TL;DR

  • Sileno Companies Inc, a US hospitality operator, had 22.9 TB encrypted in just 14 hours during a March 2026 ransomware attack
  • Attackers also exfiltrated 67 GB of data before triggering encryption — this is now standard ransomware practice
  • The attack targeted hotel operations, property management, and hospitality services, disrupting core business functions
  • Modern ransomware moves faster than ever — businesses need offline, immutable backups and detection faster than the encryption window
  • A layered defence with network segmentation, endpoint detection, and tested recovery procedures is essential for survival

The Attack: What Happened to Sileno Companies Inc

On March 5, 2026, Sileno Companies Inc — a US-based hospitality and real estate operator managing hotels, restaurants, and property development — fell victim to a ransomware attack attributed to the "tengu" threat actor [1]. The attack achieved two devastating outcomes:​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌‌‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​‌​‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

  1. 22.9 TB of data encrypted in 14 ho urs — This works out to approximately 455 GB per hour, or 7.6 GB per minute of sustained encryption
  2. 67.07 GB of data exfiltrated — Attackers stole data before triggering encryption, enabling "double extortion" ransom demands

The attack disrupted hotel operations, property management systems, and hospitality services across the organisation's footprint [1]. This incident exemplifies the modern ransomware playbook: steal data first, encrypt second, then demand payment for both decryption and silence.

Why This Matters to Every Business Owner

The Sileno attack is not unique to hospitality. The same pattern plays out daily across manufacturing, professional services, healthcare, and retail. What makes this case noteworthy is the speed and scale:​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌‌‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​‌​‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

  • 22.9 TB in 14 hours demonstrates how modern ransomware leverages fast encryption algorithms and parallel processing across multiple systems
  • 67 GB exfiltrated shows attackers are methodically stealing sensitive data before pulling the trigger
  • Business disruption lasted far beyond the initial 14-hour window — recovery from this scale of encryption typically takes weeks or months

According to IBM's 2025 Cost of a Data Breach Report, the average ransomware attack now costs $4.88 million globally, with recovery taking an average of 297 days [2]. For SMBs, these numbers are existential threats.

The Double Extortion Trap

Ransomware is no longer just about encryption. Since 2019, attackers have standardised the "double extortion" model:

  1. Exfiltration — Attackers spend days or weeks inside networks, copying sensitive data (customer records, financial data, intellectual property)
  2. Encryption — Once data theft is complete, they trigger widespread encryption to halt operations
  3. Triple threat — Extortion demands now include: payment for decryption, payment to not leak stolen data, and sometimes payment to not notify regulators or the media

This is why offline backups alone are insufficient. If attackers have your data, backups only solve half the problem. You need data leak prevention, access controls, and monitoring to detect theft before encryption starts.

Research from Coveware shows that 77% of ransomware incidents in 2025 involved data exfiltration [3]. The Sileno attack is part of this overwhelming majority.

The Speed Problem: Why 14 Hours Changes Everything

Historical ransomware attacks often played out over days. Initial access might come via phishing on Monday, lateral movement on Tuesday, and encryption late Wednesday. This gave defenders windows to detect and respond.

The Sileno attack — 22.9 TB in 14 hours — shows how the timeline has collapsed. This acceleration is driven by:

  • Automation — Attack scripts automatically discover and encrypt accessible files and shares
  • Parallel processing — Ransomware simultaneously encrypts across multiple compromised systems
  • Optimized algorithms — Modern ransomware prioritises speed over undetectability, relying on the scale of encryption to overwhelm recovery capacity

According to Palo Alto Networks' Unit 42, the average dwell time (time from initial access to detection) for ransomware attacks in 2025 was 9 days [4]. But once attackers decide to encrypt, the encryption itself happens in hours, not days. This means detection must happen before encryption triggers, not during.

