Is Your Business Safe from Ransomware?
How ransomware works, why SMEs get hammered, and how you protect your business before things go horribly wrong
Ransomware attacks are surging, affecting businesses of all sizes. Research suggests small and medium enterprises (SMEs) face risks just as often as larger ones, with many incidents going unreported to avoid reputational damage. It seems likely that underreporting hides the true scale, making prevention essential for everyone.
Key points:
• What makes ransomware so dangerous? Ransomware encrypts files or locks systems, demanding cryptocurrency payments. It often starts via phishing or weak software, with attackers stealing data for extra leverage. While big cases make headlines, smaller ones quietly devastate SMEs.
• Why should SMEs worry? Small businesses aren’t immune—they’re often easier targets with fewer defences. Underreporting means the problem appears smaller than it is, but real-world data shows frequent hits.
• Quick steps to protect your business: Start with basics: train staff, update software, and back up data offline. More on this below.
Ransomware represents a major cyber threat where malware locks or encrypts data, demanding ransoms for access. Emerging prominently with variants like CryptoLocker in 2013, it has become a sophisticated operation. Attackers use phishing emails (up 1,265% with AI aid), exploit kits, or vulnerable software to infiltrate. Once inside, it spreads, encrypts files, and leaves ransom notes. Variants include encryptors (e.g., LockBit), screen lockers, and scareware. In 2025, Ransomware-as-a-Service (RaaS) allows even novices to launch attacks, democratising the threat.
Victims must choose: Pay (which funds crime and doesn’t guarantee recovery) or restore independently, often costing more in downtime. Globally, 59% of organisations faced attacks in 2024, hitting sectors like healthcare and education hardest due to sensitive data. But SMEs suffer too—82% of attacks target firms with under 1,000 employees, and 13% of small/medium businesses were hit last year. Many go unreported to avoid stigma, understating the issue.
The threat escalated from 304 million global attempts in 2020 to 623 million in 2021, stabilising at 493 million in 2022 with better defenses. Daily attacks rose from 4,000 in 2023 to 4,400 in 2024, projected at 11,000 in 2025—a 3,500% frequency jump over five years. Attacks increased 20% in 2025 alone, with 264% growth over five years.
Costs ballooned: Average payments from £237,000 in 2020 to £2.08 million in 2024, projected at £2.44 million in 2025. Median payments rose from £59,000 to £1.52 million. Total damages: £69.3 billion in 2024 to £87.5 billion in 2025, or £1,827 per second in estimates. Payment rates dropped from 85% to 35%, as 97% recover without paying via backups. Recovery averages £1.41 million and 24 days downtime.
The World Economic Forum reports that 45% of respondents rank it as the top cyber risk for 2025, with AI (66% expect an impact) and supply chains driving growth. The FBI reported 3,156 complaints in 2024 (up 11.7%), with payments of £619.27 million. By 2025, damages could hit £43.4 billion annually—or £119 million daily.
Sector trends: education saw 180 attacks in early 2025 (up 6%) and healthcare 378 victims (up from 282 in 2024); 72% of respondents report higher risk.
The table below summarises metrics (in GBP, 1 USD ≈ £0.7612 as of Nov 19, 2025):
| Year | Global Attack Volume | Average Ransom Payment | Median Payment | Payment Rate | Total Damages |
|---|---|---|---|---|---|
| 2020 | 304 million attempts | £237,000 | £59,000 | 76% | £15.2 billion |
| 2021 | 623 million attempts | £434,000 | £107,000 | 85% | £43.4 billion |
| 2022 | 493 million attempts | £618,000 | £152,000 | 68% | £32.0 billion |
| 2023 | 4,000 daily attacks | £1.41 million | £304,000 | 59% | £57.1 billion |
| 2024 | 4,400 daily attacks | £2.08 million | £1.52 million | 49% | £69.3 billion |
| 2025 (proj) | 11,000 daily attacks | £2.44 million | £1.90 million | 35% | £87.5 billion |
The chart illustrates cumulative victims, projecting a 53% increase by the end of 2025 and underscoring the escalating problem.
SMEs aren’t just collateral—they’re often primary targets. 82% of attacks hit companies under 1,000 employees, seen as having weaker defenses and quicker to pay. 75% of SMBs couldn’t operate post-ransomware, with only 17% insured. 60% close within six months of major attacks.
Underreporting amplifies this: Businesses hide incidents to protect reputation, but 69% of payers face repeat attacks. 87% involve data theft, 85% encryption. Phishing (42% of breaches) and AI-powered threats like RaaS make SMEs easy prey.
Act swiftly to minimise damage:
Identify variants early (e.g., ID Ransomware) and assume data theft.
Prevention for SMEs emphasises affordable, layered defenses.
Declining payment rates show these work, but stay vigilant.
Prioritise the basics for SMEs: train staff, update everything, and back up offline. Layer on MFA, antivirus and a simple recovery plan. Remember, 75% couldn’t survive without preparation—act now to avoid hidden threats.

Ransomware attacks on small and medium enterprises (SMEs) represent a pervasive and escalating threat in the cybersecurity landscape. These are often overshadowed by high-profile incidents at large corporations.
While big businesses make headlines, data from 2025 reveals that SMEs are disproportionately affected. 82% of ransomware incidents target firms with fewer than 1,000 employees.
This vulnerability stems from limited resources and inadequate cybersecurity measures. There’s also the misconception that small size equates to low risk.
In reality, attackers exploit these gaps using sophisticated tools like AI-enhanced phishing and Ransomware-as-a-Service (RaaS). This has led to a 264% rise in incidents over five years.
Underreporting exacerbates the issue. Many SMEs avoid public disclosure to protect their reputation. But this silence allows threats to persist—69% of payers face repeat attacks.
Global trends in 2025 show ransomware evolving beyond encryption. It now includes data exfiltration in 87% of cases, adding extortion layers by threatening leaks.
For SMEs, the financial toll is severe. Average recovery costs reach £1.41 million per incident. Downtime averages 24 days, with total damages potentially hitting £87.5 billion globally.
Sectors such as healthcare, education, and professional services are particularly vulnerable. This is due to the value of their data.
For instance, 75% of SMBs report they couldn’t survive a major hit. Only 17% carry cyber insurance.
The Verizon 2025 Data Breach Investigations Report (DBIR) highlights that SMBs are targeted nearly four times more than large organisations. Ransomware features in a growing proportion of breaches.
Ransomware poses a significant threat to SMEs. Evidence suggests they are targeted as frequently as larger organisations, if not more so, due to perceived weaker defences.
Research indicates that 82% of ransomware attacks hit companies with fewer than 1,000 employees. Many incidents go unreported to avoid reputational harm.
In 2025, SMBs have been hit nearly four times more often than large firms. Ransomware is present in a rising number of breaches.
SMEs often face devastating impacts, including operational shutdowns, data loss, and financial strain. 60% close within six months of a major attack.
Underreporting is common, as businesses fear publicity. But this hides the true scale—69% of those who pay get hit again.
Small businesses typically lack robust cybersecurity resources. This makes them attractive to attackers using tools like Ransomware-as-a-Service (RaaS).
Phishing, which surged 1,265% with AI assistance, accounts for 42% of breaches.
Many SMEs operate under the myth that they’re “too small to target”. This leads to inadequate training and backups.
Attacks can encrypt files, steal data for extortion, and cause downtime averaging 24 days.
Recovery costs average £1.41 million, with only 17% of SMEs insured.
Sectors like healthcare, education, and professional services are hit hard due to sensitive data.
Real-world examples illustrate the risks. Below is a table summarising key ransomware case studies involving SMEs or small businesses from recent years, including 2025.
These examples draw from documented incidents. They focus on impact, demands, outcomes, and lessons.
Note that many cases involve underreporting, so the full scope may be larger.
| Case Study | Year | Company/Sector | Attack Details | Impact | Ransom Demanded | Outcome | Lessons Learned |
|---|---|---|---|---|---|---|---|
| DEphoto | 2024/2025 | UK Photography (SME) | Data theft via ransomware, including credit cards and private photos. | Affected 555,952 customers; risk of identity theft and photo leaks. | £45,672 ($60,000) | Data stolen for extortion; no payment confirmation. | Secure customer data storage; avoid storing sensitive info without encryption; regular backups essential. |
| Peter Green Chilled | May 2025 | UK Logistics (SME) | Scattered Spider ransomware disrupted operations. | Halted refrigerated goods supply to supermarkets like Tesco, Aldi; supply chain ripple effects. | Not specified | Operations disrupted; no payment details. | Strengthen supply chain security; segment networks to limit spread; monitor for anomalies. |
| Synnovis | May 2025 | UK Pathology Services (Potential SME) | Qilin ransomware leaked health data. | Exposed STI and cancer test results; patients uninformed for months. | Not specified | Data leaked; no payment. | Prioritise patient data protection; comply with notification laws; use immutable backups. |
| Dental Practices | 2019 | US Healthcare (Multiple SMEs) | Ransomware via shared backup service encrypted files. | Over 400 offices disrupted; patient care halted. | Varied, but paid in many cases | Faulty decryption keys; partial recovery. | Vet third-party vendors; implement multi-layered backups; train on phishing. |
| K-12 Schools (e.g., Granite School District) | 2023 | US Education (SMEs) | Ransomware locked systems and data. | Disrupted classes; data theft threats. | £1.14 million ($1.5M) for Granite | Some paid; ongoing recovery. | Secure educational networks; regular patches; cyber insurance for schools. |
| Shenango Area School District | 2023 | US Education (SME) | Similar encryption and extortion. | Operational halt; student data at risk. | £0.99 million ($1.3M) | Recovery via backups where possible. | Emphasise employee training; Zero Trust models. |
| Tri-City College Prep High School | 2023 | US Education (SME) | Data encryption and leak threats. | Educational disruptions. | £76,120 ($100,000) | Partial payment in some cases. | Affordable cybersecurity tools for small institutions. |
| Law Firms (e.g., Grubman Shire Meiselas & Sacks) | 2020 | US Legal (SME) | REvil ransomware stole client data. | Threatened celebrity data leaks. | £31.98 million ($42M) doubled from initial | Paid to prevent leaks; lawsuits followed. | Protect client confidentiality; MFA and encryption critical. |
These cases show a common pattern: entry via phishing or unpatched vulnerabilities, followed by encryption and extortion.
In healthcare, like the dental and Synnovis examples, sensitive data amplifies risks. This can lead to regulatory fines.
Education SMEs, as in school districts, face budget constraints. This makes recovery challenging.
Logistics like Peter Green show interconnected vulnerabilities. These affect larger chains.
Prevention involves layered defences like backups, training, and MFA. 97% recover without paying via clean backups.
Cyber insurance, held by only 17% of SMEs, can mitigate costs.
Recovery follows steps like isolation, reporting, and restoration.
Ransomware is malware that sneaks into your systems, encrypts your files and demands money to unlock them. Modern attacks usually lurk quietly first, mapping your network, finding your backups, stealing passwords and waiting for the perfect moment to hit. Once it triggers, everything locks at once and your business stops dead.
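The answer above describes the moment the attack triggers: files that were readable a minute ago are suddenly ciphertext. Encrypted output looks like random bytes, so one cheap defender-side signal is a burst of files whose contents jump to near-maximal Shannon entropy, usually with an unfamiliar extension. The script below is an added example written for this article, not code from the original page or any vendor; it builds a constructed sample directory (a few plain-text notes plus files overwritten with pseudo-random bytes and a ".locked" suffix), scores every file, and raises an alert when the share of high-entropy files crosses a threshold. The thresholds, the ".locked" extension and the file names are assumptions chosen for the demonstration.

```python
"""Added example: spotting bulk encryption in progress by file entropy.

Encrypted files look like random bytes (entropy close to 8 bits/byte),
while documents, spreadsheets and source code sit far lower.  A sudden
burst of high-entropy files with an unfamiliar extension is therefore a
useful signal that ransomware has triggered.  Thresholds and the sample
data below are constructed for the demonstration.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Entropy at or above this (maximum is 8 bits/byte) counts as "looks
# encrypted or compressed".  English text is typically around 4-5 bits.
HIGH_ENTROPY_BITS = 7.0
# Alert when at least this fraction of files in a directory look encrypted.
ALERT_RATIO = 0.5
# Formats that are legitimately compressed/encrypted and should not count.
KNOWN_HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    length = len(data)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the first `sample_size` bytes are high-entropy and the
    extension is not one that is expected to be compressed/encrypted."""
    if path.suffix.lower() in KNOWN_HIGH_ENTROPY_EXT:
        return False
    with path.open("rb") as fh:
        sample = fh.read(sample_size)
    return shannon_entropy(sample) >= HIGH_ENTROPY_BITS


def scan_directory(root: Path) -> dict:
    """Score every regular file under `root` and summarise the result."""
    files = [p for p in root.rglob("*") if p.is_file()]
    suspicious = [p for p in files if looks_encrypted(p)]
    # Unfamiliar extensions appearing in bulk are a second, cheap signal.
    ext_counts = Counter(p.suffix.lower() for p in suspicious)
    ratio = len(suspicious) / len(files) if files else 0.0
    return {
        "total_files": len(files),
        "suspicious_files": len(suspicious),
        "suspicious_ratio": ratio,
        "suspicious_extensions": dict(ext_counts),
        "alert": ratio >= ALERT_RATIO,
    }


def build_sample_directory(root: Path, plaintext: int = 4, encrypted: int = 6) -> None:
    """Constructed sample: a few readable documents plus a larger number of
    files overwritten with pseudo-random bytes and renamed with ".locked",
    mimicking the aftermath of bulk encryption."""
    rng = random.Random(2025)  # fixed seed so the demo is reproducible
    text = ("Invoice 1042 for consulting services rendered in March. "
            "Payment due within 30 days. Thank you for your business.\n") * 40
    for i in range(plaintext):
        (root / f"notes_{i}.txt").write_bytes(text.encode())
    for i in range(encrypted):
        (root / f"contract_{i}.docx.locked").write_bytes(rng.randbytes(4096))


def demo() -> dict:
    """Build the constructed sample in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_directory(root)
        return scan_directory(root)


if __name__ == "__main__":
    result = demo()
    print(result)
    if result["alert"]:
        print("ALERT: bulk high-entropy writes detected; isolate the host and check backups")
```

Run as-is it scans the constructed sample; pointed at a real share it would be scheduled or wired to a file-change watcher, and the ratio threshold tuned per directory, since a folder of genuine archives will legitimately score high.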
2. How common are ransomware attacks on small businesses?
Ridiculously common. Attackers use bots that scan the internet for weak systems, out-of-date software and terrible passwords. They don’t pick targets manually any more. If your business has a vulnerability, the bots find it and deploy the attack automatically.
3. Why do most SME ransomware attacks stay quiet?
Because businesses panic about reputational damage. They don’t want clients knowing they clicked a dodgy link or skipped updates. But when a business pays quietly, attackers share the details so other groups can target them again.
4. What are the real costs of a ransomware attack?
The ransom is the smallest part. The real costs include:
• downtime
• emergency IT work
• lost sales
• lost client trust
• data recovery
• legal fees
• possible ICO trouble
• long-term reputation damage
Recovery for a UK SME often ends up over £1 million once everything is counted.
5. Should I ever pay the ransom?
No. Paying doesn’t guarantee anything. Some attackers vanish, some ask for more, some send broken keys. Worst of all, paying makes you a repeat target.
6. How has AI made ransomware worse?
AI lets attackers:
• write convincing phishing emails
• clone voices
• build fake login pages
• automate malware writing
• scan networks faster
• customise attacks for specific industries
Even non-technical criminals can now run high-level attacks.
7. What is Ransomware-as-a-Service (RaaS)?
It’s the subscription model for criminals. They rent ransomware kits, dashboards, payment portals and instructions. Anyone with a laptop can run an attack. This is why attack volume has exploded.
8. Do backups actually protect you?
Yes, but only if they’re done properly. Backups must be:
• recent
• isolated
• clean
• tested regularly
Attackers often target backups first. If your backups are connected to your live network, they’re useless.
9. Is cyber insurance worth having?
Yes, but insurers expect you to have basic protections in place. This usually means MFA, updates, proper backups and a simple recovery plan. Cyber insurance can save your business financially after a major hit.
10. What should I do immediately if I’m hit by ransomware?
Do this right away:
11. Can free security tools really prevent ransomware?
Yes. Most attacks succeed because of simple mistakes like outdated software or weak passwords. Free tools and built-in protections go a long way if you use them correctly.
12. How often should I test my backups?
At least quarterly. Preferably with a full mini recovery drill. A backup you’ve never tested is not a backup.
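Questions 8 and 12 above set the bar: a backup counts only if it is recent, isolated, clean and tested, and a backup you have never restored from is not a backup. The script below is an added example written for this article, not code from the original page or any backup product; it shows the mechanics of the "recent", "clean" and "tested" parts. It writes a SHA-256 manifest alongside a backup set, checks the set's age against a freshness window, re-hashes every file against the manifest to catch tampering or bit rot, and performs a trial restore into a scratch directory that is compared byte-for-byte. The directory layout, the 7-day window and the manifest file name are assumptions chosen for the demonstration. "Isolated" (offline or immutable storage) is a property of where the copy lives and is not something a script on the live network can prove.

```python
"""Added example: verifying that a backup set is recent, clean and restorable.

A manifest of SHA-256 digests is written next to the backup when it is
taken.  Verification then checks three things the article asks for:
  recent     - the set was created inside the freshness window
  clean      - every recorded file still hashes identically, nothing extra
  restorable - a trial restore to scratch space reproduces the manifest
File names, the one-week window and the sample data are constructed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional, Tuple

MANIFEST_NAME = "MANIFEST.json"   # assumed name for the digest list
MAX_AGE_SECONDS = 7 * 24 * 3600   # assumed freshness window: one week


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_in(backup_dir: Path) -> dict:
    """Map relative path -> digest for every file in the set except the manifest."""
    return {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> Path:
    """Record a digest for every file in the backup set plus a creation time."""
    manifest = {"created": time.time(), "files": _files_in(backup_dir)}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> dict:
    """Return recent/clean/restorable flags plus a list of problems found."""
    now = time.time() if now is None else now
    problems = []
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]

    # Recent: created inside the freshness window.
    age = now - manifest["created"]
    recent = age <= MAX_AGE_SECONDS
    if not recent:
        problems.append(f"backup is {age / 86400:.1f} days old")

    # Clean: every recorded file present with the same digest, nothing extra.
    actual = _files_in(backup_dir)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(set(actual) - set(expected)):
        problems.append(f"unexpected file: {rel}")
    clean = not any(p.startswith(("missing", "hash mismatch", "unexpected"))
                    for p in problems)

    # Tested: restore to scratch space and compare the restored bytes back.
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch) / "restore"
        shutil.copytree(backup_dir, restore_root,
                        ignore=shutil.ignore_patterns(MANIFEST_NAME))
        restored = _files_in(restore_root)
        restorable = all(restored.get(rel) == digest for rel, digest in expected.items())
    if not restorable:
        problems.append("trial restore did not reproduce the manifest")

    return {"recent": recent, "clean": clean, "restorable": restorable,
            "ok": recent and clean and restorable, "problems": problems}


def demo() -> Tuple[dict, dict]:
    """Constructed sample: a good backup, then the same set after one file is
    silently altered and the set has aged 30 days past the window."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2025-11-19"   # constructed set name
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2025-11-01,120.00\n")
        (backup / "clients.txt").write_text("Acme Ltd\nBeta Plc\n")
        write_manifest(backup)
        good = verify_backup(backup)

        (backup / "clients.txt").write_text("Acme Ltd\nBeta Plc\nMALLORY\n")  # tampered
        stale = verify_backup(backup, now=time.time() + 30 * 86400)
        return good, stale


if __name__ == "__main__":
    good, stale = demo()
    print("fresh backup:", good)
    print("tampered, 30 days later:", stale)
```

The quarterly drill the answer recommends is the `restorable` step run against the real offline copy, by a person who then actually opens a few restored documents; the manifest check is what turns "we have a backup" into "we have a backup that still matches what we saved".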
13. Is phishing still the main way attackers get in?
Yes. Phishing is behind nearly half of all ransomware infections. One click on a fake invoice or login screen is all it takes.
14. Are phones and tablets a security risk for SMEs?
Absolutely. Phones contain emails, MFA codes, passwords and cloud access. One compromised phone can expose your whole system.
15. How do I create a simple incident response plan?
You don’t need a huge document. Just a clear checklist covering:
• who isolates systems
• who contacts IT
• how to communicate if email is down
• who handles client communication
• where backups are stored
• the order of recovery steps
Run a practice drill once or twice a year.
16. What is double extortion ransomware?
Attackers steal your data first, then encrypt everything. They demand payment to stop them leaking your files. This is now the standard model.
17. What is triple extortion ransomware?
They steal your data, encrypt your systems and then contact your customers directly to pressure you. “Your provider won’t pay, your data is at risk.” Nasty stuff.
18. Are Macs and cloud systems safe from ransomware?
No. Macs get hit too. Cloud systems are safer than on-site servers, but if attackers get your login, they can encrypt or delete cloud files.
19. How do attackers choose their targets?
They don’t. Bots do the work. They scan the internet for:
• old software
• weak passwords
• open ports
• unprotected remote desktops
If your system looks weak, the bot deploys the attack instantly.
20. Which industries are targeted the most?
Attackers love businesses with sensitive data and tight deadlines.
Big targets include:
• dental practices
• accountants
• solicitors
• clinics
• schools
• trades businesses
• construction firms
• ecommerce shops
21. What are the different types of ransomware demands?
This is where it gets messy. Ransomware isn’t just “pay to unlock your files”. Criminals use a mix of threats.
Here are the main ones:
21.1 Encrypt and lock your files
The classic version of ransomware.
21.2 Lock your entire device
You can’t access anything. Just a ransom screen.
21.3 Steal your data and threaten to publish it
The modern standard.
21.4 Steal your data and contact your customers
They embarrass you into paying.
21.5 Threaten to destroy your servers
Countdown timers and panic tactics.
21.6 Threaten to leak internal emails
Great for scaring businesses that worry about reputation.
21.7 Leak staff records or payroll files
Including addresses, ID docs and salaries.
21.8 Sell your data on the dark web
The whole lot goes up for auction.
21.9 Threaten to report you to the ICO
Regulatory fear works very well on SMEs.
21.10 Leak supplier contracts or pricing
Hits your commercial relationships.
21.11 Wiper ransomware
Pretends to be ransomware but wipes everything for good.
21.12 Ransomware plus DDoS attack
Systems encrypted, website crashed at the same time.
21.13 Website takeover
Your entire site is replaced with a ransom page.
21.14 Cloud account encryption
Google Drive, OneDrive and Dropbox locked.
21.15 Backup server targeting
Attackers hit backups first so you can’t recover.
21.16 Credential theft plus encryption
They steal passwords before locking your systems.
21.17 Silent ransomware
Attackers hide for weeks before triggering the ransom.
Ransomware is not some distant problem for big corporations; it is hitting small businesses every single day. Most of the damage isn’t caused by the encryption itself; it is caused by downtime, panic, lost clients, legal headaches and the sheer chaos that follows when you realise your backups don’t actually work the way you thought they did.
The good news is that most ransomware attacks are completely preventable with a handful of simple steps like MFA, updates, isolated backups and basic staff training. Once you understand how attackers target SMEs and the tricks they use to pressure you into paying, you’re already halfway to being a much harder target.
If you’ve read this far, you’re ahead of most businesses already.
If you want to protect your business properly, get in touch and we’ll walk you through it.
Whether you want a quick consultation, a full review of your current setup or our practical Cyber Security Checklist that shows you exactly what to fix first, reach out and we’ll get you sorted.
No pressure, no jargon, just a clear plan that keeps your business safe and running.
You can message us any time to get started.