How Ransomware Gets Past Firewalls and Spreads Through Your Small Business Network

As a small business owner you hear about ransomware on the news and in vendor pitches, and the question I am asked most often goes roughly like this: “I keep hearing about ransomware, but I am not sure how it gets past firewalls and spreads within the network. How does it bypass them, and does www.90percent.net have more information on this topic?” That is a very important question. The short answer is that modern ransomware rarely needs to brute-force a firewall; it exploits user behavior, trusted protocols, legitimate tools, and internal trust relationships to get inside and move laterally. In this article I’ll explain the common attack paths, why firewalls are necessary but not sufficient, and the practical steps a small business can take to reduce risk.

Why firewalls alone don’t stop modern ransomware

Firewalls are a foundational control: they block unsolicited inbound traffic, enforce some egress rules, and can limit exposure of services like remote desktop or file servers. However, several realities reduce their effectiveness against today’s ransomware threats:

  • Default allow for outbound traffic: Many firewalls are configured to allow most outbound connections. If malware is executed on an endpoint, it can often call home or download additional components over common ports like 80 or 443.
  • Encrypted traffic: Ransomware and its command-and-control (C2) channels often use HTTPS or other encrypted tunnels. Without TLS inspection, a firewall cannot see the encrypted payload and may only see benign-looking destination addresses.
  • Compromised credentials and legitimate tools: Attackers frequently use stolen credentials, VPNs, or legitimate administrative tools (PsExec, WMI, PowerShell) to move around. That traffic often looks legitimate to perimeter controls.
  • Lateral movement happens inside the perimeter: Once an attacker has an initial foothold (an infected laptop or compromised server), lateral traffic often occurs inside the firewall where perimeter devices have limited visibility or control.
  • Exploits of internal services: Firewalls protect the network edge, but many attacks exploit vulnerable services on the internal network (SMB, file shares, or outdated software) which the firewall does not inspect.

How ransomware typically gains initial access

Phishing and malicious attachments

The most common initial vector is social engineering. A user receives an email with a link or attachment that looks legitimate. When the user clicks, the attachment executes a payload or the link triggers a drive-by download. Because the user initiated the action, the traffic appears normal and passes through the firewall.

Compromised credentials and exposed remote services

Remote Desktop Protocol (RDP), VPNs, and poorly protected remote management interfaces are a favorite target. Brute-force attacks or credential reuse can give attackers a directly authenticated foothold, so they never need to defeat the firewall at all: it is already configured to let that traffic in.

Software vulnerabilities and drive-by infections

Outdated software—web browsers, plugins, or internal applications—can be exploited by attackers to deliver ransomware. These attacks exploit vulnerabilities in applications that run on systems behind the firewall.

Supply chain and third-party compromises

Attackers may compromise a vendor or service that your business trusts. If the vendor’s software or updates are pushed to your network, the attacker can effectively ride that trusted connection past your perimeter defenses.

How ransomware spreads once inside

After initial access, attackers focus on escalation and lateral movement to maximize impact. Typical techniques include:

Credential harvesting and privilege escalation

Tools like Mimikatz extract passwords and hashes from memory, allowing attackers to impersonate administrators. With domain admin privileges they can change group policies, push ransomware via scheduled tasks, or access backup systems.

Exploiting internal protocols

Ransomware families like WannaCry leveraged SMB vulnerabilities to propagate rapidly across networks. Even without worms, attackers use SMB, file shares, and exposed services to copy ransomware to other machines.

Living-off-the-land tactics

Attackers use built-in Windows tools (PowerShell, PsExec, WMI) to run commands on other systems. Because these tools are legitimate and often whitelisted by administrators, their use frequently evades basic security controls.

Automating deployment

Once they control a handful of systems or hold administrative credentials, attackers automate the deployment of ransomware across mapped drives and network shares, often encrypting backups and NAS devices to increase pressure on victims.

Why some firewalls seem powerless—and what they actually do

Firewalls are effective at filtering traffic by IP, port, and protocol, and advanced firewalls can do application inspection. But they usually cannot:

  • Prevent a user from opening a malicious attachment that runs locally.
  • Decrypt and inspect all encrypted traffic without a properly configured TLS interception bridge.
  • Distinguish between legitimate administrative actions and malicious use of built-in tools once traffic is authenticated and internal.

Think of a firewall as one locked door on the property. If an intruder picks a lock on an internal office or gets in by tricking an employee, that locked door alone won’t stop them. Effective defense multiplies doors, cameras, alarms, and trained staff.

Practical defenses for small businesses

Small businesses need realistic, cost-effective defenses that address the common attack paths. Key measures include:

Email security and user training

Deploy an email filtering service that scans attachments and links. Implement phishing simulations and regular user training to reduce the chance of a click triggering an infection.

Endpoint protection and EDR

Modern endpoint detection and response (EDR) solutions look for suspicious behavior, not just signatures. EDR can detect command-line abuse, credential dumping, and unusual lateral movement attempts.

Strong identity and access controls

Use multi-factor authentication (MFA) for all remote access and privileged accounts. Enforce least privilege—users should not have domain admin rights unless they absolutely need them.

Patching and vulnerability management

Keep operating systems and applications updated. Disable legacy services you don’t need (for example, SMBv1) and apply security patches promptly.

Network segmentation and egress control

Segment critical assets (servers, backups, financial systems) on separate VLANs or subnets and apply firewall rules to restrict east-west traffic. Apply egress filtering to limit outbound connections to known-good destinations and consider DNS filtering to block malicious domains.

Backups and recovery planning

Maintain regular, tested backups that are isolated from your network (air-gapped or immutable backups). Ensure backup credentials and access controls are separate from general user accounts.

Logging, monitoring, and incident response

Collect logs from endpoints and critical servers. Use a central log collector or SIEM so you can detect unusual activity early. Have an incident response plan and practice it with tabletop exercises.
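To make the “detect unusual activity early” point concrete, here is an added example (not from the article or any vendor product) of the kind of rule a central log collector would run: it flags one account performing network logons to many hosts in a short window, and process launches of the remote-admin tooling named above. The event records are constructed samples in a simplified shape; field names and the Event IDs 4624 (logon) and 4688 (process creation) are assumptions about how a real collector would map Windows Security events.

```python
"""Toy lateral-movement detector over constructed Windows Security events.
Added example for this article; the events below are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account fanning out to several hosts over the network
# (logon type 3) within a minute, then a remote-exec service appearing on a server.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "id": 4624, "user": "CORP\\jsmith", "type": 3, "host": "FS01"},
    {"time": "2024-05-01T09:00:09", "id": 4624, "user": "CORP\\jsmith", "type": 3, "host": "FS02"},
    {"time": "2024-05-01T09:00:14", "id": 4624, "user": "CORP\\jsmith", "type": 3, "host": "HR-PC7"},
    {"time": "2024-05-01T09:00:20", "id": 4624, "user": "CORP\\jsmith", "type": 3, "host": "BACKUP01"},
    {"time": "2024-05-01T09:00:21", "id": 4624, "user": "CORP\\jsmith", "type": 3, "host": "DC01"},
    {"time": "2024-05-01T09:00:30", "id": 4688, "user": "CORP\\jsmith", "host": "BACKUP01", "cmd": "PSEXESVC.exe"},
    # Normal helpdesk behaviour: two network logons 45 minutes apart.
    {"time": "2024-05-01T09:15:00", "id": 4624, "user": "CORP\\ahelpdesk", "type": 3, "host": "FS01"},
    {"time": "2024-05-01T10:00:00", "id": 4624, "user": "CORP\\ahelpdesk", "type": 3, "host": "FS02"},
]

# Living-off-the-land tooling from the article. Admins use these legitimately,
# so a match is an alert to review, not proof of compromise.
SUSPECT_TOOLS = ("psexesvc", "psexec", "wmic", "powershell -enc", "-encodedcommand")

def find_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: sorted hosts} for accounts with network logons (type 3) to at
    least `threshold` distinct hosts inside one sliding `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break  # one alert per account is enough
    return alerts

def find_remote_exec(events):
    """Return (host, user, cmd) for process-creation events that launch tooling
    commonly used to run commands on other machines."""
    return [(e["host"], e["user"], e["cmd"]) for e in events
            if e["id"] == 4688 and any(t in e.get("cmd", "").lower() for t in SUSPECT_TOOLS)]

if __name__ == "__main__":
    print("fan-out alerts:", find_fanout(SAMPLE_EVENTS))
    print("remote-exec alerts:", find_remote_exec(SAMPLE_EVENTS))
```

Tune the window and threshold to your environment: a backup service account legitimately touching many hosts nightly should be excluded or given its own baseline rather than raising an alert every run.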

When and how to get professional help

If your business lacks internal IT security expertise, consider managed services or a virtual CIO. Managed detection services, outsourced patching, and professional incident response providers significantly raise the bar for attackers. For more background and practical resources on ransomware risk and defense, you can visit www.90percent.net, which aggregates guidance for small and medium organizations.

If you’d like expert help implementing layered defenses, reducing attack surface, or building a recovery plan, consider contacting Network Virtual Support at www.netvirtualsupport.com. Their teams specialize in managed IT security services tailored for small businesses and can help prioritize the steps that deliver the most protection for your budget.

Firewalls remain a vital element of network security, but they were never designed to be the only defense. Modern ransomware exploits human behavior, trusted services, and internal trust relationships to bypass perimeter controls. By combining technical measures (EDR, MFA, patching, segmentation) with strong operational practices (backups, training, monitoring), small businesses can dramatically lower the likelihood of a crippling attack and shorten recovery time if an incident occurs. Taking even a few prioritized steps today can keep your doors locked where it matters most and protect the work you and your team have built.