Related: AI Attacks Now Steal Your Data in 72 Minutes: The SMB Response Playbook That Keeps You Ahead

The Hospitality Sector: A Prime Target

The hospitality industry faces specific cybersecurity challenges:

  • High transaction volume — Hotels process thousands of credit card transactions daily, making payment systems attractive targets
  • Guest data concentration — Property management systems hold names, addresses, payment details, and identity documents
  • Operational complexity — Hotels, restaurants, and bars all interconnect via shared networks, creating broad attack surfaces
  • 24/7 availability expectations — Downtime directly impacts revenue and guest satisfaction

The 2025 Trustwave Global Security Report found that hospitality ranked 3rd among industries most targeted by ransomware, behind only manufacturing and government [5]. Sileno Companies Inc is part of this broader pattern.

The lilMONSTER Defence Framework: What Your Business Needs Today

1. Offline, Immutable Backups (Non-Negotiable)

If Sileno had offline, immutable backups, the encryption component of the attack would have been survivable. Recovery would still be disruptive, but not existential.

Backup requirements:

  • Offline — Backups must be physically or logically disconnected from production networks. If ransomware can reach them, they're not backups — they're targets
  • Immutable — Backups must be write-once, read-many. No deletion, no modification, no ransomware override
  • Tested — Regular restore drills verify that backups actually work. Untested backups are hope, not strategy

According to Veeam's 2025 Data Protection Report, 82% of organisations that paid ransom still couldn't recover all their data [6]. Offline backups are the only reliable path to recovery without payment.

Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

2. Network Segmentation: Limit the Blast Radius

If Sileno's hotel operations, property management, and hospitality systems were on separate network segments with strict access controls, the ransomware would have struggled to encrypt 22.9 TB in 14 hours.

Segmentation principles:

  • Least privilege — Systems and users only access what they need, nothing more
  • East-west traffic controls — Monitor and restrict lateral movement between systems
  • Microsegmentation — Isolate critical workloads from general-purpose networks

Gartner predicts that by 2026, 60% of organisations will have adopted microsegmentation as a core security control, up from 10% in 2021 [7].

3. Detection Faster Than Encryption

The 14-hour encryption window at Sileno is the kill zone. Detection must happen before encryption triggers.

Detection essentials:

  • Endpoint detection and response (EDR) — Monitor for ransomware behaviour patterns: rapid file modifications, encryption API calls, anomalous process execution
  • Network traffic analysis — Detect large-scale data exfiltration (67 GB leaving the network is not subtle)
  • User and entity behaviour analytics (UEBA) — Identify compromised accounts via unusual access patterns

According to IBM's X-Force Threat Intelligence Index 2025, organisations with mature EDR deployment detected ransomware 80% faster than those relying on traditional antivirus [8].

4. Incident Response Plan: Tested and Ready

When ransomware hits, decision-making collapses under pressure. A tested incident response plan provides clarity and reduces response time.

Response plan must cover:

  • Isolation procedures — Disconnect infected systems from networks to halt spread
  • Communication protocols — Who speaks to staff, customers, regulators, and media
  • Recovery prioritisation — Which systems come back online first, and in what order
  • Backup restoration — Verified procedures for restoring from offline backups

The Australian Cyber Security Centre's (ACSC) Essential Eight maturity model explicitly requires tested incident response plans as a condition of Maturity Level 3 [9].

The Reality Check: What Happens Without These Controls

Sileno Companies Inc's experience illustrates the consequences:

  • Operational paralysis — Hotel bookings, property management, and hospitality services disrupted
  • Data at risk — 67 GB of sensitive business and customer data now in attacker hands
  • Financial impact — Ransom demand (unpaid), recovery costs, lost revenue, potential regulatory fines, and reputation damage
  • Long-term disruption — Even with backups, restoring 22.9 TB and verifying system integrity takes weeks

For SMBs, a similar attack is often fatal. The U.S. National Cyber Security Alliance found that 60% of small businesses close within 6 months of a cyberattack [10].

