In This Guide
- Key takeaways
- What ransomware is and how it gets in
- ACSC Essential Eight checklist
- MFA, patches and admin rights
- Block email & RDP attack paths
- Immutable backups (the recovery plan)
- EDR: detection & response
- Staff training & phishing drills
- If you're attacked: 60-minute playbook
- Brisbane-specific risks & help
- Cyber insurance and the Essential Eight
- Frequently asked questions
Brisbane SME owners are increasingly asking us for a simple plan to stop ransomware and bounce back fast if hit. The bad news: small Australian businesses are now targeted more than enterprises because attacks are automated and SMEs typically have weaker controls. The good news: a handful of basic controls — MFA, patching, immutable backups, EDR — block the vast majority of attacks for under $200/user/month all-in.
This guide is a plain-English Brisbane SME ransomware checklist plus recovery steps. It's based on the ACSC Essential Eight framework that cyber insurers increasingly demand, and reflects what we deploy for Geeks Brisbane managed clients on the $149/user/month Premium plan.
Key takeaways
Highest-impact controls (rank order): enforce MFA on 100% of accounts, patch OS and apps weekly, run EDR on every endpoint, immutable offsite backups tested monthly, remove local admin rights, close inbound RDP, train staff with phishing simulations. Geeks Brisbane Premium ($149/user/month) deploys all of this for SMEs.
What Ransomware Is and How It Gets In
Ransomware is malicious software that encrypts your files (turning them into unreadable .locked, .crypted, .babuk versions) and demands payment to unlock them. Modern attackers also steal data first ("double extortion") and threaten to publish it on dark web leak sites if you don't pay.
How Brisbane SMEs typically get hit
- Phishing email — staff click a malicious link or open an infected attachment (most common, ~70% of incidents)
- Compromised credentials — password reused on a breached site, attacker logs into M365, downloads SharePoint, deploys ransomware
- Exposed RDP or VPN — port 3389 open to the internet, brute-force or credential stuffing attack
- Unpatched vulnerability — old Exchange server, Confluence, FortiGate, Citrix exploited via internet
- Supply chain compromise — your IT vendor's RMM tool gets breached, ransomware pushed to all clients
The ACSC Essential Eight Checklist
The Australian Cyber Security Centre publishes a prioritised list of eight controls that stop the majority of attacks. Cyber insurers increasingly require Maturity Level 1 for SMEs to qualify for coverage. Here's the plain-English version:
| Control | What it means in practice | Effort |
|---|---|---|
| Application control | Block running unapproved apps (.exe from Downloads) | High |
| Patch applications | Browser, Office, Adobe, Zoom updated weekly | Low (automated) |
| Configure Office macros | Block macros from internet, sign internal ones | Low |
| User app hardening | Block ads, Flash, Java in browsers | Low |
| Restrict admin privileges | Daily user is not local admin; separate admin account | Medium |
| Patch operating systems | Windows/macOS updates within 14 days of release | Low (automated) |
| Multi-factor authentication | MFA enforced on all M365, VPN, admin and remote access | Low (free with M365) |
| Regular backups | Tested monthly, immutable, offsite, <7 day RPO | Medium |
Brisbane SMEs starting from zero can hit Essential Eight ML1 in 4-6 weeks of focused work — most of it free or inside existing Microsoft 365 licensing. Geeks Brisbane Premium clients are deployed to ML1 as part of onboarding.
MFA, Patches and Admin Rights
Three controls block most automated attacks. Get these right and 70%+ of ransomware never lands.
Multi-factor authentication (MFA)
Enforce MFA on every M365 account, VPN, RDP gateway, admin console and SaaS app. Use the Microsoft Authenticator app (free) — push notifications are easier than SMS codes and harder to phish. Add conditional access rules so MFA also kicks in on suspicious logins (overseas IP, unmanaged device, impossible travel).
OS and app patches
- Windows updates inside 14 days of release — automated via Intune or RMM
- macOS minor updates inside 14 days, major upgrades after 30-day soak period
- Browsers, Office, Adobe Reader, Zoom, Teams updated weekly via auto-update
- Server patches inside 30 days — schedule maintenance windows for downtime
- Network gear (firewalls, switches, APs) patched quarterly
Restrict local admin rights
Most ransomware needs local admin to spread. If staff log in as standard users, ransomware that lands on their laptop usually can't escape. Provide a separate admin account for IT tasks, used only when needed (UAC prompts).
Pro tip: Use Microsoft Local Administrator Password Solution (LAPS) — it rotates the local admin password on each machine to a unique random value, stored encrypted in Azure AD. Free with Intune. Stops attackers using a stolen admin password to pivot across endpoints.
Block Email and RDP Attack Paths
Email security
- Configure SPF, DKIM, DMARC on your domain — stops attackers spoofing your business email
- Defender for Office 365 or Mimecast — sandboxes attachments, scans links at click-time
- Block macros from internet email — reduces ransomware-via-Word risk dramatically
- External sender warnings — staff see a banner on inbound email, harder to fall for fake CEO requests
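To make the SPF/DMARC item concrete, here is an added checker (not the page's or any vendor's tool) that audits constructed TXT records for a placeholder domain, showing the weak settings many SMEs start with beside the hardened ones:

```python
"""Audit a domain's SPF and DMARC TXT records for the weak settings that let
attackers spoof its email. Added example: the records are constructed for a
placeholder domain, not looked up from DNS; not the page's or any vendor's tool."""

# Constructed: the state many SMEs start in, and the hardened target state.
WEAK_RECORDS = {
    "example-sme.com.au": "v=spf1 include:spf.protection.outlook.com ?all",
    "_dmarc.example-sme.com.au": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example-sme.com.au": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example-sme.com.au": ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                                  "rua=mailto:dmarc@example-sme.com.au"),
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, records):
    """Return one finding per weak setting; an empty list means forged mail is rejected."""
    findings = []
    spf = records.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF missing: receivers cannot tell legitimate senders from forgers")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "?all"):   # pass-all / neutral: every sender is accepted
            findings.append(f"SPF ends in {last}: forged mail passes SPF")
    dmarc = records.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append("DMARC missing: receivers will not act on SPF/DKIM failures")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy}: spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC rua missing: no reports of who is spoofing you")
    return findings
```

Run the same audit against your real records (pulled with any DNS lookup tool) and work the findings list down to empty; p=quarantine is accepted here as a stepping stone, but p=reject is the end state.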
RDP and VPN
- Never expose RDP (port 3389) to the internet — top entry vector for SME ransomware
- Use Azure Virtual Desktop (AVD) or RDS Gateway behind MFA if remote desktop is genuinely needed
- VPNs should require MFA — passwords alone are not sufficient in 2026
- Patch firewalls aggressively — FortiGate, SonicWall and Citrix have all been ransomware entry points via known CVEs
Immutable Backups: The Recovery Plan
Backups are your insurance against everything else failing. Brisbane SMEs that survive ransomware do so because they could restore from clean backups. Those without clean backups either pay the ransom or close the doors.
The 3-2-1-1-0 rule (modern best practice)
- 3 copies of data
- 2 different media types
- 1 copy offsite
- 1 immutable (cannot be deleted by anyone, even your IT)
- 0 errors verified by monthly restore test
What Brisbane SMEs need to back up
- Microsoft 365 — Exchange Online, SharePoint, OneDrive, Teams (use Datto, Veeam or Dropsuite, not just Microsoft retention)
- Servers — image-level backups to local NAS plus immutable cloud (Azure, Wasabi, AWS S3 Object Lock)
- Endpoints — at least the user profile and Documents folder, automatic to cloud
- Line-of-business databases — Xero, MYOB, ServiceM8 etc. via vendor-native exports
Critical: Test restores monthly, not just check that backups ran. Most Brisbane SMEs that fail recovery had backups that "ran successfully" for months but weren't restorable. Restore tests catch silent failures.
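What a monthly restore test actually checks, as an added example (not the page's or any backup vendor's tool): it hashes the live data at backup time, restores from the backup copy, and fails if any file is missing or altered, on a constructed dataset in a temp directory.

```python
"""Monthly restore test: restore from a backup, then verify every file against the
SHA-256 manifest recorded when the backup was taken. Added example on a constructed
dataset in a temp directory; not the page's or any backup vendor's tool."""
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path relative to root to its digest at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in Path(root).rglob("*") if p.is_file()}

def verify_restore(restored, manifest):
    """One finding per missing or altered file; [] means the restore is usable."""
    findings = []
    for rel, expected in manifest.items():
        target = Path(restored) / rel
        if not target.is_file():
            findings.append(f"MISSING {rel}")
        elif sha256_of(target) != expected:
            findings.append(f"CORRUPT {rel}")
    return findings

def run_restore_test(corrupt_one=False):
    """Backup -> restore -> verify on constructed data. corrupt_one damages a
    restored file to show how a backup that 'ran successfully' still fails the test."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / n for n in ("live", "backup", "restored"))
        (live / "Documents").mkdir(parents=True)
        (live / "Documents" / "invoices-2026.xlsx").write_bytes(b"constructed invoice data")
        (live / "Documents" / "contract.docx").write_bytes(b"constructed contract text")
        manifest = build_manifest(live)       # hash the data you need back
        shutil.copytree(live, backup)         # the nightly job "ran successfully"
        shutil.copytree(backup, restored)     # the monthly restore test
        if corrupt_one:                        # stand-in for silent media corruption
            (restored / "Documents" / "contract.docx").write_bytes(b"\x00" * 24)
        return verify_restore(restored, manifest)
```

A green "backup completed" status never runs verify_restore; only the restore itself does, which is why the manifest and a scheduled restore are the control.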
EDR: Detection and Response
Antivirus alone misses modern ransomware. Endpoint Detection and Response (EDR) uses behavioural analysis to catch encryption attempts in seconds and isolate the endpoint before it spreads. Brisbane SME-grade options:
- Microsoft Defender for Business — included with Microsoft 365 Business Premium ($33/user/month). Good baseline for most SMEs.
- SentinelOne, CrowdStrike, Bitdefender GravityZone — premium options at $5-$15/user/month, used on Geeks Brisbane Premium plans
- Managed Detection and Response (MDR) — humans watching alerts 24/7. Extra $20-$50/user/month, makes sense for higher-risk industries
Modern EDR can auto-isolate a ransomware-infected machine inside 60 seconds, severing it from the network so it can't reach shared drives or other endpoints. Without this, by the time staff notice locked files, all shared drives and most endpoints are encrypted.
Staff Training and Phishing Drills
People are still the biggest attack surface. Run quarterly phishing simulations with KnowBe4, Curricula or similar — staff who click get a 5-minute training video, not punishment. Repeat-clickers need a conversation.
What every Brisbane SME staff member needs to know
- Never approve an MFA prompt you didn't trigger
- Hover over links before clicking — does the URL match the sender?
- The CEO doesn't ask for gift cards via email
- Banking changes from suppliers need a phone call to a known number to verify
- If something feels wrong, call IT before clicking
If You're Attacked: 60-Minute Playbook
You spot ransomware on a laptop or someone says "all my files have weird names." The first 60 minutes determine the recovery cost.
1. Disconnect — don't shut down. Pull the network cable and disable Wi-Fi. Don't power off (forensic evidence in memory is lost). Notify IT immediately.
2. Identify scope. Which user, which device, which shared drives? Check M365 audit logs for unusual file access. Disable affected user accounts.
3. Notify your MSP/IT and call your cyber insurance broker. Geeks Brisbane managed clients on Premium get 15-minute emergency response. The broker will assign a breach coach and forensics team.
4. Notify the ACSC. Report at cyber.gov.au. It takes little time but creates an official record and gives you access to ASD assistance.
5. Assess the data breach. Was personal data accessed or exfiltrated? If yes, the OAIC must be notified within 30 days under the Notifiable Data Breach scheme.
6. Recover from clean backups. Restore to a known-clean point. Don't restore back into a compromised network. Rebuild affected endpoints from a gold image.
7. Post-incident review. How did it get in? What controls would have stopped it? Implement them. Document everything for the cyber insurance claim.
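The "check M365 audit logs for unusual file access" step above, and the behaviour EDR keys on in the earlier section, both come down to one pattern: a single account renaming many files to ransomware extensions within minutes. As an added example (not a Microsoft or EDR vendor tool), this detector runs over constructed events shaped loosely like unified audit log records; the field names CreationTime, Operation, UserId and ObjectId are an assumption.

```python
"""Flag the audit-log pattern the playbook's 'identify scope' step looks for: one
account renaming many files to ransomware extensions within minutes, which is also
the behaviour EDR keys on. Added example over constructed events shaped loosely like
Microsoft 365 unified audit log records (CreationTime, Operation, UserId, ObjectId);
field names are an assumption, and this is not a Microsoft or EDR vendor tool."""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = (".locked", ".crypted", ".babuk")  # the ones named in the article
THRESHOLD = 5                   # renames to a ransom extension...
WINDOW = timedelta(minutes=10)  # ...inside this window raise an alert

# Constructed events: jane works normally, bob's account mass-renames at 11:00.
EVENTS = [
    {"CreationTime": "2026-03-02T09:00:00", "Operation": "FileModified",
     "UserId": "jane@example-sme.com.au", "ObjectId": "/Shared/Q1-forecast.xlsx"},
    {"CreationTime": "2026-03-02T09:05:00", "Operation": "FileRenamed",
     "UserId": "jane@example-sme.com.au", "ObjectId": "/Shared/Q1-forecast-v2.xlsx"},
]
EVENTS += [
    {"CreationTime": f"2026-03-02T11:{i:02d}:00", "Operation": "FileRenamed",
     "UserId": "bob@example-sme.com.au", "ObjectId": f"/Shared/invoice-{i}.pdf.locked"}
    for i in range(8)
]

def _when(event):
    return datetime.strptime(event["CreationTime"], "%Y-%m-%dT%H:%M:%S")

def find_mass_renames(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose ransom-extension renames hit `threshold`
    within `window`; alerts carry the user, total count and first/last timestamps."""
    renames = defaultdict(list)
    for event in events:
        if (event["Operation"] == "FileRenamed"
                and event["ObjectId"].lower().endswith(RANSOM_EXTENSIONS)):
            renames[event["UserId"]].append(_when(event))
    alerts = []
    for user, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": len(times),
                               "first": times[0], "last": times[-1]})
                break
    return alerts
```

The alert's user and first timestamp are exactly the scope answers step 2 asks for (which account, and when it started), and the same logic is what an EDR applies on the endpoint to trigger auto-isolation.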
Don't pay the ransom: Australian government guidance is not to pay. Roughly 30% of paying victims never get usable decryption. Paying funds further attacks and may breach sanctions if the attackers are on government lists. Restore from backups instead.
Brisbane-Specific Risks & Help
Sectors most at risk in SEQ
- Professional services — accountants, lawyers, financial planners hold sensitive data attractive to attackers
- Healthcare and allied health — patient data plus weak cyber maturity
- Construction and trades — high-value invoice fraud, often weak email security
- Hospitality groups — multiple sites, POS systems, payment data
- Not-for-profits — limited budget, often outdated systems
Brisbane SME ransomware reality (what we see)
Most attacks we respond to in Brisbane started with phishing 4-6 weeks before encryption — attackers had been inside the M365 tenant for weeks gathering data. By the time files locked, the data was already exfiltrated. Detection is the missing layer for most SMEs.
Premium plan ($149/user/month) deploys ACSC Essential Eight ML1 as standard. Free cyber insurance reports for managed clients. ABN-registered Brisbane engineers, 15-minute emergency response after-hours, ACSC-aligned methodology. 4.9 stars across 100+ reviews.
Cyber Insurance and the Essential Eight
Australian cyber insurance underwriters are tightening fast. Renewal questionnaires now demand evidence of:
- MFA on every account (not just admin)
- EDR deployed and managed
- Immutable offsite backups with restore tests
- Patch management policy with metrics
- Staff training and phishing simulation programs
- Documented incident response plan
Without documented evidence, premiums double or coverage is declined outright. Geeks Brisbane produces a free Digital Security Check report for managed clients, mapping current state against Essential Eight ML1 — the same evidence underwriters request. Standalone audits are $410.