Ransomware Is Now Targeting Small Businesses. Here's What to Do.

For years, ransomware felt like an enterprise problem. The headlines were about hospitals, city governments, and Fortune 500 companies paying millions to get their data back. Small businesses figured they were too small to bother with.

That calculus has completely changed. In 2023, ransomware attacks on businesses with fewer than 100 employees increased by 82% year-over-year. The reason is simple: small businesses are easier targets. Less security investment, less incident response capability, and often slower to patch vulnerabilities.

Why small businesses are now the primary target

The economics of ransomware shifted when attackers discovered that hitting many small targets is more profitable than hunting large ones. Large enterprises have dedicated security teams, incident response retainers, and cyber insurance that complicates payouts. Small businesses often have none of that.

The average ransom demand for small businesses is now $200,000–$500,000. The average total cost of a ransomware incident — including downtime, recovery, reputational damage, and potential regulatory fines — exceeds $1.4 million. For a 20-person business, that's existential.

How ransomware actually gets in

Most small business ransomware incidents start with one of three entry points:

• Phishing emails — an employee clicks a link or opens an attachment. This is the most common vector by far, accounting for over 40% of incidents.
• Unpatched software — attackers exploit known vulnerabilities in operating systems and applications that haven't been updated. If your systems aren't being patched regularly, you're exposed.
• Compromised credentials — username and password combinations purchased on the dark web, often from a previous breach at another service the employee used. This is why password reuse is dangerous.

The specific steps to protect your business

There's no silver bullet, but these measures reduce your risk substantially:

• Email security with phishing detection — not just spam filters. Modern email security platforms use machine learning to detect sophisticated phishing attempts that bypass traditional filters.
• Endpoint Detection and Response (EDR) — not basic antivirus. EDR monitors for behavioral indicators of compromise and can isolate an infected machine before ransomware spreads across your network.
• Multi-Factor Authentication (MFA) everywhere — especially on email, remote access tools (VPN, RDP), and any cloud applications with sensitive data.
• Regular tested backups — offline or immutable backups that ransomware can't reach or encrypt. The "tested" part matters — unrecoverable backups are as useful as no backups.
• Patch management — every device on your network, patched on a regular schedule. Not when it's convenient. On a schedule.
• Staff training — phishing simulations so employees actually know what a suspicious email looks like, not just a policy document they signed once.

What to do if you get hit

If ransomware executes: isolate the infected machines immediately (physically unplug from the network), call your IT provider, and do not pay the ransom without legal and cybersecurity counsel. Paying doesn't guarantee you get your data back, and it may create legal liability under OFAC regulations if the ransomware group is sanctioned.

Having an incident response plan before something happens matters more than having one after.