The Economics of Prevention vs. Recovery

The Sileno attack reinforces a fundamental truth: prevention costs far less than recovery.

Consider the economics:

  • Preventive investment: EDR, network segmentation, offline backups, and testing might cost $10K–$50K annually depending on size
  • Recovery costs: Average ransomware recovery exceeds $4.88 million globally [2], and many businesses never fully recover

This is not fear-based marketing — it's arithmetic. Security spending as a percentage of IT budget is rising, from 5% in 2020 to 15% in 2026, according to Gartner [11]. This shift recognises cybersecurity as business resilience infrastructure, not optional IT spend.

Action Items: What to Do This Week

Based on the Sileno attack and current threat landscape, here's your immediate checklist:

  1. Verify backup isolation — Confirm that backups cannot be accessed or modified from production networks. Test restore from offline backup this week
  2. Review network segmentation — Map critical systems and confirm they're isolated from general-purpose networks. Implement east-west traffic controls
  3. Deploy EDR if not already in place — Modern ransomware cannot be stopped by antivirus alone. EDR is now baseline hygiene
  4. Test incident response — Run a tabletop exercise simulating a ransomware attack. Identify gaps in isolation, communication, and recovery procedures
  5. Audit vendor security — If you use property management systems, hospitality platforms, or booking engines, confirm their security posture and breach response procedures

Related: Vendor Breaches Are Now 25% of All Data Breaches: What SMBs Must Do Today

FAQ

Modern ransomware can encrypt at speeds exceeding 400 GB per hour on enterprise-grade hardware. The Sileno attack encrypted 22.9 TB in 14 hours (~455 GB/hour). Speed varies based on storage type (NVMe SSDs encrypt faster than HDDs), file sizes, and system resources. This is why detection before encryption is critical — once encryption triggers, it's often too late to stop data loss.

Offline backups solve the encryption component of ransomware, but not the exfiltration component. If attackers steal data before encrypting (as in 77% of ransomware incidents), backups can't undo data theft. This is why defence requires multiple layers: backups + access controls + monitoring to detect theft before encryption. For double extortion, prevention focuses on data leak prevention, access restriction, and early detection of anomalous data access.

According to IBM's 2025 Cost of a Data Breach Report, the average ransomware attack costs $4.88 million globally [2]. This includes ransom payment (if made), system restoration, lost business, regulatory fines, and reputation damage. For SMBs, recovery often exceeds $100K even without paying ransom, and 60% of small businesses close within 6 months of a significant cyberattack [10]. Prevention spending of $10K–$50K annually is far cheaper than recovery.

Traditional antivirus relies on signature-based detection — matching files against known malware databases. It's reactive and ineffective against new or modified ransomware. Endpoint detection and response (EDR) monitors behaviour patterns: rapid file modifications, suspicious process execution, encryption API calls, and anomalous network activity. EDR can detect and block ransomware even if the malware has never been seen before. Modern ransomware attacks like Sileno's are only stoppable with EDR.

Average ransomware dwell time (from initial access to detection) is 9 days according to Palo Alto Networks Unit 42 [4]. However, the encryption phase itself typically takes hours, not days. The Sileno attack encrypted 22.9 TB in 14 hours. Detection must happen before encryption triggers, not during. EDR systems that monitor for ransomware behaviour patterns can detect attacks in minutes, whereas traditional antivirus often only detects after files are encrypted.

