Ransomware groups are once again targeting smaller businesses for more lucrative payouts

Ransomware depicted by global map in luminous black and red colour scheme to denote a threatening cyber landscape for small businesses
(Image credit: Getty Images)

Security experts have said ransomware groups are once again prioritizing attacks on smaller organizations as they look to target those with less mature security capabilities. 

Analysis from Trend Micro has shown that ransomware gangs such as LockBit, Cl0p, and Black Cat are slowing down attacks against “big game” targets, such as multinationals, and focusing their attention on smaller organizations. 

Organizations “of up to 200 employees” – those within the small-to-medium-sized range – accounted for the majority (575) of attacks using LockBit’s ransomware across H1 2023. 

Similar trends were observed with rivals in the ransomware as a service (RaaS) space, the report noted. Nearly half (45%) of Black Cat victims were in the same size range while 27% of attacks on smaller organizations were waged by Cl0p.

Cl0p remains an outlier in this sense, however. Across H1, half of all attacks attributed to the group were focused on “larger enterprises”. 

The group was responsible for the devastating GoAnywhere breach, as well as the MOVEit cyber attack earlier this year that impacted hundreds of organizations globally, including the BBC, British Airways and Boots.

The cause for this heightened focus on smaller organizations is due to a combination of factors, according to Bharat Mistry, technical director at Trend Micro. 

Speaking to ITPro, Mistry said that traditional perceptions of lax SME security practices and an inability to adequately invest in robust security capabilities is prompting an increase in attacks. 


A Cisco’s guide to log management for cybersecurity

(Image credit: Graylog)

Solve security compliance, operational, and DevOps issues with a centralized log management solution .


“The first angle to this is that there’s a perception that SMEs are not going to be fully equipped, they’re cash-strapped more than likely, and spending money on cyber technology doesn’t really add to the bottom line,” he said. “Every penny counts.”

“So, from a cyber defense and maturity point of view, they feel like easy targets to go after.”

A ‘lower entry to market’ for mid-tier or emerging groups capitalizing on ransomware as a service is also a key factor here, Mistry noted, and creating a confluence of threats for businesses. 

Why smaller organizations are being targeted with ransomware

Underlying factors in this recent surge, Mistry said, are due to current economic conditions in the West, as well as the end of a lull period across 2022 as the COVID-19 pandemic petered out. 

“I would say the pandemic has probably had a part to play, but we’re at the other side of that now,” he said. 

“The economic climate is also a big factor. When you look at the countries that are most impacted, it’s really North America, so the US and Canada, and Western Europe.

“Nowhere in the Far East. We can see they’re going after places where there’s plenty of cash, but they’re also thinking we’ve got access to resources and technology so why not have a go.”


Connor Jones headshot
Connor Jones

Over the years, ransomware groups have fluttered between targeting smaller and larger organizations, whichever appears the most lucrative type of target at the time.

To onlookers, the trend seems to flip on its head frequently and depending on which organization’s data they read.

Just three months ago, Chainalysis’ Crypto Crime report claimed ransomware actors had switched their attention to targeting larger organizations. 

The incentive is that successful attacks on big companies are likely to yield more lucrative ransom sums, with the trade-off being that larger targets are likely to have more robust and subsequently more difficult-to-evade security defenses.

Going back to a year ago, the US’ Ransomware Task Force published a report in August 2022 specifically warning small businesses of the danger of ransomware because of the number of attacks targeting them.

The Irish government also published similar warnings around the same time.

In the space of 12 months, the industry has seen ransomware actors go from prioritizing smaller targets, back to bigger ones, and back to smaller ones again.

The swift changes in approach from criminals has been evidenced since ransomware became the go-to form of cyber crime in the late 2010s, and is likely to remain in flux for the foreseeable future.

Ransomware rises across the board

Trend Micro’s research showed an 11.3% increase in the number of new RaaS groups in the first half of 2023, which now stands at 69. 

“Another factor that comes into play as well is you’ve got people who are taking an opportunistic look at it all,” he said. “If you look at some of the tools that are available right now. We see an increase in things like ransomware as a service capability. All of these things lower the entry to market. 

“So it’s not just specialized gangs like LockBit or Black Cat, but it also means that others who are mid-tier can also have a go.”

The warning from Trend Micro comes as the firm reported a 47% increase in the volume of ransomware attacks across H1 compared to the second half of 2022. 

2022 was a far quieter in terms of ransomware attacks compared to 2021, a year in which incidents reached an all-time high. 

Underlining Mistry’s comments, US-based organizations were the most-targeted by ransomware gangs across the first half of the year, accounting for 949 attacks according to Trend Micro’s data - equivalent to nearly half of all recorded incidents. 

This figure represents a 69.94% increase compared to the second half of 2022, underlining the renewed cyber security threats faced by US businesses. 

The UK and Canada were also ranked in the top three most-targeted countries, recording 132 and 88 attacks respectively. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.