Why SMBs Have Become Ransomware's Primary Target

There is a persistent myth in small business circles that cybercriminals aren't interested in companies "our size." The logic goes: hackers go after banks, hospitals, multinationals, the kind of organisations with deep pockets and valuable data. A ten-person accounting firm or a regional manufacturer with fifty employees isn't worth the effort.

That assumption is not only wrong. It is, in 2026, actively dangerous.

The reality is almost the reverse. According to the Verizon 2025 Data Breach Investigations Report, which analysed over 22,000 security incidents and more than 12,000 confirmed breaches, ransomware was involved in 88% of all breaches affecting small and medium-sized businesses, compared to just 39% for large enterprises. SMBs are not bystanders caught in the crossfire of attacks aimed at bigger targets. They are the target.

Understanding why that shift happened, and what it means in practice, is the first step toward doing something about it.

The economics of ransomware have changed

Ransomware groups operate like businesses. They optimise for return on investment: maximum payout, minimum effort, lowest risk of getting caught or blocked. For most of the 2010s, that calculation pointed toward large enterprises, the kind of organisations whose data was valuable enough to justify the complexity of a sophisticated, targeted attack.

What changed is scale and automation. Modern ransomware campaigns no longer rely on a small team manually targeting a specific company. They run automated tools that scan millions of endpoints for known vulnerabilities, harvest credentials through phishing campaigns, and deploy ransomware across hundreds of victims simultaneously. At that scale, the economics shift dramatically.

Large enterprises are increasingly hardened targets. They have dedicated security teams, enterprise-grade tools, and the budget to maintain them. Breaking through their defences is possible, but it requires significant effort and carries real risk of early detection.

Small businesses, by contrast, often run on unpatched systems, stretched-thin IT resources, and a genuine belief that they're too small to matter. From an attacker's perspective, that combination is ideal: low resistance, low risk, and, crucially, enough at stake that the victim is likely to consider paying.

The Coveware Q1 2025 report confirms the pattern. Companies with between 11 and 100 employees accounted for nearly 30% of observed ransomware engagements, and the 101 to 1,000 employee band represented another third. Together, businesses below the 1,000-employee mark made up more than two-thirds of all ransomware victims tracked.

What an attack actually costs

When small business owners think about ransomware, they tend to think about the ransom demand itself. That number is scary enough: the median ransom payment in 2025 sat at $115,000, according to Verizon. But the ransom is often the smallest part of the bill.

Recovery costs, covering downtime, data restoration, IT labour, system rebuilding, and forensic investigation, averaged $1.53 million in 2025, excluding any ransom paid. For companies with fewer than 500 employees, IBM's Cost of a Data Breach Report puts the average total breach cost at $3.31 million. Downtime alone runs approximately $53,000 per hour.

Beyond the immediate financial damage, the tail is long. Research from IBM suggests that 47% of breach costs land in the first year, but 29% materialise in the second, and 24% persist beyond that, through regulatory fines, legal proceedings, and the slower erosion of client trust.

The survival statistics are stark. According to StrongDM's 2025 survey, 75% of SMBs say they could not continue operating if hit with ransomware. The Identity Theft Resource Center's 2025 Business Impact Report found that 62.5% of small business victims reported a total financial impact exceeding $250,000, a number that many small businesses simply cannot absorb.

Prevention, by comparison, costs between $5,000 and $15,000 per year for a typical small business. That makes it 50 to 60 times cheaper than recovering from a single incident.

Why small businesses are structurally vulnerable

The targeting isn't random. Cybercriminals go where the resistance is weakest, and small businesses present a specific combination of vulnerabilities that makes them consistently attractive targets.

Unpatched systems. Exploited vulnerabilities were the number one technical cause of ransomware for the third consecutive year in 2025, according to multiple sources. The median time between a vulnerability being disclosed and a small business patching it sits at 32 days, a window that attackers are well-practised at exploiting.

Compromised credentials. Phishing remains the entry point of choice, accounting for roughly a third of all SMB breaches. AI-generated phishing emails, which cost 95% less to produce than traditional campaigns and achieve open rates five to six times higher, have made this vector dramatically more dangerous in the past two years.

No dedicated security staff. According to StrongDM, 47% of businesses with fewer than 50 employees allocate zero cybersecurity budget. Without someone whose job it is to monitor, patch, and respond, gaps accumulate quietly until an attacker finds them.

Backups that aren't actually safe. A common misconception is that having backups makes a ransomware attack recoverable. In practice, 96% of ransomware attacks now target backup locations specifically, according to VikingCloud, precisely because attackers know that intact backups eliminate extortion leverage. If backups are connected to the same network as production systems, they are often encrypted along with everything else.

Double extortion. Modern ransomware rarely stops at encryption. In 87% of attacks in 2025, attackers also exfiltrated data before deploying the payload. That creates a second pressure point: even if a business can restore its systems from clean backups, attackers threaten to publish or sell the stolen data unless a ransom is paid. This tactic is particularly effective against professional services firms, healthcare providers, or any business that handles sensitive client information.

What actually reduces the risk

The good news, and there is good news, is that the most effective defences against ransomware are not particularly exotic or expensive. The businesses that recover fastest, or avoid incidents altogether, tend to have implemented the same set of fundamentals.

Keep systems patched. Over a third of ransomware incidents in 2025 started with an unpatched vulnerability. Staying current on software updates closes the most common technical entry point before attackers can use it.

Enable multi-factor authentication. Compromised credentials are the second most common entry point. MFA does not prevent credential theft, but it makes stolen passwords dramatically less useful: an attacker with a username and password still cannot log in without the second factor.

Train staff to recognise phishing. The human element remains the most exploited vector. Employees are either the first line of defence or the easiest way in. Regular, practical training, not a once-a-year slide deck, makes a measurable difference.

Maintain offline backups. Specifically, backups that are not reachable from the main network. A tested 3-2-1 backup strategy (three copies of the data, on two different media types, with one stored offsite or offline) costs under $500 per year to implement and eliminates the core of an attacker's extortion leverage.
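The 3-2-1 rule, and the "backups reachable from the production network" failure described above, are easy to state and easy to drift away from. The script below is an added example, not part of this article and not Bakbit's own tooling: it audits a small backup inventory for three copies, two media types, at least one copy that ransomware on the production network cannot reach, and a recent successful restore test. The `BackupCopy` record and both sample inventories are constructed for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule.

Added example, not part of the original article or Bakbit's own tooling.
The BackupCopy record and the sample inventories below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "cloud-object-store"
    offsite: bool               # held at a different physical or logical site
    network_reachable: bool     # a host on the production network can write to or delete it
    is_primary: bool = False    # the live data itself counts as copy one
    last_restore_test: Optional[date] = None  # last successful test restore, if any


def audit_321(copies: List[BackupCopy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the set passes."""
    findings = []

    # "3": at least three copies, counting the production data as one of them.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need at least 3")

    # "2": at least two distinct media types across all copies.
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(sorted(media))})")

    # "1": at least one backup copy that malware running on the production
    # network cannot encrypt or delete, because it is offline or offsite.
    backups = [c for c in copies if not c.is_primary]
    isolated = [c for c in backups if c.offsite or not c.network_reachable]
    if not isolated:
        findings.append("no backup copy is offline or offsite; all share the production network")

    # "Tested": a backup nobody has restored from is an assumption, not a plan.
    tested = [
        c for c in backups
        if c.last_restore_test is not None
        and (today - c.last_restore_test).days <= max_test_age_days
    ]
    if not tested:
        findings.append(f"no backup copy has a successful restore test within {max_test_age_days} days")

    return findings


# Constructed sample: the common SMB setup, where the only backup sits on a
# NAS share reachable from the same network as the file server.
TODAY = date(2026, 3, 1)
SAME_NETWORK_ONLY = [
    BackupCopy("file-server", "disk", offsite=False, network_reachable=True, is_primary=True),
    BackupCopy("nas-nightly", "disk", offsite=False, network_reachable=True,
               last_restore_test=date(2025, 6, 10)),
]

# Constructed sample: a compliant set with an immutable offsite cloud copy
# (not deletable with production credentials) and a rotated offline disk,
# both restore-tested within the last 90 days.
THREE_TWO_ONE = [
    BackupCopy("file-server", "disk", offsite=False, network_reachable=True, is_primary=True),
    BackupCopy("cloud-immutable", "cloud-object-store", offsite=True, network_reachable=False,
               last_restore_test=date(2026, 2, 20)),
    BackupCopy("rotated-usb-disk", "disk", offsite=False, network_reachable=False,
               last_restore_test=date(2026, 2, 1)),
]

if __name__ == "__main__":
    for label, inventory in (("same-network-only", SAME_NETWORK_ONLY), ("3-2-1", THREE_TWO_ONE)):
        result = audit_321(inventory, TODAY)
        print(label, "PASS" if not result else "FAIL")
        for finding in result:
            print("  -", finding)
```

Run as-is and the first inventory fails on all four checks while the second passes. The restore-test check is deliberately part of the audit: the article's word is "tested", and an untested backup gives no confidence that restoration will work when the network is already encrypted.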

Have an incident response plan. Most small businesses have no documented plan for what to do if an attack occurs. That absence turns a manageable incident into a chaotic one, where delays in isolation and response dramatically increase total damage.

None of this requires a large IT team or an enterprise security budget. It requires consistency, and a clear understanding that the question for most small businesses is no longer whether they will be targeted but whether they will be prepared when it happens.

In summary

The idea that ransomware is someone else's problem, reserved for corporations and government agencies, has been decisively overtaken by events. With 88% of SMB breaches now involving ransomware, with recovery costs that can reach seven figures, and with attacks accelerating rather than slowing down, small and medium-sized businesses cannot afford to treat cybersecurity as an optional extra.

The right tools, properly configured and consistently maintained, change the equation. Bakbit's suite is built for businesses that need real IT infrastructure without the complexity and cost of enterprise-grade solutions, so that the fundamentals are in place before an attacker comes looking for gaps.

Want to understand where your current setup stands and what the priority gaps are? The Bakbit team can help you take stock and put the right protections in place.