References

[1] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/

[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] Coveware, "Global Ransomware Report 2025," Coveware, 2025. [Online]. Available: https://www.coveware.com/blog/global-ransomware-report-2025

[4] Palo Alto Networks Unit 42, "Ransomware Threat Report 2025: Dwell Time and Detection," Palo Alto Networks, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/ransomware-dwell-time-2025

[5] Trustwave, "Global Security Report 2025: Industry Target Analysis," Trustwave, 2025. [Online]. Available: https://www.trustwave.com/en-us/resources/security-intelligence/security-report/

[6] Veeam, "Data Protection Report 2025: Ransomware Recovery Realities," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report-2025

[7] Gartner, "Market Guide for Network Microsegmentation," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/documents/4067891

[8] IBM X-Force, "Threat Intelligence Index 2025: Ransomware Detection and EDR," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/threat-intelligence-2025

[9] Australian Cyber Security Centre (ACSC), "Essential Eight Maturity Model," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/essential-eight

[10] U.S. National Cyber Security Alliance, "Small Business Cybersecurity Posture Survey 2025," NCSA, 2025. [Online]. Available: https://www.staysafeonline.org/small-business-report

[11] Gartner, "Forecast: Information Security Spending Worldwide," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/documents/4023847

Your business doesn't have to be the next headline. lilMONSTER helps businesses build defence-in-depth security that stops ransomware before it starts. We handle the complexity — you get protection, peace of mind, and a clear path forward. Book a free consultation at consult.lil.business to secure your business against modern ransomware.

TL;DR

  • A hotel company called Sileno recently had 22.9 terabytes of files locked in just 14 hours by ransomware — that's like filling 5,000 DVDs with locked files
  • Modern ransomware works like a super-fast digital burglar that both steals your files AND locks your originals
  • The best protection is offline backups (copies of your files that hackers can't reach) + good security habits
  • This kind of attack can put small businesses out of business permanently, but the right protection is affordable and achievable

What Happened to Sileno?

Imagine you run a hotel business. You have booking systems, guest information, payment records, and years of business files all stored digitally. One morning, you discover that all of it is locked — 22.9 terabytes (that's trillions of pages of documents) scrambled and unreadable.

This happened to Sileno Companies Inc in March 2026. A type of malicious software called "ransomware" swept through their computer systems and locked everything in just 14 hours [1]. Think about that speed: in the time it takes to watch a movie, hackers locked what would take thousands of years to read.

But it gets worse. Before locking the files, the hackers also stole 67 gigabytes of data (about 15 million photos worth) [1]. Now they're demanding money twice: once to unlock the files, and again to not publish the stolen data online.

Why This Speed Is Scary

Old ransomware was slow. It might take days to lock files, giving businesses time to catch it and stop it. Modern ransomware is different:

  • It's automated — Like a robot that works 24 hours without breaks
  • It works in parallel — Like having 100 thieves robbing 100 houses at once instead of one thief hitting one house at a time
  • It's optimized — Built specifically for speed, like a race car versus a regular car

The Sileno attack locked 455 gigabytes per hour [1]. At that speed, a small business with 1 terabyte of data (a typical amount) would be completely locked in just over 2 hours.

Related: 67% of Breaches Start With a Stolen Login — Not a Hacked System: What Your Business Can Do Today

The Double Trouble: Stealing AND Locking

Here's the really important thing to understand: modern ransomware does two things:

  1. Steals your files first — Quietly copies your data to the hackers' computers over days or weeks
  2. Locks your files second — Then scrambles your originals so you can't use them

This is called "double extortion," and it changes everything.

Why backups alone aren't enough anymore: If you have great backups, you can ignore the ransom demand for unlocking your files. You just restore from backup. But the hackers still have your stolen data. They can threaten to publish it, sell it, or use it for fraud unless you pay them.

According to cybersecurity research, 77% of ransomware attacks now involve data theft before locking files [2].

The House Lock Analogy

Think of your business data like a house full of valuable stuff:

  • Old ransomware: Smashed your windows and locked your doors. You had backup keys (backups) to get back in.
  • New ransomware: Picks your locks, steals your most valuable items, AND then welds your doors shut. Even if you have backup keys, your stuff is already gone.

This is why modern security needs multiple layers: not just backups, but also security cameras (monitoring), better locks (access controls), and alarm systems (detection).

Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

What This Means for Small Businesses

You might think "I'm too small to target." But that's not how modern ransomware works:

  • It's automated — Hackers run automated attacks that scan the internet for vulnerable businesses, regardless of size
  • The money is in small businesses — Large companies have security teams. Small businesses often don't, making them easier targets
  • The average cost is $4.88 million — That's the global average cost of a ransomware attack, including recovery, lost business, and damage [3]

For many small businesses, a ransomware attack is fatal. Studies show that 60% of small businesses close within 6 months of a significant cyberattack [4].

The Protection Formula (Simple Version)

Good news: the protection against ransomware is straightforward, even for small businesses with limited budgets. Think of it like protecting your house:

1. Offline Backups (The Spare Keys You Keep at a Friend's House)

What it means: Keep copies of your important files on storage that hackers can't reach from your main network.

Why it works: When ransomware locks your files, you simply restore from the offline backup. The hackers can't touch the backup because it's not connected to your network.

How to do it:

  • External hard drives that you plug in only for backups, then unplug and store securely
  • Cloud backup with "immutable" storage (meaning it can't be changed or deleted for a set time)
  • Test your backups regularly by restoring files to make sure they actually work

Real-world data: Even when businesses pay ransoms, 82% can't recover all their data [5]. Working backups are the only reliable recovery method.

2. Network Segmentation (Fire Doors in Your Building)

What it means: Divide your computer network into separate sections so hackers can't move freely between them.

Why it works: If hackers get into one section (like guest WiFi), they can't reach critical systems (like payment processing or employee records).

How to do it:

  • Put guest WiFi on a completely separate network from business systems
  • Use different passwords for different parts of your network
  • Ask your IT person about "VLANs" or "network segmentation" — these are standard, affordable features in business networking equipment

Related: AI Let One Hacker Breach 600 Firewalls in 5 Weeks. Here's the 3-Fix Checklist That Would Have Stopped Every Single One

3. Detection Systems (Security Cameras and Alarms)

What it means: Software that watches for suspicious activity and alerts you immediately.

Why it works: Modern ransomware moves fast (hours, not days). You need automated systems watching 24/7 because humans can't monitor everything.

How to do it:

  • Install EDR (Endpoint Detection and Response) software on all computers — this is like antivirus but much smarter, watching for ransomware behavior patterns
  • Set up alerts for large data transfers (if suddenly gigabytes of data are leaving your network at 2 AM, something's wrong)
  • Use a security service that monitors your systems for you

4. Employee Training (Teaching Everyone to Lock Doors)

What it means: Training your team to recognize and avoid ransomware traps.

Why it works: Most ransomware attacks start with someone clicking a fake email or downloading a malicious file. Well-trained employees are your first line of defense.

How to do it:

  • Regular security awareness training (even 30 minutes monthly makes a huge difference)
  • Teach employees to verify unexpected emails before clicking links or attachments
  • Create a "report first" culture where employees are encouraged to report suspicious messages

The Cost Comparison: Protection vs. Recovery

Here's the reality that every business owner needs to understand:

Prevention costs: Basic ransomware protection (EDR, backups, training, and monitoring) typically costs $5K–$20K per year for a small business.

Recovery costs: The average ransomware attack costs $4.88 million globally [3]. For small businesses, it's often tens of thousands even without paying ransom — plus weeks of downtime, lost customers, and reputation damage.

This isn't fear-mongering. It's simple math: prevention is 100x cheaper than recovery.

The Good News: You Don't Need to Be Perfect

Here's what's encouraging: you don't need to stop every attack. You just need to make your business harder to target than others.

Ransomware attackers are opportunistic. They prefer easy targets. When you implement:

  • Offline backups (they can't lock your recovery)
  • Network segmentation (they can't move freely)
  • Detection systems (you catch them early)
  • Employee training (fewer successful attacks)

You become a harder target. Many attackers will move on to easier prey.

