Why ransomware attacks happen to small businesses – and how to stop them


Ransomware is constantly in the headlines as one of the biggest cyber threats businesses face, and it plays a part in many high-profile breaches. Attacks on big companies get particular attention, but recent analysis found ransomware groups once again targeting small businesses.

Ransomware gangs such as LockBit, Cl0p, and Black Cat are slowing down attacks against “big game” targets and focusing their attention on small and medium businesses (SMBs), according to recent analysis from Trend Micro.

Firms with up to 200 employees accounted for the majority (575) of attacks using LockBit’s ransomware across the first half of 2023, according to the security vendor’s report.

As they grapple with tight budgets and a lack of security awareness, smaller businesses are increasingly vulnerable to cyber attacks. Yet ransomware is a growing threat that’s not going to go away, so what can SMBs do about it?

The weaknesses that enable small business ransomware attacks 

SMBs’ security budgets tend to be much smaller, so they are less well protected from cyber attacks than their larger counterparts. This can leave them failing to take basic cyber security measures such as using strong passwords, implementing two-factor authentication (2FA), and patching systems.

Common weaknesses include outdated software and systems and a lack of a robust backup strategy, says Ken Barth, CEO of Catalogic Software. “Cyber resilience – which involves the ability to maintain business continuity in the face of threats – is often lacking in SMBs.” 

At the same time, many SMBs still think they’re too small to be targeted and fail to prioritize spending and board focus time on cyber security, says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. “This leaves them under-prepared and under-resourced when it comes to defending against attacks, making them the perfect target for malicious adversaries.”

Then there’s the human element. “Staff within smaller businesses may lack training and awareness of cyber threats, making them more vulnerable to phishing attempts and social engineering tactics,” says Jack Horlock, principal associate at CyXcel.

Adding to the threat, SMBs are likely to be dealing with remote or hybrid workers accessing the business network or cloud services via personal devices, says Aldridge. 

As a backdrop to this, ransomware is continuing to evolve. Approximately 29 new ransomware groups have emerged in 2023, and business models such as ransomware-as-a-service (RaaS) – in which off-the-shelf ransomware kits are sold on the dark web – lower the barrier to entry for all adversaries. “The RaaS model lowers the entry barrier for cyber criminals, while collaboration among larger extortion cartels amplifies the scale and impact of attacks,” says Barth.

Groups targeting SMBs are often financially motivated: the reward from an SMB is smaller, but an SMB is more likely to pay. Attackers may also want the specific data that the SMB processes, says Jim Perkins, security consultant at AMR Cybersecurity.

RaaS operators can also target specific sectors, regardless of business size. “Some companies may be targeted due to their work and clientele,” says Perkins.

For example, he continues, cyber security companies hold a lot of sensitive information about the defenses of several other firms. Or RaaS could be aimed at a company that provides a specific service to a larger business, as part of a supply chain attack.

Laurie Iacono, associate managing director for cyber risk at Kroll, describes a heightened focus on third-party organizations. “Smaller enterprises often rely on widely available platforms for crucial business functions, such as file sharing apps, accounting, and payroll. However, as demonstrated by the MOVEit vulnerability, the repercussions of these attacks can have a widespread and enduring impact.”

The most successful ransomware group targeting businesses is LockBit, and it attacks firms of all sizes, says Mark Stockley, senior threat researcher at Malwarebytes. “LockBit has been used to attack everything from a five-person law firm to Continental, a global company with 200,000 employees. The sobering reality for SMBs is, they are facing the same adversaries as multinational companies.”

Avoiding and mitigating small business ransomware attacks

It’s clear ransomware attacks are a growing threat to smaller firms. With this in mind, SMBs need to ensure they have “excellent IT hygiene”, up-to-date software and operating systems, and comprehensive technical defenses in place, Aldridge adds. “Additionally, they need to have a strong understanding of what needs protecting and the risks their systems and data are exposed to, so they can prioritize accordingly.”

He also advises making sure critical data is backed up and ensuring 2FA processes and strong password policies are in place.

Iacono outlines the importance of implementing password complexity rules to avoid using weak or common passwords, as well as refraining from reusing credentials. In addition, employees who can spot phishing email giveaways and grasp the ramifications of falling for one are more likely to report suspicious communications promptly, he says.
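The password advice above (complexity rules, no weak or common passwords, no credential reuse) can be turned into an automated check at the point where a password is set. The following is an added illustration, not code from the article or from Kroll; the minimum length, the three-of-four character-class rule, the breached-password sample and the password-history format are all constructed assumptions for this example.

```python
"""Password policy check: complexity rules plus weak-password and reuse screening.

Added example; the thresholds, the breached-password sample and the
history format are constructed for illustration, not taken from any vendor.
"""
import hashlib
import re
from typing import List, Optional

MIN_LENGTH = 12  # assumed policy value

# Character classes the policy looks for; at least three of the four must appear.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of a password, used only as a lookup key for the lists below."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a breached-password corpus. Kept as hashes so the
# policy code never has to carry clear-text passwords around.
_BREACHED_SAMPLE = ["password", "Password1!", "Welcome2023!", "letmein"]
BREACHED_SHA1 = {sha1_hex(p) for p in _BREACHED_SAMPLE}


def check_password(password: str, history: Optional[List[str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    `history` is a list of SHA-1 hex digests of the user's previous passwords
    (constructed format for this example) and is used to block reuse.
    """
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if len(missing) > 1:  # more than one class missing => fewer than three present
        problems.append("needs at least three of: lower, upper, digit, symbol")

    digest = sha1_hex(password)
    if digest in BREACHED_SHA1:
        problems.append("appears in the breached-password list")

    if history and digest in history:
        problems.append("reuses a previous password")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    previous = [sha1_hex("Tr0ub4dor&3-Xy")]
    for candidate in ["Password1!", "correct horse battery staple", "Tr0ub4dor&3-Xy"]:
        verdict = check_password(candidate, history=previous) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Two caveats for a real deployment: the breached-password check should run against a full corpus rather than a four-entry sample (the Have I Been Pwned Pwned Passwords service exposes one through a k-anonymity range lookup, so the password itself never leaves the machine), and the password history should be stored with a slow, salted password hash rather than the plain SHA-1 used here purely as a lookup key.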

A balanced approach SMBs should consider adopting is the "trust but verify" method, says Horlock. “For instance, when dealing with situations like business email compromise, it's acceptable to trust someone. But having a rapid and well-defined verification process, such as sending a quick text message alongside an email, can add a layer of security.”

Robust defenses are critical, but it is also essential to plan carefully how to respond when things go wrong – during and immediately following an attack, says Aldridge. “SMBs often struggle in this area due to conflicting priorities and limited resources. If you lose sensitive data, who would you need to inform and how would you do this?”

However, companies should never negotiate or pay the ransom, says Aldridge. “The danger with paying the ransom is there’s no guarantee you’ll recover the encrypted files. By paying up, you are only fueling the ransomware economy – and there is nothing to stop your organization from being targeted again in future cyber attacks.”

If ransomware payments are deemed absolutely necessary, remember that ransomware groups expect to negotiate, says Stockley. “Use a professional negotiator if you can. If you can't, as distasteful as it may be, take your time, avoid getting angry, and try to gain their trust and empathy.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.