A construction company that can't access its ERP can't process payroll, track job costs, issue change orders, or bill for completed work. Every hour of downtime during an active project has a real dollar cost — and ransomware actors know it.
This is exactly why ransomware groups specifically target construction. It's not random. Construction firms typically have significant revenue, relatively immature IT security, and a business model where downtime creates immediate, compounding financial pain.
The Attack Chain: How Ransomware Enters a Construction Company
Entry Point 1: Phishing Targeting Project Staff
Construction firms receive hundreds of documents by email: change orders, RFIs, submittals, lien waivers, bid invitations, material invoices. Attackers exploit this volume by sending convincing fake documents with malicious attachments or links.
Common lures:
- Fake subcontractor invoice: "Invoice #8847 from ABC Mechanical — please review and approve"
- Fake change order: "Owner-directed change order #12 — action required"
- Fake lien waiver: "Conditional waiver attached — please countersign"
- Fake bid invitation: "Prequalification documents for Project XYZ — deadline Friday"
The attachment contains a macro-enabled Word document, a weaponized PDF, or a link to a fake document portal that harvests credentials.
Entry Point 2: Exposed RDP
Remote Desktop Protocol (RDP) is the most common attack vector for construction firms. Here's why: Sage 300 CRE, Viewpoint Vista, Foundation, and most on-premise construction ERPs are accessed by estimators, project managers, and accountants via RDP — typically because the ERP is installed on a server in the office and staff need remote access from home or the field.
If that RDP port (TCP 3389) is open to the internet without strong controls, attackers can brute-force the login or use credentials from breached employee accounts. Once they have RDP access, they're inside your network with the same access as a legitimate user.
Check right now: Does anyone at your company connect to the office server via Remote Desktop? If they connect directly (not through a VPN), your RDP is likely exposed. This is the single most common construction company attack vector and the easiest to fix — move RDP behind a VPN or replace it with a Remote Desktop Gateway.
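An added example (not from the original article) of the "check right now" above as a script: run in an elevated PowerShell on the office server staff connect to, and it reports whether RDP is enabled and listening, whether Network Level Authentication is required, which enabled firewall rules allow TCP 3389 from any address, and which source IPs have been failing logons over the network in the last day. It assumes Windows Server 2012 R2 or later (for the NetSecurity cmdlets) and that logon-failure auditing is on; the event 4625 property offsets are the documented ones for that event.

```powershell
# Added example, not from the article: local evidence of RDP exposure on this server.
# Assumptions: Windows Server 2012 R2+ (NetSecurity module), Security log auditing logon failures.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
# NLA forces authentication before a session exists; without it the login screen itself is exposed
$nlaRequired = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1
$listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

# Enabled inbound Allow rules for 3389 whose remote address is 'Any' (not scoped to LAN/VPN ranges)
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
}

# Failed logons in the last 24h that arrived over the network (LogonType 3 with NLA, 10 without),
# grouped by source IP. Event 4625 property offsets: [10] LogonType, [19] IpAddress.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
$failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { [int]$_.Properties[10].Value -in 3, 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending

[pscustomobject]@{
    RdpEnabled          = $rdpEnabled
    NlaRequired         = $nlaRequired
    ListeningOn3389     = $listening
    RulesOpenToAnyIP    = ($openRules.DisplayName -join '; ')
    FailedNetworkLogons = ($failed | Measure-Object -Property Count -Sum).Sum
} | Format-List

# Top sources of failures: public IPs you do not recognise mean the port is reachable from outside.
$failed | Select-Object -First 10 Name, Count | Format-Table -AutoSize

# This script cannot see a NAT/port-forward rule on the office router. If RdpEnabled and
# ListeningOn3389 are both true, also check the router for any forward of TCP 3389 to this host.
```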
Entry Point 3: Subcontractor and Vendor Access
Many construction firms give subcontractors access to Procore, shared drives, and sometimes even accounting systems. If a subcontractor's own systems are compromised, attackers can pivot to your network through that trusted access relationship. This is called a supply chain attack — your security depends on your vendors' security too.
What Happens Inside the Network
After gaining initial access, a skilled ransomware actor doesn't immediately encrypt everything. They follow this pattern:
- Lateral movement: Explore the network to map all systems, find backup servers, and identify the highest-value data (ERP database, financial records)
- Privilege escalation: Obtain domain administrator credentials — this gives them control over all Windows systems
- Backup destruction: Delete or encrypt backup files and backup software databases first, before touching production data
- Data exfiltration: Copy sensitive files (financial records, bid data, project files) to external servers for double-extortion leverage
- Encryption execution: Simultaneously encrypt all systems — ERP database, file servers, workstations — maximizing impact
The entire process from initial access to full encryption can take minutes or days, depending on the attacker's sophistication. The backup destruction step is critical — it's why "we have backups" isn't sufficient if those backups are on the same network.
The Controls That Stop Ransomware
1. Tested, Offline Backups — Non-Negotiable
The single most important ransomware defense is backups that attackers cannot reach and encrypt. This means:
- Immutable cloud backup: Azure Immutable Blob Storage, AWS Object Lock, or Wasabi with object lock enabled. Once written, these backups cannot be deleted or modified — not even by your own administrator credentials — for a defined retention period.
- Offline copy: A backup copy that is physically or logically disconnected from your network. An external drive stored off-site and rotated weekly, or a tape backup, provides this.
- Tested recovery: Backups are only valuable if you can actually restore from them. Your IT provider should perform a quarterly restore test — specifically restoring your ERP database to a test environment and verifying it works. "We have backups" without a tested restore is false confidence.
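An added example (not from the article or any ERP vendor) of what the quarterly restore test can look like when scripted. It assumes the ERP database runs on Microsoft SQL Server (not every construction ERP does; check your vendor), that the SqlServer PowerShell module is installed, that an isolated test instance exists, and that the backup path, instance name, test directory and sanity-check table are placeholders to replace with your own.

```powershell
# Added example, not from the article: automated quarterly restore test of an ERP database.
# Assumptions: SQL Server-based ERP, SqlServer module installed, isolated test instance.
# Every path, instance and table name below is a placeholder.
param(
    [string]$BackupFile   = '\\backup-nas\erp\ERP_FULL_latest.bak',
    [string]$TestInstance = 'RESTORETEST01\SQLEXPRESS',
    [string]$TestDb       = 'ERP_RestoreTest',
    [string]$TestDir      = 'D:\RestoreTest',
    [string]$SanityQuery  = 'SELECT COUNT(*) AS RowCount FROM dbo.JobCost'   # placeholder key table
)
Import-Module SqlServer -ErrorAction Stop
$sql = @{ ServerInstance = $TestInstance; QueryTimeout = 3600; ErrorAction = 'Stop' }

# 1. Media check: the backup file is readable and complete (not proof that the data is usable)
Invoke-Sqlcmd @sql -Query "RESTORE VERIFYONLY FROM DISK = N'$BackupFile'"

# 2. Logical file names differ per ERP vendor, so read them from the backup and build MOVE clauses
$files = Invoke-Sqlcmd @sql -Query "RESTORE FILELISTONLY FROM DISK = N'$BackupFile'"
$moves = foreach ($f in $files) {
    $ext = [IO.Path]::GetExtension($f.PhysicalName)
    "MOVE N'$($f.LogicalName)' TO N'$TestDir\${TestDb}_$($f.LogicalName)$ext'"
}

# 3. Restore under a throwaway name on the test instance, never over production
Invoke-Sqlcmd @sql -Query "RESTORE DATABASE [$TestDb] FROM DISK = N'$BackupFile' WITH $($moves -join ', '), REPLACE, RECOVERY"

# 4. A restore that completes but fails CHECKDB is not a usable backup (errors stop the script)
Invoke-Sqlcmd @sql -Database $TestDb -Query "DBCC CHECKDB (N'$TestDb') WITH NO_INFOMSGS, ALL_ERRORMSGS"

# 5. Application-level sanity: the ERP data is actually there
$rows = (Invoke-Sqlcmd @sql -Database $TestDb -Query $SanityQuery).RowCount
[pscustomobject]@{
    Tested = Get-Date; Backup = $BackupFile; RestoredAs = $TestDb
    RowCount = $rows; Passed = ($rows -gt 0)
} | Export-Csv -Path (Join-Path $TestDir 'restore-test-log.csv') -Append -NoTypeInformation

# 6. Clean up so the next quarter's test starts from nothing
Invoke-Sqlcmd @sql -Query "ALTER DATABASE [$TestDb] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE [$TestDb]"
```

The appended CSV is the evidence that the restore was actually tested, which is what turns "we have backups" into a verified claim.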
2. Close Exposed RDP
Move all remote access behind a VPN with MFA, or implement a Remote Desktop Gateway. If users truly need RDP access, it should never be directly internet-exposed. This single change eliminates the most common construction company attack vector.
3. EDR on All Endpoints
Traditional antivirus doesn't stop modern ransomware — EDR (Endpoint Detection and Response) does. EDR monitors process behavior, not just known malware signatures. When ransomware starts encrypting files, EDR detects the behavioral pattern and stops it — even if it's a new variant that antivirus has never seen. Microsoft Defender for Business (included in M365 Business Premium) provides EDR capability at a very reasonable cost for construction firms.
4. MFA on Email and Remote Access
If an attacker steals an employee's credentials through phishing, MFA prevents them from logging in. This breaks the most common initial access chain. MFA must be enforced for email (Microsoft 365 or Google Workspace) and for VPN or any remote access portal.
5. Segment Subcontractor and Vendor Access
Subcontractors should have access to Procore and shared document portals — not to your internal network, ERP, or file servers. Guest access to Microsoft 365 can be scoped to specific SharePoint sites and Teams channels without giving access to the broader tenant. Review all active external user accounts quarterly and remove those associated with completed projects.
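An added example (not from the article) of the quarterly external-account review, using the Microsoft Graph PowerShell module: it lists every guest account in the Microsoft 365 tenant with the Teams and SharePoint-connected groups it belongs to, which is how you map a guest back to a project, and flags invitations never accepted, guests that never signed in, and guests idle past a threshold. It assumes an admin with User.Read.All and AuditLog.Read.All, an Entra ID P1 licence in the tenant (required for sign-in activity data), and a 90-day idle threshold chosen as a placeholder.

```powershell
# Added example, not from the article: quarterly review of guest (external) accounts in M365.
# Assumptions: Microsoft.Graph module, User.Read.All + AuditLog.Read.All, Entra ID P1 licence.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
$cutoff = (Get-Date).AddDays(-90)   # placeholder idle threshold

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$review = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # Group memberships (Teams, SharePoint-connected groups) tie the guest to a project
    $groups = (Get-MgUserMemberOf -UserId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties['displayName'] }) -join '; '
    $reason = switch ($true) {
        ($g.ExternalUserState -eq 'PendingAcceptance') { 'Invited but never accepted'; break }
        ($null -eq $lastSignIn -and $g.CreatedDateTime -lt $cutoff) { 'Never signed in'; break }
        ($lastSignIn -and $lastSignIn -lt $cutoff) {
            "No sign-in since $($lastSignIn.ToString('yyyy-MM-dd'))"; break
        }
        default { $null }
    }
    if ($reason) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName; Mail = $g.Mail; Created = $g.CreatedDateTime
            LastSignIn = $lastSignIn; Groups = $groups; Reason = $reason; UserId = $g.Id
        }
    }
}
$review | Sort-Object Created | Export-Csv -Path '.\guest-review.csv' -NoTypeInformation
"$(@($review).Count) of $(@($guests).Count) guests flagged for review; see guest-review.csv"

# Once a project manager confirms the project is closed, remove the account by its UserId:
#   Remove-MgUser -UserId <UserId-from-csv> -Confirm
```

Removal is deliberately left as a manual, confirmed step: the script produces the list for the people who know which projects are complete, rather than deleting accounts on a date alone.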
6. Patch Management — Especially the ERP
Unpatched systems are a major ransomware entry point. This includes Windows servers running your ERP, the ERP application itself, and all workstations. Critical and high-severity patches should be applied within 30 days of release. Your IT provider should maintain a patch compliance dashboard and alert you when critical patches are outstanding.
If You're Already Hit: First 30 Minutes
If you discover ransomware is executing:
- Disconnect affected systems from the network immediately — pull ethernet cables, disable Wi-Fi. Don't shut them down, since a running system preserves forensic evidence that is lost on power-off; just disconnect it.
- Call your IT provider's emergency line, not their standard support line.
- Don't pay yet — call your cyber insurance carrier first; they often have incident response resources and will guide you through the process.
- Preserve evidence — document what you're seeing with photos; don't delete anything.
- Notify leadership — this is a business continuity event, not just an IT issue.
Construction companies need IT support that understands the construction technology stack — including how to back up and recover a Sage or Viewpoint ERP, how to segment subcontractor access, and how to close the RDP vulnerabilities that make construction firms easy targets. The controls above aren't complex. They're achievable for any construction firm — but they require an IT provider who treats them as requirements, not options.