The Reality Check: This Can Happen to Any Business

Sileno Companies Inc is a real business with real employees and real customers. Their attack happened in March 2026 — not 2016, not ancient history [1]. This is happening today, to businesses of all sizes.

The difference between businesses that survive ransomware and businesses that don't often comes down to one thing: preparation before the attack.

Ransomware isn't a technology problem anymore. It's a business risk, like fire, flood, or economic downturn. Smart businesses prepare for it.

What You Can Do This Week

Based on what we know from the Sileno attack and current ransomware threats, here's your immediate checklist:

  1. Check your backups — Ask your IT person: "Are our backups offline and tested?" If they can't immediately say yes, that's a problem.
  2. Review your network — Are guest networks separate from business systems? Can anyone on the WiFi reach payment systems?
  3. Install EDR — If you're running old-style antivirus only, upgrade to EDR. The cost difference is small, but the protection improvement is massive.
  4. Train your team — Schedule a 30-minute security training session. Cover email safety and what to do if something seems suspicious.
  5. Make a plan — Document what to do if ransomware hits: who to call, how to isolate systems, and how to restore from backup.

FAQ

It depends on how your backups are set up. If backups are connected to your network all the time, yes — ransomware can lock them too. This is why offline backups (storage that's not connected to your network except during backup operations) are essential. Think of it like keeping spare keys at a friend's house instead of under your doormat.

No. Law enforcement, cybersecurity experts, and government agencies all recommend against paying ransoms. Here's why:

  • 82% of businesses that pay still can't recover all their data [5]
  • Paying funds criminal operations and encourages more attacks
  • There's no guarantee the hackers will actually unlock your files or delete stolen data

The only reliable recovery is from backups. If you don't have backups, work with cybersecurity professionals who may have other options.

Recovery time varies based on:

  • Backup quality — If you have tested, offline backups, recovery might take days
  • System complexity — More systems and more data means longer recovery
  • Planning — Businesses with incident response plans recover faster

Average recovery time from IBM's research is 297 days for full business recovery [3], though basic operations can often resume in days if you have good backups and a solid plan.

Think of it like security guards:

  • Antivirus — Checks ID cards against a blacklist of known bad guys. Good for stopping known threats, but misses new ones.
  • EDR (Endpoint Detection and Response) — Watches behavior patterns. If someone is acting suspiciously (trying thousands of doors, carrying unusual packages), EDR flags them even if they're not on any blacklist.

Modern ransomware uses new variants that antivirus doesn't recognise. EDR detects ransomware by watching for ransomware behavior patterns: rapid file encryption, suspicious process activity, and unusual network connections.

There's no one-size-fits-all answer, but here's a reasonable framework for a business with 10-50 employees:

  • EDR software: $500–$2,000 per year
  • Offline backups: $500–$3,000 per year (hardware + cloud storage)
  • Network security (firewall, segmentation): $1,000–$5,000 one-time setup
  • Employee training: $500–$2,000 per year
  • Monitoring service: $1,000–$5,000 per year

Total: $3,500–$17,000 per year for a solid ransomware defense.

Compare this to the $4.88 million average cost of a ransomware attack [3], and it's clear: protection is vastly cheaper than recovery.

References

[1] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/

[2] Coveware, "Global Ransomware Report 2025," Coveware, 2025. [Online]. Available: https://www.coveware.com/global-ransomware-report

[3] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[4] U.S. National Cyber Security Alliance, "Small Business Survey 2025," NCSA, 2025. [Online]. Available: https://www.staysafeonline.org/small-business-survey

[5] Veeam, "Data Protection Report 2025," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report

You don't have to face this alone. lilMONSTER helps small businesses build protection against modern ransomware without breaking the bank. We assess your risks, design practical protection plans, and make sure you can recover if anything happens. Book a free consultation at consult.lil.business — let's make sure your business stays secure, no matter what threats come your way.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation