What the Data Actually Shows
Verizon's Data Breach Investigations Report (DBIR) has put the gap in plain terms for several years running. In the most recent edition, of 12,195 confirmed breaches in the dataset, Verizon recorded 2,842 affecting SMBs and 751 affecting large organisations: nearly four times as many SMB victims as large-organisation victims. 88% of those SMB breaches involved ransomware, compared with 39% at large enterprises. Ransomware appeared in 44% of breaches overall, and the trend line has been moving up year on year.
The financial picture is bleaker for smaller organisations too. The median ransom payment sat around $115,000, and that figure doesn't include the usually larger downstream costs of downtime, recovery work, customer churn, and regulatory exposure. For a 40-person company, a single incident at that scale is often enough to end the business.
Three attack categories accounted for 96% of SMB breaches: system intrusion, social engineering, and basic web application attacks. These aren't exotic techniques. They're the baseline of the criminal ecosystem, and they work.
Why the Shift Happened
Large enterprises spent the last decade building out security operations centres, detection and response tooling, incident response retainers, and threat intelligence programmes. None of that is cheap, but it made them harder to compromise quietly. Attackers who had historically gone after big targets started to run into longer dwell times, better endpoint telemetry, and faster containment when they did get caught.
SMBs didn't make the same investments. In most cases they couldn't. Security spend at a 50-person firm has to come out of the same budget as payroll and rent, and the ROI case for a SOC at that size never made sense. The gap widened over years, and attackers noticed.
Ransomware-as-a-service changed the other side of the equation at roughly the same time. An affiliate running an attack today doesn't need custom malware or deep technical skill. They can rent access to a mature operation that provides the payload, the negotiation infrastructure, and sometimes the initial access broker. The affiliate focuses on finding and compromising targets. That industrialisation made it economical to go after smaller organisations in volume, because the marginal cost of each attack dropped.
So the shift wasn't driven by SMBs becoming more valuable. It was driven by enterprises becoming harder to hit, and smaller targets becoming cheaper to hit. The two trends compounded.
How They Get In
Sophos's 2025 Active Adversary Report found that in 56% of their incident response and managed detection cases, attackers abused valid accounts against external remote services like VPNs and firewalls, and that compromised credentials were the top root cause in 41% of cases overall. The DBIR numbers tell the same story: credential abuse accounts for 22% of initial access and vulnerability exploitation another 20%.
The pattern usually looks like one of these:
- Credentials harvested from an unrelated breach. An employee reuses a password on a third-party service that gets compromised, and the credentials end up on a combo list. Attackers try them against the company's VPN, email, or admin panels.
- Phishing for session cookies or MFA approvals. Traditional phishing is still effective, but modern kits target the session token after login to bypass MFA entirely. A single click is enough.
- Unpatched internet facing software. Admin panels, VPN appliances, remote access tools, file transfer applications. Known CVEs in popular products get scanned for constantly, and any exposed instance that's a few patches behind is a practical entry point.
Microsoft's documentation of the Storm-0501 group is a useful concrete example. They gained initial access by exploiting known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion. Once inside, they used Impacket's SecretsDump to extract credentials across the network, then reused those credentials to move laterally until they had Domain Admin access. None of that required a zero-day. It required patches that hadn't been applied and passwords that hadn't been rotated.
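The credential-reuse pattern above has a simple signature in VPN authentication logs: one source address failing against many different accounts in a short window, sometimes followed by a success. The following detector is an added example, not code from the post or from any vendor named in it; the log format and the sample lines are constructed for the example, so the regex would need adjusting for a real appliance's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (not from any real system).
# Assumed format: "<ISO timestamp> vpn auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-06-01T02:14:01Z vpn auth FAIL user=alice src=203.0.113.7
2025-06-01T02:14:02Z vpn auth FAIL user=bob src=203.0.113.7
2025-06-01T02:14:02Z vpn auth FAIL user=carol src=203.0.113.7
2025-06-01T02:14:03Z vpn auth FAIL user=dave src=203.0.113.7
2025-06-01T02:14:04Z vpn auth FAIL user=erin src=203.0.113.7
2025-06-01T02:14:05Z vpn auth OK user=frank src=203.0.113.7
2025-06-01T09:30:10Z vpn auth FAIL user=alice src=198.51.100.4
2025-06-01T09:30:40Z vpn auth OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that don't match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that fail against >= min_users distinct accounts within
    `window`, and list any account that logged in OK from that IP in the window
    (the sign that a reused password from a combo list actually worked)."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log_text)):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        for ts, _, _, _ in fails:  # slide a window starting at each failure
            end = ts + window
            users = {e[2] for e in fails if ts <= e[0] <= end}
            if len(users) >= min_users:
                hits = sorted(e[2] for e in evs if e[1] == "OK" and ts <= e[0] <= end)
                findings[src] = {"distinct_users_failed": len(users), "success_after": hits}
                break
    return findings
```

On the constructed sample, 203.0.113.7 is flagged (five accounts failed, then `frank` succeeded) while the single failed-then-successful login from 198.51.100.4 is treated as an ordinary typo.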
The MFA Problem
Multi-factor authentication is the single cheapest control available. It's free on every major identity provider, it's been table stakes at enterprises for years, and it would have stopped most of the credential abuse described above. Adoption among SMBs is still low.
A Cyber Readiness Institute study found that 65% of global SMBs don't use MFA and don't plan to implement it. Around 44% cite cost as the primary barrier, but the reality is that enabling MFA on the platforms an SMB already pays for is free. The actual barrier is attention. At a small company, security isn't anybody's full time job. Enabling MFA properly across identity providers, VPNs, SaaS accounts, and admin panels takes an afternoon, and that afternoon never quite arrives.
What Reasonable Defence Looks Like Without a SOC
The list of things that would meaningfully reduce ransomware risk for an SMB is short and boring, and the budget required is close to zero. It's still not where most smaller organisations are operating today.
- MFA on everything that matters, and move to passkeys where you can. Email, VPN, identity provider, admin panels, cloud consoles, code repositories. Start with privileged accounts and work outward. TOTP codes are better than nothing but can be intercepted by real time phishing proxies. Passkeys can't, because the private key never leaves the device and authentication is cryptographically bound to the legitimate domain. Microsoft Entra ID, Google Workspace, and Okta all support passkeys natively now. For a small org, enabling passkeys is a 2-3 week rollout: turn on the passkey authentication policy in your IdP, enrol staff on their existing laptops and phones (biometric unlock acts as the second factor), and set a sunset date for TOTP.
- EDR on every endpoint, not just antivirus. Traditional antivirus catches known malware signatures. EDR (CrowdStrike Falcon Go, Microsoft Defender for Business, SentinelOne) catches post-exploitation behaviour: credential dumping, lateral movement, ransomware encryption patterns. It can auto-isolate a compromised device in seconds. CISA's Cybersecurity Performance Goals 2.0 lists endpoint detection as a foundational control. SMB-tier EDR starts around $3-5 per endpoint per month.
- A real inventory of what's exposed externally. Most smaller organisations underestimate their external attack surface. Staging environments, forgotten subdomains, admin panels left reachable from a time when the office was smaller. You can't patch what you don't know about.
- Patching, especially for internet facing software. Automate it where you can. If automation isn't possible, put a calendar entry on someone's week and treat it like any other operational task.
- Immutable, offline backups. Ransomware operators specifically target backup infrastructure. "We run backups" isn't enough if those backups are reachable from the same network. Immutable storage (AWS S3 Object Lock, Azure immutable blob, or an air-gapped NAS with append-only snapshots) means even a compromised admin account can't delete or encrypt recovery points. Test the restore path on a schedule.
- DNS filtering. A protective DNS resolver (Cisco Umbrella, Cloudflare Gateway, DNSFilter) blocks connections to known C2 domains, phishing sites, and malware distribution infrastructure before a TCP session is established. It requires zero endpoint software, deploys in minutes via DHCP or router config, and covers every device on the network including IoT and BYOD. Some providers have free tiers for small organisations.
- Separate admin accounts from daily accounts. Staff with admin rights should have a dedicated admin account used only for privileged tasks. Never for email, never for browsing. This limits the blast radius when a user account gets compromised via phishing or credential stuffing. Pair it with just-in-time elevation (Entra PIM, or even a simple approval workflow) so standing privilege is minimal.
- Disable RDP and unused remote access. RDP exposed to the internet is still one of the top ransomware entry vectors. Audit for open ports 3389/3390, disable RDP where it's not needed, and where remote access is required, move it behind a VPN or zero trust access broker with MFA.
- Email filtering and security awareness. Filtering catches most opportunistic phishing. Training won't stop a determined attacker, but it raises the floor.
- A one page incident response plan. Most SMBs have no written IR plan. A simple runbook covering who to call (MSSP, insurer, legal), how to isolate affected systems, where backups live, and a communication template reduces chaos during an incident. CISA's StopRansomware Guide includes a step-by-step checklist. Tabletop the plan once a year.
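The passkey item above says authentication is cryptographically bound to the legitimate domain. What that means on the relying-party side is shown in this added example (not code from the post or from Entra, Google Workspace or Okta): the checks a server runs on a WebAuthn assertion before it even verifies the signature. The RP ID, origin and challenge values are assumed for the example, and the clientDataJSON and authenticatorData are constructed to the shapes a browser and authenticator produce.

```python
import base64
import hashlib
import json

# Assumed relying-party configuration (example values, not from the page).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_binding(client_data_json, authenticator_data, expected_challenge):
    """Origin / RP ID / challenge checks a relying party performs on a WebAuthn
    assertion before verifying its signature. Returns (ok, reason)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    # The browser fills in origin from the page that called the WebAuthn API,
    # so a proxy on another host cannot make it read as the legitimate site.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    # authenticatorData starts with SHA-256 of the RP ID the credential is
    # scoped to; a credential created for another domain cannot match.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "binding checks passed"

def make_client_data(origin, challenge):
    # Constructed clientDataJSON, shaped as a browser would produce it.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge), "origin": origin})

def make_auth_data(rp_id):
    # Constructed minimal authenticatorData: rpIdHash, flags (UP|UV), counter=1.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"

CHALLENGE = bytes(range(32))  # constructed; a real RP uses os.urandom(32) per login

if __name__ == "__main__":
    for label, origin, rp in [("legitimate", EXPECTED_ORIGIN, RP_ID),
                              ("proxied", "https://proxy.example.net", RP_ID),
                              ("wrong credential scope", EXPECTED_ORIGIN, "other.example")]:
        print(label, check_binding(make_client_data(origin, CHALLENGE),
                                   make_auth_data(rp), CHALLENGE))
```

A TOTP code has no equivalent of these fields, which is why a real-time proxy can relay it; the signature check that follows covers authenticatorData together with SHA-256(clientDataJSON), so the origin cannot be edited after the fact either.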
None of that requires a big team or a big budget. It requires someone to own the work and do it consistently. For a small organisation that means making security an explicit part of someone's job, not an implicit expectation of everyone's job, which usually translates to nobody's.
The Outsourcing Question
A lot of SMBs reach the same conclusion: we can't do this ourselves, so we'll pay a managed security service provider to do it for us. That can work, but the quality of MSSPs varies enormously. The good ones function as an extension of the internal team and catch real problems before they turn into incidents. The less good ones generate reports that nobody reads and send alerts to an inbox nobody watches.
A few questions worth asking before signing a contract:
- What happens when they find something? Who do they contact, how fast, and what's the expected response?
- Are their alerts routed to people who can act on them, or to a shared mailbox?
- Do they test their own detection with tabletop exercises, or only react when something happens?
- What's the escalation path on a confirmed incident, and who owns the decision to pull systems offline?
The provider's answer to the last question is often the most telling. A provider that expects you to make that decision on a Saturday night, unaided, is not really managing the risk for you.
Where Continuous External Scanning Fits
External scanning is a piece of the puzzle rather than the whole picture, but it answers a specific question that SMBs struggle with: what do I have exposed to the internet right now, and does any of it have known problems?
Most smaller organisations are surprised by the answer. Subdomains set up for a one-off project that was never decommissioned. A staging environment that was supposed to be temporary. An admin panel that was exposed for remote access when the team was four people and is now, three years later, still reachable from the internet with password only authentication. These forgotten assets are exactly what ransomware affiliates find when they do reconnaissance, and they're the entry points that turn into incidents.
Continuous external scanning means the inventory stays current automatically, and known vulnerabilities get flagged the day they become known rather than at the next quarterly review. It's the kind of work that compounds: every asset you know about is one less surprise, and every known problem is one fewer opportunity for an affiliate to reach your network the easy way. We wrote about a related pattern in the EU Commission Trivy breach and more recently in the Claude Code source map leak, both of which started with exposed assets that shouldn't have been reachable.
Putting It Together
The reason SMBs are now the primary ransomware target is unglamorous. Enterprises got harder to compromise, ransomware as a service lowered the attacker cost of going after smaller targets, and the two trends met in the middle. Smaller organisations didn't move.
The fix is also unglamorous. Passkeys, EDR, patching, immutable backups, DNS filtering, visibility into what's exposed. Some of it is free, some costs a few dollars per seat per month. All of it requires someone to own the work. The organisations that do the basics consistently aren't guaranteed to stay out of trouble, but they move themselves off the easy target list, which is most of what a ransomware affiliate cares about.
Know What's Exposed
One of the concrete things a small team can do without any dedicated security hire is get a current picture of their external attack surface. Luna's scanner maps internet facing assets, fingerprints services, and checks them against a library of 11,000+ security templates. It runs continuously, which matters because the attack surface of a growing company changes every week. See how it works.
References
- Verizon: 2025 Data Breach Investigations Report
- Verizon: 2025 DBIR SMB Snapshot (PDF)
- Infosecurity Magazine: SMBs Bearing the Brunt of Ransomware Attacks
- Fortra: Verizon 2025 DBIR Highlights
- Microsoft Security Blog: Storm-0501 Ransomware Attacks
- Cyber Readiness Institute: Slow Adoption of MFA by Global SMBs
- JumpCloud: 2025 MFA Statistics and Trends