Ransomware Protection for Utah Businesses: What Actually Works in 2025
Two-thirds of businesses were hit by ransomware in the past two years. Here's what Utah companies need to know about prevention, backups, and recovery.
- Ransomware attacks surged 84% year-over-year, with attackers now specifically targeting backup systems to eliminate recovery options
- Immutable backups — copies that can't be modified or deleted — are the single most important defense against ransomware extortion
- Utah's growing tech, healthcare, and professional services sectors are high-value targets due to the sensitive data they handle
- A tested incident response plan can mean the difference between a 4-hour recovery and a 4-week shutdown
A logistics company in Utah County opens for business on a Monday morning. Every computer shows the same message: files encrypted, pay $250,000 in Bitcoin within 72 hours or the data is gone forever. Their server backups? Encrypted too — the attackers had been inside the network for three weeks before pulling the trigger.
This scenario plays out across the country every day. And it’s hitting Utah businesses harder than most owners realize.
Ransomware in 2025: What’s Changed
Ransomware isn’t new, but the business model behind it has evolved dramatically. Today’s attacks are run by organized criminal enterprises that operate like software companies — with customer support teams, negotiation specialists, and affiliate programs that let less-skilled attackers use their tools for a cut of the ransom.
The numbers paint a stark picture. Ransomware attacks increased 84% year-over-year in early 2025. Two-thirds of businesses report being hit in the past two years. And the average ransom demand for mid-size businesses now exceeds $200,000 — not counting downtime, recovery costs, and reputational damage.
But the most alarming trend is backup targeting. In 96% of ransomware incidents, attackers specifically go after backup systems. They know that if they can encrypt or delete your backups, you have no choice but to pay.
Why Utah Businesses Are in the Crosshairs
Utah’s economy is booming, and that’s both a strength and a vulnerability. The Silicon Slopes corridor is home to hundreds of tech companies handling valuable intellectual property. Healthcare organizations across the valley manage protected patient data that attackers can use for double extortion — threatening to both lock your files and publish sensitive records. Professional services firms, from accounting to legal, hold client data that can’t afford to be exposed.
Many of these are small and mid-sized businesses without dedicated security operations centers. Attackers know the math: these companies have valuable data but often lack the defenses of an enterprise. The payoff is high and the resistance is low.
The Attack Timeline: How Ransomware Actually Works
Understanding the stages of a ransomware attack helps you see where defenses need to be placed:
Initial access (Day 1). The attacker gets in — usually through a phishing email, an exposed remote desktop port, or a compromised vendor credential. This step is often quiet and unremarkable.
Lateral movement (Days 2-14). Once inside, the attacker explores your network. They identify file servers, backup systems, and domain controllers. They escalate privileges and establish persistence so they can survive a reboot or password change.
Backup destruction (Days 14-21). Before encrypting anything, the attacker disables or deletes your backups. Shadow copies, local backup drives, and even cloud backup agents are targeted. This is the step most businesses don’t plan for.
Encryption and extortion (Day 21+). With backups neutralized, the attacker encrypts everything and drops the ransom note. Many now also exfiltrate data first, threatening to publish it if you don’t pay — even if you can restore from backups.
If you can access your backups from the same network and with the same credentials as your production systems, an attacker can too. That’s the gap that immutable and air-gapped backups are designed to close.
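The backup-destruction and encryption stages above leave behavioral traces that monitoring can catch before the ransom note drops. The following script is an added example written for this page, not code from Brivy IT or from any product named here. It runs two detectors over a constructed set of endpoint events (process creations and file modifications): one matches command lines that delete Volume Shadow Copies or disable Windows recovery (the widely documented pre-encryption step), the other flags any process that rewrites an unusually large number of distinct files inside a short window. The event format, hostnames, account names, thresholds and the sample log entries are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command lines that delete shadow copies or disable Windows recovery options.
# These are widely documented precursors to encryption (MITRE ATT&CK T1490);
# the list is illustrative, not complete.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


def detect_recovery_tampering(events):
    """Return (host, user, cmdline) for each process-creation event whose
    command line matches a recovery-tampering pattern."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and any(
            p.search(ev["cmdline"]) for p in RECOVERY_TAMPER_PATTERNS
        ):
            hits.append((ev["host"], ev["user"], ev["cmdline"]))
    return hits


def detect_mass_modification(events, window_seconds=60, min_files=50):
    """Map (host, process) -> peak number of distinct files it modified within
    any sliding window of `window_seconds`, for pairs reaching `min_files`.
    A word processor saving a few documents never gets near the threshold;
    an encryptor rewriting a share does within seconds."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_modify":
            per_proc[(ev["host"], ev["process"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["path"])
            )
    alerts = {}
    for key, items in per_proc.items():
        items.sort()
        window, in_window, peak = deque(), defaultdict(int), 0
        for ts, path in items:
            window.append((ts, path))
            in_window[path] += 1
            # Evict events that fell out of the window before counting.
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                _, old_path = window.popleft()
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
            peak = max(peak, len(in_window))
        if peak >= min_files:
            alerts[key] = peak
    return alerts


def build_sample_events():
    """Constructed endpoint telemetry: a benign user saving documents, then a
    compromised backup-service account deleting shadow copies and encrypting a share."""
    base = datetime(2025, 3, 3, 6, 12, 0)
    events = []
    for i in range(6):  # benign: one save every two minutes
        events.append({
            "ts": (base + timedelta(minutes=2 * i)).isoformat(),
            "host": "WS-ACCT-07", "user": "jdoe", "process": "WINWORD.EXE",
            "type": "file_modify", "path": rf"\\FS01\finance\q1\report_{i}.docx",
        })
    events.append({  # shadow copies wiped right before encryption starts
        "ts": (base + timedelta(minutes=15)).isoformat(),
        "host": "FS01", "user": "svc_backup", "process": "cmd.exe",
        "type": "process_create",
        "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
    })
    for i in range(120):  # malicious: 120 files rewritten in 30 seconds
        events.append({
            "ts": (base + timedelta(minutes=16, milliseconds=250 * i)).isoformat(),
            "host": "FS01", "user": "svc_backup", "process": "svchost_.exe",
            "type": "file_modify", "path": rf"D:\shares\finance\doc_{i:03d}.xlsx.locked",
        })
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for host, user, cmd in detect_recovery_tampering(evs):
        print(f"[T1490] {host} {user}: {cmd}")
    for (host, proc), peak in detect_mass_modification(evs).items():
        print(f"[mass-modify] {host} {proc}: {peak} distinct files in 60s")
```

On the sample data the first detector fires on the `vssadmin` command and the second flags only the encryptor on FS01 (120 distinct files within the window); the Word process peaks at one file per window and stays silent. In a real deployment the threshold should be tuned per role, since build servers and backup jobs legitimately touch thousands of files, and the shadow-copy alert deserves a far lower tolerance than the volume alert because it almost never happens outside maintenance windows.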
What Actually Stops Ransomware
There’s no single silver bullet, but these five controls stop the vast majority of ransomware attacks — or limit the damage when one gets through:
1. Immutable backups. This is the single most important control. An immutable backup is a copy that the storage layer refuses to modify, encrypt, or delete for a fixed retention period, and a properly configured lock holds even against an administrator whose credentials the attacker has stolen. Solutions like Veeam with immutability, Datto, or cloud object storage with object lock ensure that even if an attacker compromises your entire network, your backup copies remain intact and recoverable. Two details decide whether that promise actually holds: the lock mode (governance-style locks can be lifted by a sufficiently privileged account, compliance-style locks cannot be lifted by anyone until they expire) and the retention window, which must outlast the weeks an attacker may spend inside your network before pulling the trigger, or the only locked copies left will be ones that have already expired.
2. Network segmentation. Don’t let your entire network be one flat playground for attackers. Segment your backup infrastructure, your sensitive data, and your admin tools onto separate network zones with strict access controls. If an attacker compromises a workstation, they shouldn’t be able to reach your backup server directly.
3. Endpoint detection and response (EDR). Traditional antivirus catches known malware. EDR watches for behaviors — like a process rapidly encrypting files or a user account accessing thousands of files it’s never touched before. Modern EDR tools can automatically isolate a compromised machine before the damage spreads.
4. Patch management. Many ransomware attacks exploit known vulnerabilities that have patches available. The problem is the patch never got applied. A disciplined patching schedule — especially for internet-facing systems and VPN appliances — closes these doors before attackers can walk through them.
5. Email security and user training. Since phishing remains the top initial access vector, strong email filtering combined with regular security awareness training gives you the best chance of stopping an attack before it starts.
Your Incident Response Plan: The Difference Between Hours and Weeks
Even with strong defenses, you need a plan for when something gets through. The businesses that recover in hours instead of weeks have one thing in common: they practiced before it happened.
Your ransomware incident response plan should answer these questions before an attack occurs:
- Who makes the call to isolate systems? (This needs to happen in minutes, not hours.)
- Where are our immutable backups, and who knows how to restore from them?
- What’s our communication plan for employees, customers, and vendors?
- Do we have cyber insurance, and what’s the claims process?
- What’s our legal obligation for breach notification in Utah?
Run a tabletop exercise with your leadership team at least once a year. Walk through a realistic ransomware scenario and identify gaps in your response plan before you’re under pressure.
Don’t Wait for the Ransom Note
At Brivy IT, we help Utah businesses build ransomware-resilient infrastructure — from immutable backup architecture to endpoint protection and incident response planning. If you’re not confident your backups would survive a targeted attack, reach out for a free assessment. We’ll show you exactly where your gaps are and what it takes to close them.