses and mid-market companies remain the most frequent victims, representing 37 to 48% of cases depending on the year." — ANSSI, Panorama of the cyber threat 2025
The infection process generally follows three phases. First, initial intrusion: targeted phishing, exploitation of an unpatched vulnerability (VPN, Exchange server, exposed RDP) or compromise of a supplier (supply chain attack). Then, lateral movement: the attacker moves through the network, elevates privileges, identifies backups and disables them. Finally, ransomware deployment: simultaneous encryption of all accessible systems, destruction of shadow copies and ransom demand.
Between initial intrusion and ransomware deployment, an average of 5 to 14 days elapses. It is during this window that a well-configured EDR can detect the intruder and prevent encryption. Without this detection, the day of the attack is devastating.
Why SMEs are ransomware's preferred targets
If you think ransomware only targets large corporations and hospitals, think again. SMEs have become the preferred prey of cybercriminals — and it is no accident. Here is why your company is in the crosshairs.
No SOC, no monitoring
78% of micro-businesses and SMEs declare themselves inadequately prepared for cyberattacks (Neurark). Without a security operations centre (SOC), no one monitors your network at night, at weekends or during holidays — exactly when attackers strike.
Absent or untested backups
Many SMEs have a backup — on a USB drive permanently connected to the server. The ransomware encrypts it first. Without a disconnected (air-gap) backup tested regularly, restoration is impossible.
Untrained staff
90% of ransomware arrives via phishing email. With generative AI, fraudulent emails are now indistinguishable from real ones. Without regular training and phishing simulations, a single click is enough.
Insufficient security budget
48% of SMEs have no formalised cybersecurity strategy (Konica Minolta 2025). Security investment is often deferred "for later" — until the day ransomware strikes and "later" costs €100,000.
Cybercriminals have understood: attacking 50 poorly protected SMEs yields more than attacking a large corporation behind multiple firewalls. It is industrialised, automated, and ransomware kits are sold ready-to-use on the dark web (Ransomware-as-a-Service). Your size does not protect you — it exposes you.
The ransomware threat in numbers
| Indicator | Figure | Source |
|---|---|---|
| SMEs among ransomware victims | 37 to 48% | ANSSI 2024-2025 |
| Payers who don't recover everything | 47% | Sophos 2025 |
| Average SME incident cost | €50,000 to €100,000 | ANSSI |
| Dominant strain 2025 | Qilin (21%) | ANSSI |
| Supply chain attacks | +100%, 30% of breaches | Verizon DBIR 2025 |
| SMEs without a formalised cyber strategy | 48% | Konica Minolta 2025 |
The figures are unambiguous. The cost of cybercrime in France rose from €5 billion in 2016 to €100 billion in 2024. The question is no longer "if" your SME will be targeted, but "when". The good news: 54% of organisations with a recovery plan recover in less than a week, versus months for the others. Preparation makes all the difference.
The 7 essential anti-ransomware protection measures
Ransomware protection relies on defence in depth: several complementary security layers. If one layer fails, the next takes over. Here are the 7 measures we systematically deploy for our SME clients.
MFA everywhere
Multi-factor authentication on all critical access points: email, VPN, cloud access. 99% of password attacks fail against MFA (Microsoft).
Immutable 3-2-1 backup
3 copies, 2 different media, 1 off-site. The off-site copy is immutable (air-gap or write-once) — ransomware cannot encrypt it.
EDR/XDR on every workstation
Traditional antivirus is dead. An EDR (Endpoint Detection & Response) analyses suspicious behaviour in real time and blocks encryption before it spreads.
Network segmentation
Compartmentalise the network to prevent lateral propagation. If a workstation is infected, the ransomware remains confined to an isolated segment.
Patch management
Ransomware exploits known vulnerabilities. A rigorous update process (OS, software, firmware) closes the entry points.
Phishing awareness
90% of ransomware arrives by email. Regular phishing simulations and ongoing training reduce the human risk.
Recovery plan (DRP)
When everything else fails, the DRP enables restart. RTO and RPO defined, tested quarterly, documented.
These 7 measures are aligned with the recommendations of ANSSI and the "Cybersecurity for micro-businesses and SMEs in 13 questions" guide. No single measure is sufficient — it is their combination that creates effective protection.
The anti-ransomware solutions we deploy
We do not sell theory — we deploy concrete, tested and maintained solutions. Each component is selected for its ability to stop ransomware at a specific stage of the attack.
Fortinet FortiEDR
Endpoint protection: Real-time behavioural detection, automated response, rollback of encrypted files. Pre- and post-execution ransomware protection.
Veeam + air-gap backup
Immutable backup: Backups disconnected from the network (physical or logical air-gap). Long-term retention, automated restoration tests, RPO < 4h.
Fortinet FortiGate
Next-generation firewall: SSL/TLS inspection, DNS filtering, sandboxing of suspicious attachments, IPS. Blocks communications with command-and-control (C2) servers.
Microsoft Defender for Business
Microsoft 365 protection: Exchange Online email protection, malicious attachment detection, Safe Links. Integrated into the Microsoft ecosystem.
Training & phishing simulation
Human factor: Quarterly simulation campaigns, per-department dashboards, targeted micro-training for staff who click.
All these solutions are managed by ECLAUD IT: deployment, configuration, updates, monitoring and response in case of alert. You do not need an in-house cybersecurity expert — it is our business.
What to do if you are hit by ransomware?
You have just discovered a ransom message on your screens. The first few minutes are critical. Here is exactly what to do — and what absolutely not to do.
Isolate immediately
Disconnect the infected machine from the network (cable AND Wi-Fi). Do not switch it off — encryption keys may be in memory.
Do not pay the ransom
47% of those who pay do not recover all their data (Sophos 2025). You are financing criminals and making yourself a recurring target.
Contact your provider
ECLAUD IT responds within 2 hours. We analyse the infection vector, identify the strain and assess the extent of the damage.
Report the attack
File a police report and notify cybermalveillance.gouv.fr. If personal data is compromised, CNIL notification is mandatory within 72 hours.
Restore from backups
With tested immutable backups, full restoration is possible. Without a DRP, it is a lottery.
Ransomware at a Reunion Island SME — field experience
The context: a 25-person services SME in Reunion Island. No dedicated IT provider, an "internal IT person" combining this role with their main position. Backup on a NAS connected to the network. Consumer-grade antivirus. No phishing training.
The attack: on a Monday morning, staff discover inaccessible files. The NAS, the file server and shared workstations are encrypted. A README file demands €15,000 in Bitcoin. The "backup NAS" is also encrypted — it was on the same network.
The damage: 4 days of complete shutdown. Loss of 3 months of accounting records (the last external backup was 3 months old). Manual reconstruction of client files. Total estimated cost: €75,000 (business downtime, reconstruction, new hardware, emergency provider).
What we put in place afterwards: FortiEDR on all workstations, Veeam backup with daily air-gap copy, network segmentation (VLAN), MFA on all cloud and VPN access, quarterly phishing training, disaster recovery plan (DRP) with 4-hour RTO. Since implementation: zero incidents in 18 months — and 3 phishing attempts detected and blocked by staff themselves.
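The 3-2-1 rule and the case above, as an added example (not ECLAUD IT's tooling): a small audit that checks a backup inventory and computes how much data would be lost if everything writable were encrypted. The inventories are constructed and loosely modelled on the case study; the media types, ages, the 24-hour RPO default and the 92-day test interval are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str
    offsite: bool
    immutable: bool                      # air-gapped or write-once
    age_hours: float                     # age of the newest restore point
    restore_test_days: Optional[float]   # days since last restore test, None = never

def audit(copies, rpo_hours=24.0, test_max_days=92.0):
    """Return (findings, data_loss_hours). data_loss_hours is the age of the
    newest restore point on a copy ransomware cannot rewrite, or None."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    survivors = [c for c in copies if c.immutable]
    if not survivors:
        findings.append("no immutable copy: nothing survives encryption")
        return findings, None
    loss = min(c.age_hours for c in survivors)
    if loss > rpo_hours:
        findings.append(f"newest surviving restore point is {loss:.0f} h old")
    tested = [c for c in survivors
              if c.restore_test_days is not None and c.restore_test_days <= test_max_days]
    if not tested:
        findings.append("no surviving copy restore-tested this quarter")
    return findings, loss

# Constructed inventories (assumed values), before and after remediation.
BEFORE = [
    BackupCopy("file server (production)", "disk", False, False, 0, None),
    BackupCopy("NAS on the office LAN", "nas", False, False, 24, None),
    BackupCopy("external backup", "usb-disk", True, True, 90 * 24, None),
]
AFTER = [
    BackupCopy("file server (production)", "disk", False, False, 0, None),
    BackupCopy("on-site backup repository", "nas", False, False, 4, 30),
    BackupCopy("daily air-gap copy", "object-storage", True, True, 20, 30),
]
```

The "before" inventory passes a naive count of three copies on three media, yet the audit reports a 2,160-hour (three-month) loss window because only the stale external copy survives.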
How much does ransomware protection cost?
| Plan | Includes | Price |
|---|---|---|
| Basic | Managed EDR, firewall, daily backup, MFA | €30 — €49/workstation/month |
| Advanced | Basic + immutable air-gap backup, network segmentation, quarterly phishing simulation, documented DRP | €50 — €89/workstation/month |
| Managed SOC | Advanced + 24/7 monitoring, real-time detection and response, threat hunting, monthly report, 2h SLA | Custom quote |
To put it in perspective: the average cost of a ransomware incident for an SME is €50,000 to €100,000 (ANSSI). Protection costs less than the attack. All prices include initial deployment, configuration and support.
FAQ — Ransomware Protection for SMEs
What exactly is ransomware?
Ransomware is malicious software that encrypts your files and demands a ransom — usually in cryptocurrency — to restore your access. Modern versions use "double extortion": encryption + threat to publish stolen data. Infection most commonly arrives via a phishing email or exploitation of an unpatched vulnerability.
Is my SME really a ransomware target?
Yes. SMEs, micro-businesses and mid-market companies represent 37 to 48% of ransomware victims in France (ANSSI 2024-2025). Attackers target SMEs precisely because they have fewer protections than a large corporation: no SOC, no network segmentation, untested backups, staff not trained in phishing. You are not "too small to be targeted" — you are "small enough to be vulnerable".
Should you pay the ransom if attacked?
No. ANSSI, Cybermalveillance.gouv.fr and the No More Ransom project unanimously recommend not paying. 47% of companies that pay do not recover all their data (Sophos 2025). Paying funds the criminal ecosystem and makes you a recurring target. The only reliable protection: regularly tested immutable backups.
How much does ransomware protection cost for an SME?
Comprehensive protection (EDR, immutable backup, firewall, phishing training) costs between €30 and €90 per workstation per month depending on the plan. This is an investment, not a cost: the average cost of a ransomware incident for an SME is €50,000 to €100,000 (ANSSI), not counting business downtime and reputational damage.
What is the difference between an antivirus and an EDR?
A traditional antivirus compares files against a database of known signatures — it only detects already-identified threats. An EDR (Endpoint Detection & Response) analyses behaviour in real time: if a process starts mass-encrypting files, the EDR blocks it immediately, even if the strain is unknown. Against modern ransomware, antivirus alone is insufficient.
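To make the behavioural idea concrete, here is an added sketch (not FortiEDR's logic or any vendor's code): it flags a process that writes random-looking data to many distinct files within a short window, with no signature involved. The thresholds, the event format and the sample telemetry are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

ENTROPY_MIN = 7.0   # bits per byte; assumed threshold for "looks encrypted"
WINDOW_S = 10.0     # assumed sliding window, in seconds
FILES_MIN = 5       # assumed number of distinct files that triggers an alert

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4-5 for text, close to 8 for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """events: (timestamp, pid, path, written_bytes) tuples sorted by timestamp.
    Returns {pid: timestamp of the write that crossed the threshold}."""
    recent = defaultdict(deque)   # pid -> (timestamp, path) of high-entropy writes
    alerts = {}
    for ts, pid, path, data in events:
        if shannon_entropy(data) < ENTROPY_MIN:
            continue
        window = recent[pid]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()
        if pid not in alerts and len({p for _, p in window}) >= FILES_MIN:
            alerts[pid] = ts
    return alerts

def pseudo_random(seed: bytes, blocks: int = 128) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

def sample_events():
    """Constructed telemetry: three processes writing to a file share."""
    text = b"Quarterly accounts, client file, invoice lines. " * 80
    events = []
    for i in range(6):
        # pid 4242: unknown process rewriting many documents with random-looking data
        events.append((100.0 + i, 4242, f"share/doc{i}.docx", pseudo_random(b"a%d" % i)))
        # pid 1010: office application saving plain text
        events.append((100.5 + i, 1010, f"share/report{i}.txt", text))
        # pid 2020: backup agent appending compressed data to a single archive
        events.append((101.0 + i, 2020, "backup/full.vbk", pseudo_random(b"b%d" % i)))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))
```

High entropy alone is not proof of encryption, since compressed archives and media files look the same; that is why the rule counts distinct files per process, and why the backup agent in the sample data raises no alert.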
Does ECLAUD IT respond in Reunion Island in case of a ransomware attack?
Yes. We are based in Saint-Paul (Reunion Island) and operate across the entire island within 4 hours. In the event of a ransomware attack, our emergency protocol can be activated within 2 hours: isolation, analysis, restoration. We also operate in mainland France.
Don't become the next ransomware statistic
Free audit of your ransomware exposure. We identify your vulnerabilities and propose a protection plan tailored to your SME.