People hear “ransomware” and think of hospitals in New York or pipelines in Texas. Big targets. Major news.

Here’s the reality: a significant percentage of ransomware attacks target businesses with under 50 employees, in markets exactly like Fargo-Moorhead. Not because attackers have a specific interest in North Dakota - because smaller businesses in regional markets tend to have the right combination of characteristics that make an attack profitable.

Why small businesses in mid-size markets get targeted

Real data, limited backup. A 10-person accounting firm in Fargo has client financial records, tax documents, and business data that’s genuinely valuable to encrypt. They’re less likely than a large enterprise to have verified offsite backups. If their data is encrypted, they often have no choice but to pay or rebuild from scratch.

Less security infrastructure. Large companies have security operations centers, endpoint detection, and incident response teams. Most small businesses have consumer-grade antivirus and whatever came with Windows. The attack difficulty is much lower.

High operational pressure. When your email, QuickBooks, and file server all stop working simultaneously, you can’t function. A restaurant can’t process orders. A law firm can’t access client files. A manufacturer can’t run their floor. Every hour of downtime is money. That pressure drives ransom payments.

Good payment history. Ransomware groups track which industries and business sizes actually pay. Small professional services firms - accounting, legal, healthcare-adjacent, insurance - have historically paid at higher rates.

How they get in

The most common entry points, in order:

  1. Phishing email with malicious attachment or link - someone on your team clicks something they shouldn’t. The malware installs quietly and waits.
  2. Remote Desktop Protocol (RDP) exposed to the internet - if you have RDP open without a VPN in front of it, automated tools are scanning for it and trying credentials around the clock.
  3. Unpatched software - ransomware groups regularly exploit known vulnerabilities that have patches available. If you’re behind on updates, you’re vulnerable to attacks that could have been blocked months ago.
  4. Compromised credentials - via phishing, credential stuffing, or malware that steals stored passwords.

What a ransomware attack actually looks like

It’s not immediate. Modern ransomware attackers typically spend weeks inside a network before they detonate anything. They’re mapping your systems, finding your backups, and making sure they can maximize the damage before they demand payment.

By the time your files are encrypted, the attacker has usually already:

  • Exfiltrated a copy of your data (so they can threaten to publish it)
  • Located and deleted or encrypted your backups
  • Mapped every machine on your network

The ransom demand in our region for a small business typically runs $10,000–$75,000 depending on what you have. Recovery without paying - rebuilding from scratch, paying for forensics, dealing with the downtime - often costs more.

How to make yourself a harder target

You can’t be impenetrable. But you can be harder to hit than the next business, which is often enough.

Verified offsite backups. The 3-2-1 rule: three copies of your data, on two different types of storage, with one offsite or in the cloud. Test restores quarterly. This is the most important thing you can do - it removes the leverage that makes ransomware work.

MFA everywhere. Especially email and remote access. This alone would prevent a majority of initial compromises.

Patch promptly. Critical patches within 48 hours of release. Everything else within two weeks. Automated patch management helps if you’re not doing this consistently.

No exposed RDP. If you need remote access, use a VPN with MFA in front of it, not direct RDP exposure to the internet.

Security awareness training. Phishing remains the most common entry point. Annual training and occasional simulated phishing tests make your team meaningfully harder to fool.

Fargo-Moorhead businesses are on attackers’ lists. The question is whether you’re the easy one or the harder one. DarkHorse IT can walk through your current setup and tell you exactly where your exposure is.