Why Ransomware Groups Are Increasingly Targeting Small Businesses

Rachel Kowalski

March 1, 2026

There’s a persistent myth in the small business world: hackers go after the big fish. Banks, hospitals, government agencies — those are the targets worth attacking. A local accountancy firm with twelve employees? A family-run dental practice? A regional logistics company with three trucks? Why would anyone bother?

The answer, increasingly, is that ransomware groups prefer smaller targets — and that shift is now well-documented. Understanding why it’s happening, what attackers are looking for, and what SMBs can realistically do about it isn’t a luxury anymore. It’s basic operational survival.

The Economics of Targeting Small Business

Ransomware has evolved from a scattered, opportunistic threat into a structured criminal industry. The groups running these operations aren’t lone coders working from basements — they’re organised teams with business development functions, customer support desks (genuinely), and affiliate networks. They run on a model called Ransomware-as-a-Service (RaaS), where core developers license their malware to affiliates who execute the attacks and share revenue.

What does that model want? Volume and predictability. Large enterprise attacks occasionally produce enormous payouts, but they attract intensive law enforcement attention, take months to execute, and are more likely to be detected and evicted before the payoff. Enterprise security teams have incident response retainers, offline backups, and dedicated threat intelligence feeds.

Small businesses don’t. A dental practice is unlikely to have a CISO. A regional law firm probably isn’t running EDR tools on every endpoint. An HVAC contractor almost certainly hasn’t segmented their network or tested their backup restoration process. These aren’t criticisms — they’re economic realities of running a business where security competes with payroll, stock, and a dozen other priorities.

For ransomware affiliates, the calculus is straightforward. As an illustration: forty attacks on SMBs at £15,000–£50,000 each produce better returns with lower risk than one enterprise attack that might yield £500,000 but requires months of dwell time and carries a real chance of being detected and neutralised before payoff.

[Image: Small business owner looking at a locked computer screen with a ransomware demand message]

Why SMBs Make Softer Targets Than They Realise

There are a few structural reasons why small businesses are genuinely easier to compromise than they might expect, and most of them have nothing to do with carelessness.

Patch lag is severe. Larger organisations have dedicated IT teams whose job includes tracking CVEs and deploying patches quickly. In an SMB, patching is often handled reactively — when something breaks — or outsourced to an MSP (managed service provider) that may itself be understaffed. Ransomware groups track newly disclosed vulnerabilities and move fast. The gap between “vulnerability published” and “attackers scanning for it” is now measured in hours, not weeks.

Remote access is often wide open. After COVID, remote working infrastructure went up fast and security hardening followed slowly (or not at all). RDP (Remote Desktop Protocol) exposed to the internet remains one of the most common initial access vectors for ransomware. It’s brute-forceable, and credential stuffing attacks against it are automated. Many SMBs set up RDP for a remote worker in 2020 and never locked it down further.
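As an added example (not code from the article), here is what that automation looks like in a server's own logs, and a minimal way to spot it: a sliding-window count of failed RDP logons per source address that also requires several distinct target accounts, so that one legitimate user who forgets a password is not flagged. The event records are constructed to resemble Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RemoteInteractive, i.e. RDP); the whitespace-separated field layout, the function names and the thresholds are this example's own assumptions.

```python
"""Detect automated RDP brute-force or credential-stuffing in failed-logon events.

Added example. The records below are constructed to resemble Windows Security
log Event ID 4625 (an account failed to log on) and 4624 (successful logon) with
Logon Type 10 (RemoteInteractive, i.e. RDP). The whitespace-separated layout is
a simplification for this example, not the real EVTX/XML schema; the thresholds
are assumptions to tune for your environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, target account, source IP.
# 203.0.113.7 tries six different accounts in four seconds: a password spray.
# 198.51.100.22 is a real user who mistypes once and then logs in.
SAMPLE_EVENTS = """\
2026-02-27T02:14:03 4625 10 administrator 203.0.113.7
2026-02-27T02:14:04 4625 10 admin 203.0.113.7
2026-02-27T02:14:04 4625 10 reception 203.0.113.7
2026-02-27T02:14:05 4625 10 backup 203.0.113.7
2026-02-27T02:14:06 4625 10 scanner 203.0.113.7
2026-02-27T02:14:07 4625 10 test 203.0.113.7
2026-02-27T02:14:09 4624 10 j.smith 198.51.100.22
2026-02-27T02:20:44 4625 10 j.smith 198.51.100.22
2026-02-27T02:21:10 4624 10 j.smith 198.51.100.22
2026-02-27T02:22:00 4625 10 administrator 203.0.113.7
"""


def parse_events(text):
    """Parse the simplified records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=3):
    """Return {source_ip: summary} for sources that, inside any sliding window,
    produce at least min_failures RDP logon failures against at least
    min_accounts distinct accounts. Requiring several accounts separates a
    spray from one legitimate user who forgot their password."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            accounts = {e["account"] for e in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                alerts[src] = {
                    "failures": len(in_window),
                    "accounts": sorted(accounts),
                    "first": start["ts"],
                    "last": in_window[-1]["ts"],
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, hit in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {hit['failures']} RDP failures against "
              f"{len(hit['accounts'])} accounts between {hit['first']} and {hit['last']}")
```

On a real Windows host the same fields come out of the Security log (for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`), where the source address is `IpAddress`, the account is `TargetUserName` and the type is `LogonType`. If any source in an alert is a public address, RDP is reachable from the internet, which is exactly the exposure the remote access advice later in this piece is about.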

Email is still the dominant entry point. Phishing and the credential theft it enables remain the primary way ransomware gets a foothold (Business Email Compromise is a separate fraud that grows from the same stolen credentials). An employee clicks a link in what looks like a supplier invoice, credentials are harvested, and the attacker has a starting position. SMBs rarely run security awareness training on a consistent cadence, and email filtering tools vary wildly in quality.

Backups exist but aren’t tested. This one is subtle but critical. Many small businesses do have some form of backup, often a cloud sync or an external drive. What they rarely do is test restoration, and what attackers know is that connected backups get encrypted or deleted along with everything else. If your backup is a network share or a permanently connected USB drive, it disappears alongside your data the moment ransomware runs.

The Supply Chain Angle

There’s another dimension that’s grown significantly in the last few years: supply chain targeting. SMBs are often attacked not because they’re the ultimate prize, but because they’re a pathway to a larger organisation they’re connected to.

Think about who a small business serves. A regional IT provider has access to dozens of client networks. A small law firm holds sensitive files for corporate clients. An HVAC contractor might have network access to the building management systems of the hospital they service (the 2013 Target breach began with credentials stolen from the retailer’s HVAC vendor, and attackers learned from it).

This means the risk profile of a small business depends partly on who they work with and what access those relationships create. Even if your own data isn’t intrinsically valuable, being a stepping stone to someone else’s infrastructure makes you a target.

What Attackers Are Actually After

Modern ransomware attacks don’t just encrypt your files and demand money to decrypt them. That’s the old playbook. The evolved version — which most major groups now use — is called double extortion, and sometimes triple extortion.

Double extortion: Before encrypting, attackers exfiltrate your data. They then threaten to publish it on a leak site unless you pay. Even if you restore from backup and refuse to pay for decryption, you still face the threat of sensitive client data, financial records, or employee information being posted publicly.

Triple extortion: In addition to the above, attackers contact your customers, suppliers, or regulatory bodies directly. They’ll email your clients telling them their data has been stolen from you. This maximises reputational damage and legal liability, increasing your incentive to pay.

For a small business, the reputational dimension is often more devastating than the technical one. You can rebuild from a backup. You cannot easily recover from your clients learning their data was stolen from you, or from a regulator launching an investigation into why you failed to protect personal data.

[Image: Network security diagram showing vulnerable entry points into a small business IT infrastructure]

The MSP Problem

A significant portion of SMBs outsource their IT to a Managed Service Provider. This is often the right call — you get expertise you can’t afford to hire in-house. But it introduces a specific risk that’s been heavily exploited.

MSPs typically manage dozens or hundreds of client environments from a centralised platform. If an attacker compromises the MSP’s management tooling — which has happened with platforms like Kaseya and ConnectWise — they can potentially deploy ransomware to every client simultaneously. One compromise, hundreds of victims.

If you use an MSP, the questions to ask are: How do they authenticate access to my systems? Do they use multi-factor authentication on their remote management tools? What is their incident response plan if they are compromised? How are the credentials they hold for my systems stored and protected? Most SMBs have never asked these questions of their IT provider. Most IT providers haven’t been asked.

What Actually Reduces Your Risk

The good news is that most ransomware attacks aren’t sophisticated zero-day exploits. They’re opportunistic, automated, and look for easy wins. Raising the difficulty meaningfully reduces your likelihood of being compromised, because the automation moves on to the next easier target.

Offline, tested backups. The single most important control. Your backup needs to be disconnected from your network and tested regularly for restoration. A backup you’ve never restored from is a hypothesis, not a safety net. Cloud backups with versioning help, but you need at least one copy that ransomware, and an attacker holding your administrator credentials, cannot reach to encrypt or delete.
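The restoration test this point and the earlier backups paragraph call for can be made routine rather than heroic. The following is an added example, not code from the article: at backup time it records a SHA-256 manifest of every file; to test the backup it restores the archive into a fresh scratch directory (never over the live data), hashes what came out and compares. It then runs the same check against a backup taken from a drive that stayed connected during an attack, where one file has been overwritten with ciphertext and another deleted, to show the test catching it. The directory layout, file contents and helper names (`make_backup`, `verify_restore`, `run_demo`) are constructed for the demonstration.

```python
"""Test that a backup actually restores, by manifest comparison.

Added example. At backup time we record a SHA-256 manifest of every file; to
test the backup we restore the archive into a fresh scratch directory (never
over the live data), hash what came out, and compare. The directory layout and
file contents are constructed for the demonstration; real use would point
make_backup at the live data and keep the manifest with the offline copy.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a small firm's working files.
SAMPLE_FILES = {
    "clients/ledger.csv": b"client,balance\nacme,1200.00\nbeta,340.50\n",
    "clients/contracts/acme.txt": b"Engagement letter, signed 2026-01-14\n",
    "notes.txt": b"Q1 priorities\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """{relative POSIX path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_tree(root, files):
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def make_backup(src, archive):
    """Archive src as tar.gz and return the manifest taken at backup time.
    Keep the manifest apart from the archive (with the offline copy, or
    printed), so whatever damages the backup cannot also rewrite its manifest."""
    manifest = hash_tree(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive, manifest):
    """Restore into a throwaway directory and compare against the manifest.
    Returns ok plus the lists of missing, mismatched and extra files."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths, '..' traversal and
                # device nodes, so a tampered archive cannot write outside scratch.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter= parameter
                tar.extractall(scratch)
        restored = hash_tree(scratch)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest
                        if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not missing and not mismatched,
            "missing": missing, "mismatched": mismatched, "extra": extra}


def run_demo():
    """Verify an intact backup, then one taken from a drive hit while connected."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "live"
        write_tree(live, SAMPLE_FILES)
        good_archive = work / "backup.tar.gz"
        manifest = make_backup(live, good_archive)
        good = verify_restore(good_archive, manifest)

        # Simulated damage: ransomware overwrote one file with ciphertext and
        # deleted another on the still-connected backup drive.
        damaged_files = dict(SAMPLE_FILES)
        damaged_files["clients/ledger.csv"] = b"\x8f\x12\xaa\x03 not the ledger"
        del damaged_files["notes.txt"]
        damaged_src = work / "damaged"
        write_tree(damaged_src, damaged_files)
        damaged_archive = work / "backup_damaged.tar.gz"
        with tarfile.open(damaged_archive, "w:gz") as tar:
            tar.add(damaged_src, arcname=".")
        damaged = verify_restore(damaged_archive, manifest)
        return good, damaged


if __name__ == "__main__":
    good, damaged = run_demo()
    print("intact backup:", "OK" if good["ok"] else "FAILED")
    print("damaged backup:", "OK" if damaged["ok"] else "FAILED",
          "missing", damaged["missing"], "mismatched", damaged["mismatched"])
```

The point of restoring into a scratch directory is that a restore test must never be able to harm the live data it is meant to protect; the point of keeping the manifest with the offline copy is that an attacker who can reach the backup should not be able to make it lie about itself. Run something like this on a schedule, from a copy that is normally disconnected, and the "backup that has never been restored" stops being a hypothesis.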

Multi-factor authentication everywhere. Email, VPN, remote access, cloud services — all of it. MFA doesn’t make you invulnerable, but it dramatically raises the cost of initial access for attackers using stolen credentials or brute force.

Disable RDP unless you genuinely need it. If you do need remote access, put it behind a VPN with MFA rather than exposing RDP directly to the internet. This removes you from the bulk of the automated scanning and brute-force traffic that finds exposed RDP in the first place.

Patch systematically. You don’t need enterprise patch management tooling, but you do need a process. Set up automatic updates for operating systems, check your software vendors for security bulletins, and treat “we’ll update it later” as the risk it actually is.

Email filtering with link protection. Modern email security tools analyse links at click time, not just at delivery. This matters because attackers often use legitimate file sharing services or redirect chains that look clean at delivery and only become malicious after scanning.

Know your insurance position. Cyber insurance is a real market now, and for small businesses it’s worth understanding what you’d be covered for in a ransomware event. Many policies have exclusions for poor security hygiene, so reading the policy matters. Some insurers also provide incident response services as part of coverage — that’s worth knowing before you need it.

The Reality of Recovery

Even businesses that do everything reasonably right can get hit. The question of whether to pay a ransom is one most businesses aren’t prepared to answer under pressure, so it’s worth thinking about in advance.

Law enforcement guidance in most jurisdictions is not to pay: paying funds criminal organisations and doesn’t guarantee you get your data back, and where the group is a sanctioned entity the payment itself can create legal exposure. In practice, many businesses pay anyway, often because they don’t have an alternative path to recovery and the cost of extended downtime exceeds the ransom demand. There’s no clean answer here.

What helps is having a documented incident response plan before you need it: who do you call first, what do you shut down, who in your organisation has authority to make decisions, what are your regulatory notification obligations, and how do you communicate with clients? Businesses that have thought through these questions in advance make better decisions under pressure than those that haven’t.

The Mindset Shift

The most important thing for small business owners to internalise is that the question is no longer “why would anyone target us?” but “when will they try, and how hard will it be for them?” Ransomware attacks are increasingly automated. Your business shows up in scans whether you invite attention or not.

You don’t need to build an enterprise security programme. But you do need to make your environment meaningfully harder to attack than the next business on the list. In a volume-driven criminal economy, that’s often enough.

The businesses that suffer most are the ones that waited until after the attack to take security seriously. The businesses that recover fastest are the ones that had tested backups and a rough plan. Neither of those requires a big budget — they require treating security as something you think about before the problem arrives, not after.
