May 19, 2026

It started with an email that looked like it came from a supplier. A plumbing company office manager clicked the link Friday afternoon. By Monday morning, every file on every computer was encrypted — job estimates, customer records, QuickBooks, the scheduling system. Everything. The attackers wanted $85,000 in Bitcoin to give it back.
This isn't an unusual story anymore. Variants of it played out thousands of times in 2025, and the pattern is accelerating. Small and mid-sized businesses now account for 88% of ransomware attacks — not banks, not hospitals, not Fortune 500 companies. Small businesses like yours.
Criminals have figured out something important about the trades. Plumbing, HVAC, electrical, and construction companies are highly dependent on their scheduling systems, customer databases, and field service apps. When those go down, the business stops — and the pressure to pay a ransom fast is enormous because every hour of downtime means missed appointments, angry customers, and idle crews.
On top of that, contractor businesses often have thinner IT defenses than other industries. Most are running on a mix of older equipment, shared passwords, and 'we'll get to it later' security. Attackers know this. They're targeting the businesses where the operational pain is highest and the defenses are lightest, and the Oregon trades and contractor community sits right at that intersection.
The median ransom demand for a small business in 2025 was around $110,000. And 40% of small businesses say a cyberattack costing $100,000 or less would put them out of business permanently. That's before you account for everything else.
Paying doesn't guarantee anything either. Modern ransomware groups steal your data first, then encrypt it — what's called double extortion. So they have leverage twice. Pay us or stay locked out. Pay us again or we publish your customer records publicly. The Portland trades community is small. You don't want to be the company everyone is talking about.
The ransom is the headline number. It's not the real number. When a trades business gets hit, the actual financial damage stacks up across at least five different categories — and most of them aren't covered by paying the attacker.
Downtime. If your scheduling system, customer database, and accounting software are encrypted, you're not running jobs. For an HVAC company averaging $15,000 a day in revenue, a week of downtime is over $75,000 in lost work before you've paid anyone a dollar. Most ransomware events take 7 to 21 days to fully recover from.
Emergency IT response. Bringing in incident response specialists, forensics firms, and recovery engineers is expensive — typically $200 to $400 an hour, often for multiple specialists working in parallel for days at a time. A typical SMB recovery engagement runs $20,000 to $80,000 in professional services alone.
Cyber insurance impact. If you have a cyber policy, premiums often jump 30 to 50% at renewal after a claim, and some carriers will simply non-renew. If you don't have a policy, getting one after an incident is significantly harder and more expensive.
Lost contracts and customers. Commercial clients increasingly ask vendors about their security posture. A documented breach can disqualify you from future bids. Residential customers find out through reviews and word of mouth. The Portland and Oregon trades community is tight — reputation damage compounds.
Regulatory and notification costs. Depending on whose data was exposed, you may be legally required to notify customers, state regulators, or both. Notification campaigns, legal counsel, and potential fines are real line items.
Add it up and a small ransomware incident with an $85,000 ransom demand can easily turn into $300,000 to $500,000 in total business impact, which is exactly why 40% of small businesses go out of business after an attack.
The good news is that the controls that block most ransomware aren't exotic. They're operational discipline:
Multi-factor authentication on everything. Email, remote access, your scheduling app, QuickBooks Online. The most common way ransomware gets in is through a stolen password. MFA means a password alone isn't enough.
Monitored endpoints. Someone watching your computers 24/7 — including evenings and weekends when your office is closed. Managed security services provide this so you're not staffing your own security team. When ransomware activity is detected, containment happens in minutes, not Monday morning.
Backups ransomware can't reach. A backup stored on the same network as your other files isn't a backup — it's a second copy of your problem. You need backups that are isolated, can't be modified by an attacker, and have actually been tested by restoring files. A backup you've never restored is a backup you can't trust.
The trades businesses that come through ransomware attempts without major damage aren't doing anything sophisticated. They have MFA. They have someone watching their systems. They have tested backups. The gap between those who do and those who don't is where ransomware wins — and it's the kind of gap that gets harder to close after an incident than before.
For a typical small business, full recovery takes 7 to 21 days. The first 48 to 72 hours are containment — stopping the spread and assessing what's been encrypted. From there, recovery depends on whether you have clean backups available. With tested, isolated backups, most operations can be restored within a week. Without them, you're either negotiating with attackers or rebuilding systems from scratch — both of which take significantly longer.
Law enforcement, including the FBI, recommends against paying. Paying doesn't guarantee you get a working decryption key, doesn't guarantee the attackers won't publish your data anyway, and signals to other criminals that your business is a viable target. That said, the decision is rarely straightforward when your business is hemorrhaging money during downtime. The best position is one where you never have to make this decision — which is what tested backups and active monitoring provide.
Most cyber insurance policies cover ransomware, but coverage has tightened significantly over the past few years. Many policies now require specific security controls — MFA, EDR, tested backups, security awareness training — as a condition of coverage. If you don't have these controls in place and get attacked, your claim may be denied. Premiums also typically jump 30 to 50% at renewal after a claim, and some carriers may decline to renew at all.
Stolen credentials and phishing emails account for the majority of small business ransomware incidents. An employee clicks a convincing email, enters their password on a fake site, and the attacker now has working access to your systems. From there, they spread laterally, locate your backups, and trigger the encryption. This is why MFA and security awareness training are the highest-leverage controls — they break the most common attack chain at its starting point.
No reputable IT provider can promise zero risk. What a good managed security service can do is dramatically reduce the likelihood of an attack succeeding and dramatically reduce the recovery time if one does. That's the actual product — fewer attempts succeeding, faster containment, faster recovery. Promises of 'we'll stop every attack' are marketing, not security.
If you'd like a 15-minute conversation about how AlwaysOnIT helps Portland-area trades and contractors think about cybersecurity — no sales pitch, just an honest look at where you stand — you can schedule a call below.