Ransomware: How SMBs can build resilience against this growing business buster


Once considered a problem primarily for large enterprises and government agencies, ransomware has evolved into an equal-opportunity menace. No sector, geography, or business size is immune.

For small and medium-sized businesses (SMBs), the impact of a ransomware attack can be especially catastrophic. With limited IT resources, minimal in-house security expertise, and tight margins, SMBs often lack the defences needed to fend off or recover from an attack, making them ideal targets for cybercriminals.


What is Ransomware?

At its core, ransomware is a form of malware designed to deny access to systems, data, or devices until a ransom is paid. The attacker typically encrypts critical files or locks down IT infrastructure, then demands payment, often in cryptocurrency, to provide a decryption key or unlock mechanism.

Ransomware attacks can be launched in minutes and bring entire organisations to a standstill. Victims are faced with an impossible choice: pay up and hope for a resolution, or refuse and face prolonged downtime, data loss, reputational damage, and regulatory consequences.

Why Is It So Dangerous?

  • Immediate disruption of operations
  • High ransom demands (often six or seven figures)
  • Irretrievable data loss (if backups are inadequate or compromised)
  • Exfiltration and extortion (increasingly, attackers also steal data and threaten to leak it)
  • Reputational harm and loss of customer trust
  • Compliance violations (particularly under GDPR)

For SMBs, even a modest ransomware event can spiral into a business-ending crisis.


Types of Ransomware

Not all ransomware behaves the same way.

Crypto Ransomware

Encrypts a victim’s files, rendering them unusable until a ransom is paid. This is the most common form of ransomware.

Examples: WannaCry, Locky, CryptoLocker

Locker Ransomware

Locks users out of their systems or devices entirely, often displaying a full-screen ransom note that prevents any further interaction. Lockers can be particularly effective against industrial and OT environments: the underlying data and configuration are left intact, so paying to regain access gets production lines moving again quickly. Encrypting or destroying an OT system outright, by contrast, would leave the victim no worse off than rebuilding it from scratch, which removes the incentive to pay.

Scareware

Mimics ransomware but doesn’t actually encrypt files. Instead, it bombards the user with fake warnings or alerts to extort payment.

Examples: Fake antivirus software demanding a “clean-up fee”

Doxware / Leakware

Threatens to leak sensitive or embarrassing data unless a ransom is paid, and so depends on prior data exfiltration. It is frequently combined with file encryption in a ‘double extortion’ tactic: the victim is pressured to pay either to regain access to systems or to stop stolen data being published, with the attendant reputational, legal and regulatory consequences.

Examples: REvil, Maze

Human-Operated Ransomware

Unlike automated attacks, these are hands-on intrusions: attackers gain a foothold, move laterally across the network, escalate privileges, locate and disable backups, and only then deploy the ransomware, often after days or weeks of reconnaissance. They are typically sustained campaigns by well-resourced groups and combine multiple pressure tactics, such as encryption plus data exfiltration for ‘double extortion’ and the gradual public release of stolen data to ratchet up the pressure to pay.

Examples: Ryuk, Conti, BlackCat


How Ransomware is Delivered

Attackers use a range of methods to deploy ransomware. These are the most common delivery mechanisms SMBs need to defend against:

1. Phishing Emails

The most frequent entry point. These emails trick users into clicking malicious links or opening infected attachments (e.g., PDFs, Word documents with macros).

2. Exposed Remote Desktop Protocol (RDP)

Attackers scan the internet for RDP services exposed directly to the internet and brute-force or password-spray their way in, or simply log in with credentials bought from an initial access broker. RDP should not be internet-facing at all; where remote access is genuinely needed, put it behind a VPN or gateway that enforces MFA.

3. Vulnerable Software

Unpatched software vulnerabilities (especially in VPNs, web servers, and firewalls) are prime targets.

4. Drive-by Downloads

Users visiting compromised websites may unwittingly trigger a malware download via malicious scripts, typically by exploiting an unpatched browser or plug-in. Watering-hole attacks are a targeted variant: the attacker deliberately compromises a popular site that the intended victims are known to visit, and waits. Keeping browsers patched and securely configured, blocking pop-ups and adverts, and running a capable EDR tool on endpoints are the main defences.

5. Malicious USB Devices

Less common, but still seen, are pre-infected USB drives and other peripherals introduced to a system or network, whether knowingly or not. Sophisticated actors scattering USB drives in a car park for employees to find is the extreme example; far more likely is a user plugging in a personal device that happens to be compromised already, or a disgruntled employee deliberately bringing something in.

6. Supply Chain Attacks

Attackers compromise a trusted third-party vendor or software supplier and distribute ransomware through legitimate update channels, or abuse the trust between organisations that communicate regularly. This is particularly problematic around the public sector, where small charities, healthcare and social care organisations are often easier targets that share interconnected systems or frequent communications with higher-profile bodies such as NHS trusts and local authorities.


Famous Ransomware Attacks

Several high-profile incidents have shaped the way we understand ransomware today. Each demonstrates how devastating these attacks can be, even for well-resourced organisations.

WannaCry (2017)

Perhaps the most notorious ransomware outbreak in history, WannaCry exploited a vulnerability in Windows SMBv1 for which Microsoft had released a patch two months earlier, and spread globally as a worm within hours. It infected more than 200,000 machines across 150 countries, including large parts of the UK’s NHS, which suffered massive operational disruption.

NotPetya (2017)

Disguised as ransomware but actually a wiper (the “decryption” on offer could never work), NotPetya crippled large multinationals including Maersk and FedEx’s TNT Express, causing billions in damages. It entered networks via a compromised update to M.E.Doc, a Ukrainian accounting and tax software package.

Kaseya Supply Chain Attack (2021)

REvil ransomware operators exploited a vulnerability in Kaseya’s VSA remote monitoring and management product, used by managed service providers, to push ransomware through its legitimate update mechanism to over 1,000 downstream customers, many of them SMBs.

Conti Attacks on Costa Rican government (2022)

In April 2022 the Conti ransomware gang attacked numerous Costa Rican government organisations, including the Ministry of Finance, with such effect that the government declared a national emergency; full recovery took months.

LockBit Ransomware attack on the Royal Mail (2023)

Ransom notes were printed at a Royal Mail distribution centre near Belfast; the incident halted international export deliveries for several weeks. Royal Mail refused to pay.

Change Healthcare attack (2024)

The February 2024 attack on Change Healthcare, attributed to the ALPHV/BlackCat group, disrupted pharmacy and claims processing across the United States for weeks. Its parent, UnitedHealth, later told Congress that initial access was gained through a remote access portal that lacked multi-factor authentication, and confirmed that a ransom was paid.

You can see details of more significant historical ransomware attacks here:
A timeline of the biggest ransomware attacks – CNET


Why Ransomware is Especially Problematic for SMBs

While global headlines focus on attacks against massive enterprises, ransomware is increasingly aimed at smaller businesses. Why?

1. Limited Defences

SMBs often lack dedicated cybersecurity staff, segmented networks, or 24/7 monitoring. This makes intrusion and escalation easier for attackers.

2. Inadequate Backup Strategies

Many SMBs fail to maintain secure, offline, and regularly tested backups, critical for recovery without paying a ransom.

3. Faster Time to Pay

Attackers know SMBs are under pressure to resume operations quickly. They’re more likely to pay smaller ransoms (e.g., £10,000–£50,000) just to get back up and running.

4. Poor Patch Management

Outdated systems and software are common in SMBs due to resource constraints, opening the door to exploit-based ransomware.

5. Compliance Risks

Even if the ransom is paid and operations resume, SMBs are still subject to fines and legal consequences if personal data was breached (e.g., under GDPR).

In short, ransomware is not only a cyber risk, it’s a business continuity and existential risk for SMBs.


How SMBs Can Build Ransomware Resilience: NCSC Guidance

The UK’s National Cyber Security Centre (NCSC) provides practical and actionable advice tailored to organisations of all sizes, including SMBs. Here’s how to align your defences with their guidance.

1. Prepare for Ransomware Attacks

  • Create and regularly test offline backups
  • Develop an incident response plan
  • Identify and document key business assets
  • Assign roles and responsibilities in a crisis
  • Practice tabletop exercises for ransomware scenarios

2. Prevent Malware Delivery and Execution

  • Implement email filtering to block malicious attachments and links, and quarantine macro-enabled Office files
  • Use endpoint protection (EDR/XDR), keep it up to date, and make sure its alerts are actually reviewed
  • Block macros in Office files that arrive from the internet, or disable macros entirely
  • Apply network segmentation to limit lateral movement
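One way to put the attachment-filtering and macro points above into practice is to inspect Office attachments before they reach a mailbox. The following is an added example, not code from the original post or from NCSC guidance. It relies only on the facts that modern Office files (.docx, .xlsm and so on) are ZIP archives, that a VBA project is stored as a `vbaProject.bin` part, and that macro-enabled documents declare a `macroEnabled` content type. The sample attachments are constructed in memory; the `quarantine`/`block`/`allow` verdicts and the `inspect_office_attachment` name are this example’s own choices.

```python
"""Inspect an Office attachment for embedded VBA (added example, constructed samples).

Verdicts: "allow" (no VBA found), "block" (VBA present) and "quarantine"
(legacy OLE2 format or unparseable data, which this parser cannot vouch for).
"""
import io
import zipfile

# Extensions Office itself uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OOXML_MAGIC = b"PK\x03\x04"            # ZIP local file header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"       # legacy .doc/.xls/.ppt container


def inspect_office_attachment(filename, data):
    """Return a dict describing whether the attachment carries a VBA project."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "extension_mismatch": False, "verdict": "allow"}

    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office files can hold macros but need a different parser.
        result["verdict"] = "quarantine"
        return result
    if not data.startswith(OOXML_MAGIC):
        return result  # not an Office container at all; leave to other filters

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except (zipfile.BadZipFile, KeyError):
        result["verdict"] = "quarantine"  # claims to be a ZIP but cannot be parsed
        return result

    result["is_ooxml"] = True
    vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    macro_type = b"macroEnabled" in content_types
    result["has_vba"] = vba_part or macro_type
    # A VBA project inside a file with a non-macro extension is an evasion attempt.
    result["extension_mismatch"] = result["has_vba"] and ext not in MACRO_EXTENSIONS
    if result["has_vba"]:
        result["verdict"] = "block"
    return result


def _build_ooxml(parts):
    """Build a minimal OOXML-style ZIP from {part_name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document and a macro-enabled one.
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x01\x02 placeholder VBA project bytes",
})

if __name__ == "__main__":
    for name, data in [("invoice.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("old.doc", OLE2_MAGIC + b"\x00" * 16)]:
        print(inspect_office_attachment(name, data))
```

The check is deliberately structural rather than signature-based: it does not try to judge whether the macro is malicious, because the page’s advice is to keep macro-enabled files out of the mail flow altogether. Anything that looks like an Office container but cannot be parsed is held rather than passed through.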

3. Control Access

  • Enforce Multi-Factor Authentication (MFA) on all remote access and admin accounts
  • Apply least privilege access control, users should only have access to what they need
  • Disable unused user accounts, especially those with admin rights
  • Log and monitor all access to sensitive systems
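The brute-force RDP attacks described under “How Ransomware is Delivered” and the advice above to log and monitor access come together in a simple detection. The following is an added example, not code from the original post or from NCSC guidance. It assumes a simplified CSV-style export of Windows Security events (`timestamp,event_id,logon_type,account,source_ip`), where 4625 is a failed logon and 4624 a successful one; RDP sessions are logon type 10, though with Network Level Authentication enabled the failures are commonly recorded as type 3, so both are checked by default. The log lines are constructed and the thresholds are illustrative.

```python
"""Detect RDP brute-force activity in a simplified Windows Security log export.

Added example with constructed log lines. Assumed line format:
    timestamp,event_id,logon_type,account,source_ip
Event 4625 = failed logon, 4624 = successful logon.
Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how
RDP failures commonly appear when Network Level Authentication is on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host spraying RDP then logging in, one user typo,
# and one source hammering a service account over a network logon.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z,4625,10,administrator,203.0.113.7
2024-03-01T02:00:04Z,4625,10,admin,203.0.113.7
2024-03-01T02:00:07Z,4625,10,backup,203.0.113.7
2024-03-01T02:00:10Z,4625,10,scanner,203.0.113.7
2024-03-01T02:00:13Z,4625,10,administrator,203.0.113.7
2024-03-01T02:00:16Z,4625,10,admin,203.0.113.7
2024-03-01T02:00:19Z,4624,10,backup,203.0.113.7
2024-03-01T08:14:02Z,4625,10,jsmith,198.51.100.4
2024-03-01T08:14:09Z,4625,10,jsmith,198.51.100.4
2024-03-01T08:14:20Z,4624,10,jsmith,198.51.100.4
2024-03-01T09:00:00Z,4625,3,svc_sql,203.0.113.9
2024-03-01T09:00:01Z,4625,3,svc_sql,203.0.113.9
2024-03-01T09:00:02Z,4625,3,svc_sql,203.0.113.9
2024-03-01T09:00:03Z,4625,3,svc_sql,203.0.113.9
2024-03-01T09:00:04Z,4625,3,svc_sql,203.0.113.9
2024-03-01T09:00:05Z,4625,3,svc_sql,203.0.113.9
"""


def parse_events(text):
    """Parse the export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), logon_types=(10, 3)):
    """Return {source_ip: (peak_failures, accounts_tried)} for sources that
    exceed `threshold` failed logons inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in logon_types:
            failures[e["ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0,))[0]:
                accounts = sorted({x["account"] for x in evs[start:end + 1]})
                alerts[ip] = (count, accounts)
    return alerts


def detect_success_after_failures(events, threshold=5, window=timedelta(minutes=5), logon_types=(10, 3)):
    """Return [(source_ip, account)] for successful logons preceded by at least
    `threshold` failures from the same source within `window`: the signature of
    a brute force that worked, which warrants immediate response."""
    hits = []
    for i, e in enumerate(events):
        if e["event_id"] != 4624 or e["logon_type"] not in logon_types:
            continue
        prior = [x for x in events[:i]
                 if x["ip"] == e["ip"] and x["event_id"] == 4625
                 and x["logon_type"] in logon_types
                 and e["ts"] - x["ts"] <= window]
        if len(prior) >= threshold:
            hits.append((e["ip"], e["account"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute-force sources:", detect_bruteforce(evs))
    print("probable compromises:", detect_success_after_failures(evs))
```

The two-failure typo from 198.51.100.4 never reaches the threshold, while the spray from 203.0.113.7 is reported both as brute force and, because it ends in a successful logon as `backup`, as a probable compromise. In a real estate the same logic would run over events forwarded to a SIEM, and a positive second result should trigger account disablement and session termination rather than just a ticket.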

4. Keep Systems Up to Date

  • Patch operating systems, software, and firmware as soon as updates are available
  • Prioritise critical vulnerabilities (especially those exploited in the wild)
  • Maintain asset and software inventories to track what’s in your environment

5. Develop and Test Recovery Plans

  • Keep at least one backup copy offline or immutable, protected by credentials separate from the production domain, since human-operated intrusions deliberately seek out and delete backups before encrypting
  • Test restoration procedures at least quarterly, and verify restored data against a record taken at backup time rather than assuming a completed restore job means intact data
  • Maintain a communications plan in case of incident (include regulators, customers, staff, media)
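The points about creating and regularly testing offline backups (section 1) and testing restoration (section 5) are only as good as the check that the restored data is what was backed up. The following is an added example, not code from the original post or from NCSC guidance: it builds a SHA-256 manifest of a directory tree at backup time and later compares a restored tree against it, reporting files that came back altered, missing, or that were never in the backup. The scenario in `run_demo` (a small constructed tree, one file overwritten with random bytes to stand in for encryption, one deleted, and a stray ransom note) is entirely made up; the function names are this example’s own.

```python
"""Verify a restored backup against a hash manifest taken at backup time.

Added example. The manifest must be stored somewhere the attacker cannot
rewrite (offline or write-once storage, alongside the backup copy), otherwise
a compromised host could simply regenerate it to match tampered data.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the backup-time manifest."""
    actual = build_manifest(restored_root)
    expected, present = set(manifest), set(actual)
    both = expected & present
    return {
        "ok": sorted(p for p in both if manifest[p] == actual[p]),
        "modified": sorted(p for p in both if manifest[p] != actual[p]),
        "missing": sorted(expected - present),
        "extra": sorted(present - expected),
    }


def run_demo():
    """Constructed scenario: back up a tree, corrupt the restore, then verify."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "finance"))
        os.makedirs(os.path.join(live, "hr"))
        with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-03-01,1200\n")
        with open(os.path.join(live, "hr", "staff.csv"), "w") as f:
            f.write("name,role\nA. Example,Ops\n")
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("company share\n")

        manifest = build_manifest(live)            # taken at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)               # the offline copy

        # Simulate a restore that did not go to plan: one file overwritten with
        # encrypted-looking bytes, one file gone, and a ransom note left behind.
        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)
        with open(os.path.join(restored, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(restored, "hr", "staff.csv"))
        with open(os.path.join(restored, "HOW_TO_DECRYPT.txt"), "w") as f:
            f.write("constructed ransom note\n")

        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:9s} {paths}")
```

A quarterly restore test that ends with an empty `modified` and `missing` list, and an `extra` list you can explain, is evidence the backup works; a test that only confirms the restore job exited successfully is not.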

Extensive NCSC guidance around ransomware can be found here:
A guide to ransomware – NCSC.GOV.UK


What About Paying the Ransom?

The NCSC, along with law enforcement agencies like the NCA and the FBI, strongly advises against paying ransoms. Here’s why:

  • No guarantee that you’ll get your data back
  • Encourages further criminal activity
  • May be unlawful, for example where the recipient is subject to sanctions
  • Could increase your risk of being targeted again

Instead, the focus should be on resilience, detection, and recovery. Prevention, when done right, is far more cost-effective than ransom payment or prolonged downtime.


The Role of a Managed Security Service Provider (MSSP)

For many SMBs, building this level of cyber resilience in-house simply isn’t feasible. That’s where MSSPs come in.

As your trusted security partner, an MSSP can:

  • Provide continuous monitoring and early threat detection
  • Implement and manage EDR, firewalls, and email security
  • Conduct vulnerability scans and patch management
  • Assist with NCSC-aligned controls and compliance
  • Help design and test incident response plans
  • Deliver user awareness training to reduce phishing risk

Outsourcing cybersecurity to a capable MSSP turns ransomware defence from a burden into a business enabler. Choosing the right one, rather than adding another supply chain vulnerability with privileged access to your estate, is paramount.


Conclusion: Don’t Wait Until It’s Too Late

Ransomware isn’t just a threat on the horizon, it’s a present and growing danger. For SMBs, the question is increasingly not whether ransomware will strike, but whether you’ll be prepared when it does.

By understanding how ransomware works, staying alert to its delivery methods, and implementing the practical guidance provided by the NCSC, you can significantly reduce your risk. Investing in preventative controls today could mean the difference between swift recovery and permanent closure tomorrow.

At Clear Path Security, we specialise in helping SMBs build cost-effective, scalable defences against ransomware and other evolving threats. If you’re ready to assess your readiness, strengthen your resilience, or build a recovery plan, we’re here to help.

Reach out to us today — before ransomware reaches you.
