The call comes in mid-morning, usually. The business owner’s voice has that specific quality — not quite panic, but close to it. They explain that something is wrong with the computer, that files aren’t opening, that there’s a message on the screen asking for payment. We ask them to read the message back to us. They do, and we already know what we’re dealing with before they finish the second sentence.
The next few minutes are a kind of triage. We talk them through isolating the machine — unplug the network cable, don’t click anything else, don’t try to open more files. And then we ask the question that determines everything that comes next: do you have a backup?
There’s a pause. Sometimes they say yes. More often, there’s a longer pause, and then something like “I think so” or “we have an external drive somewhere” or just silence. That pause is the moment where the conversation either becomes a recovery procedure or a much harder conversation. If the answer is no — truly no — we have to tell them something no one wants to hear: there may not be a path back.
What Ransomware Actually Does (and What It Doesn’t)
Ransomware is not a virus in the traditional sense. It doesn’t delete your files. It encrypts them — scrambles them with a key that only the attacker holds — and then demands payment in exchange for that key. The encryption itself is, for practical purposes, unbreakable. There is no tool we can run, no trick, no forensic process that undoes it without either the decryption key or a clean copy of the data from before the attack.
The idea that you can just pay and get your files back is partly true and largely unreliable. Some ransomware operators run what amounts to a criminal business — they send the key, files come back. Others take the payment and disappear. Others send a partially working key. And paying once puts you on a list of businesses that paid, which means you’re more likely to be targeted again. We don’t recommend paying. We don’t help facilitate it. And we can’t promise it works even when clients choose to try.
What we’ve observed in Eastern NC specifically is that small businesses are the target of choice for a lot of these campaigns, not despite their size but because of it. A large company has an IT department, security software, policies, someone watching the logs. An owner-operated business in Carteret County has a computer, maybe a network drive, and the owner doing everything themselves. That gap is exactly what gets exploited.
What “No Backup” Means in Practice
When ransomware hits a business with no backup, the files are gone. That’s the short version. The longer version is what “gone” actually means for a business that’s been operating for years.
QuickBooks data from the last decade, encrypted. Customer invoices going back five years, encrypted. The spreadsheet with all the vendor contacts, encrypted. The folder of project photos that the owner never printed out, encrypted. Whatever was on that machine — contracts, permits, employee records, bid histories, reservation logs — it’s all locked behind a key you don’t have.
Then the downstream effects start. You can’t invoice because you can’t see what jobs are open. You can’t look up a customer’s order history. You can’t pull a past contract to reference the scope. The business doesn’t stop existing, but it loses its memory.
We think about this in ENC terms because the stakes here have a seasonal edge. A vacation rental manager hit by ransomware in late May can’t pull booking records for a property with a check-in that weekend. A restaurant running a reservation system on an on-site machine loses the list for Saturday night. A marine services business heading into peak season can’t access the service history for boats already scheduled. We saw a similar pattern in a storm surge recovery case in New Bern — the business lost both primary and backup data because both were in the same physical location. These are not hypothetical scenarios. These are the kinds of businesses we serve, and the timing of an attack in this region can turn a bad week into a catastrophic one.
The Backup Changes Everything
When a client with a managed backup in place calls with the same ransomware scenario, the conversation is different from the first sentence. It’s still stressful — ransomware is never a good morning — but it has a shape. We know where it goes.
The process: isolate the infected machine, identify the last clean backup point, restore to a clean machine or a wiped drive, verify the data is intact, confirm the attack vector is addressed so it doesn’t happen again, put the client back to work. In a straightforward case with a recent backup and a single affected machine, that’s a same-day or next-day recovery. Hours, not weeks.
The data is whole. The client loses some billable time and the cost of the recovery work. They don’t lose the business’s memory. They don’t face the question of whether to pay a criminal or write off years of records.
That’s the entire difference. Not a software feature or a technical detail — it’s the difference between a procedure and a loss.
What We Actually Set Up
The approach we use for managed backup isn’t a single product or a single copy. It’s two layers, because a single layer has single points of failure.
The first layer is local — a backup that lives on-site or on an attached device. This is what handles the everyday failures: accidental file deletion, a drive that crashes, a user who overwrites something they shouldn’t have. Local backup is fast to restore from because the data doesn’t have to travel over the internet. For most everyday incidents, this is all you need.
The second layer is offsite — a backup that lives somewhere physically separate from the business. Cloud storage, a remote location, whatever fits the client’s situation and budget. This is what handles the scenarios where the physical location is the problem: fire, flooding, storm surge that takes out the server room, or ransomware that encrypted the local backup along with everything else. If the building is gone, the offsite backup is still there.
The tooling we choose varies by client. Data volume matters. How long a business can be down before it becomes a serious problem matters. Budget matters. We don’t have a single answer for every business, and we don’t try to sell everyone the same thing.
What doesn’t vary is the verification step. A backup that isn’t confirmed to be running is not a backup — it’s an assumption. We check that the job is actually completing, that the data is actually recoverable, that the schedule is actually being followed. We’ve seen clients who thought they had a backup for years and discovered, at the worst possible moment, that the drive had filled up six months ago and nothing had been written since. A backup job that silently fails is worse than no backup in some ways, because it creates a false sense of protection.
ENC-Specific Risk Factors
Running a business on the Crystal Coast introduces risk factors that aren’t on the radar for most of the cybersecurity content written for a general audience, which tends to assume you’re operating in a climate-controlled office park somewhere inland.
Hardware fails faster here. Salt air and high humidity are hard on electronics — drives, connectors, cooling systems. A hard drive that might run reliably for five years in a Raleigh office building might start showing problems in three years in a Beaufort waterfront location. We’ve pulled dead drives out of coastal offices and seen the corrosion firsthand. Mechanical failure isn’t an attack, but it produces the same outcome: your data is inaccessible and you’re hoping a backup exists. We’ve documented the single-point-of-failure pattern that makes these situations so devastating for small businesses.
Hurricane season is an active threat, not a theoretical one. A storm surge event that puts a foot of saltwater through a ground-floor office doesn’t distinguish between the computer and the external drive sitting next to it. Both are gone. Any backup stored in that room is gone with it. An offsite backup survives the storm. A local-only backup doesn’t.
Malware patterns also have a seasonal character here. Tourism traffic brings volume — more point-of-sale transactions, more payment data moving through systems, more temporary staff who are less familiar with security basics, more email moving in and out. The period between late May and early September is when we see more credential theft attempts, more phishing, more POS-targeted malware. It’s not coincidental. The attack surface gets bigger when the region gets busy, and the pressure to stay operational is highest exactly when the threat level is elevated.
The One Thing You Should Do This Week
This is not a complicated ask: find out whether your backup is running.
Not “do you have a backup set up” — you may have set something up years ago and never checked it since. The question is whether it’s running today, whether it completed successfully the last time it was supposed to run, and whether you’ve ever actually tried to restore from it.
If you don’t know the answers to those questions, find out before something forces you to find out the hard way.
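The three questions above (is it running, did the last run complete, can you restore from it) and the verification step described under "What We Actually Set Up" can be turned into a scheduled check. This is an added example, not the tooling described in this post; it assumes a backup job that writes one `.zip` archive per run into a folder, a daily schedule (hence the 26-hour threshold), and constructed sample data in `demo()`.

```python
import shutil
import tempfile
import time
import zipfile
from pathlib import Path

def check_backup(backup_dir, max_age_hours=26, min_free_bytes=1 << 30, now=None):
    """Return a list of problems found; an empty list means every check passed."""
    now = time.time() if now is None else now
    archives = sorted(Path(backup_dir).glob("*.zip"),
                      key=lambda p: (p.stat().st_mtime, p.name))
    if not archives:
        return ["no backup archives found"]
    latest, problems = archives[-1], []

    # 1. Is it running on schedule? The newest archive must be recent.
    age_hours = (now - latest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"stale: newest archive is {age_hours:.0f}h old")

    # 2. Can the next run complete? A full destination drive fails silently.
    if shutil.disk_usage(backup_dir).free < min_free_bytes:
        problems.append("low free space on backup destination")

    # 3. Is it recoverable? Verify every member's CRC, then restore to scratch.
    try:
        with zipfile.ZipFile(latest) as zf, tempfile.TemporaryDirectory() as scratch:
            bad = zf.testzip()
            if bad is not None:
                problems.append(f"corrupt member: {bad}")
            else:
                zf.extractall(scratch)
                if not any(p.is_file() for p in Path(scratch).rglob("*")):
                    problems.append("restore produced no files")
    except (zipfile.BadZipFile, OSError) as exc:
        problems.append(f"unreadable archive: {exc}")
    return problems

def demo():
    """Constructed sample data: a good archive, then a newer truncated one."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "backup-1.zip"
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("invoices/2024.csv", "id,amount\n1,100\n")
        healthy = check_backup(d, min_free_bytes=0)
        # Same folder seen six months later with no new archive written.
        stale = check_backup(d, min_free_bytes=0, now=time.time() + 180 * 86400)
        # A newer archive cut off mid-write, e.g. when the drive filled up.
        (Path(d) / "backup-2.zip").write_bytes(good.read_bytes()[:20])
        truncated = check_backup(d, min_free_bytes=0)
        return healthy, stale, truncated
```

Run it from a scheduler and alert on any non-empty result; a check that only logs to the same machine repeats the silent-failure problem.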
If you don’t have a backup, get one in place. It doesn’t have to be our setup — call us or call someone, but get it done before you need it. We’re at 252-777-2488. Learn more about our team or read about what a managed backup looks like for your business on our business backup and recovery page.
Ransomware recovery with a backup in place is a procedure. Without one, it’s a loss.
We’ve had both kinds of calls. We know which one we’d rather be making with you. If you want to make sure you’re set up before something happens, reach out — the best time to sort out your backup is before it matters.
All cases are anonymized. No client-identifying details included.