You’re Not Too Small to Be Attacked. You’re Just Too Small to Make the News.

Ransomware attackers now treat small and mid-sized businesses as primary targets, not overflow: Sophos found attackers attempt to compromise backups in 94% of ransomware attacks, and Verizon's 2025 DBIR found ransomware present in 88% of breaches at SMBs. The businesses that recover without paying are the ones whose backups stayed isolated, immutable, and tested before the attack ever happened.
Share post:

It’s 3:41 a.m., and the on-call contact for a very small business continuity team gets an email nobody wants to read. There’s no forensics team standing by. No one knows yet how the attacker got into a tier-one workload. The team logs in to check recovery points and finds that nothing going back at least two months is clean. Now everyone’s arguing about which backups to restore first, in what order, and why, because no one has ever actually run this playbook before.

Eventually, this small data protection team gets things running again. It takes several hours: rebuilding network configurations, isolating the affected systems, hunting down a recovery point that isn’t compromised, double-checking permissions. They get there. But nobody outside the company will ever hear about it.

The short version: small and mid-sized businesses are now the primary target of ransomware, not the leftovers. Two things drive it. Enterprises got harder to breach, and attack toolkits got cheap enough to rent for a few hundred dollars a month. Attackers no longer immediately infiltrate backups. They wait, get folded into the backup and restore cycle, and let you restore them right back into your own environment. The one thing that separates a bad week from a closed business is how isolated and recoverable your backups were before the attack.

This will never make a headline. No journalist would even take the pitch because it isn’t interesting enough. The problem is more than just the downtime. When incidents like this stay invisible, other small businesses never get the signal that the risk around them has changed, and changed fast, in just the last six months to a year.

From the outside, it’s easy to shrug off a small business getting hacked. But that “small” business might process payroll, hold client records, or run infrastructure for dozens of other companies. When it goes down, so does everyone downstream of it, and it’s a problem far bigger than its size would suggest.

“You won’t make the headlines” is worth repeating to every small and mid-sized business that still thinks ransomware is a big-company problem. You’re not too small to be attacked, and you’re not too small to cause real damage to thousands of end users. You’re just too small to show up in the annual research reports.

What’s changed for attacks on SMBs?

SMBs have always been easier targets than enterprises because their security teams need to be stretched further. But more than that, attacks targeting SMBs have changed, especially over the last year. Yes, it’s the frequency of the attacks, but also how SMBs are being attacked.

Ransomware groups have spent close to a decade refining their craft against hospitals, government agencies, and Fortune 500 companies. That decade produced a playbook: reconnaissance, credential harvesting, lateral movement, data exfiltration, and only then, encryption. It’s an efficient, repeatable process now, and Ransomware-as-a-Service (RaaS) groups have industrialized it.

Two forces are driving RaaS groups to target SMBs. First, large enterprises have genuinely gotten harder to hit due to better detection, bigger security budgets, dedicated incident response teams. They’re a slower, less certain payout now. Second, SMBs are still operating on the assumption that they’re not worth the effort, often with an entire IT function riding on one contractor who handles everything from payroll software to the firewall.

Meanwhile, the RaaS ecosystem keeps scaling. Breachsense’s 2025 Annual Ransomware Report counted 138 distinct ransomware groups claiming victims in 2025, up from 98 the year before, and monthly subscriptions to attack toolkits can run as low as a few hundred dollars, which is a very low bar to clear. Today it operates like a full ecosystem: developers, affiliates, leak sites, negotiators, all running like a legitimate business, minus the legitimacy.

Some SMB ransomware stats worth sitting with

  • The HIPAA Journal reported a 58% year-over-year jump in ransomware attacks in 2025, based on GuidePoint Security’s tracking, the most active year GuidePoint has recorded. Other trackers report different growth rates for the same period, but every one of them points the same direction: up.
  • Verizon’s 2025 Data Breach Investigations Report found ransomware present in 88% of breaches at small and mid-sized businesses, well above the rate at large enterprises, with average downtime after an attack running about 24 days.
  • PurpleSec estimates the realistic total cost of an SMB ransomware incident, recovery, downtime, forensics, and legal exposure included, at $120,000 to $1.24 million, a range that can be existential for a small business.

The asymmetry is the real problem underneath all of this. A single affiliate on a modern ransomware crew can hit dozens of SMB targets in a quarter easily. The average defender on the other side is one IT generalist, or an MSP spread across forty other clients.

Don’t underestimate how long attackers sit idle, or how deliberately they target backups

The popular image of ransomware is instant: someone clicks a bad link, and you watch your files lock up in real time. The reality is slower and quieter. Most attacks start weeks or months before anyone realizes the environment has been infiltrated. Attackers sit still on purpose. They watch, they learn, and they map out what’s actually valuable before they touch anything.

One pattern shows up again and again in ransomware incident reports: the entry point is something the business always meant to fix. An unpatched VPN appliance. A legacy server that should have been decommissioned years ago but stayed powered on “because we still need it.” That one overlooked asset is often all it takes to establish a foothold that goes undetected for weeks, sometimes far longer.

Attackers are willing to wait because they know immutable backups are increasingly common, and a direct assault on them won’t work. So they take the next best route: they camp out long enough to get folded into the backup and restore cycle itself. When the business thinks it’s recovering, it may actually be restoring the attacker right back into the environment.

Backups aren’t a fallback anymore. They’re a primary target. Sophos’s independent research, based on a survey of nearly 3,000 IT and security professionals hit by ransomware, found that attackers attempted to compromise backups in 94% of those attacks. The payoff for attackers is real: victims with compromised backups pay a median ransom of $2.3 million, more than double the $1 million median when backups stay intact.

What actually protects a small business from ransomware?

Budgets and priorities at most SMBs still lag behind the threat. Even at the enterprise level, the detection window is shrinking fast, especially as ransomware itself starts adapting in real time with agentic AI. That shift means the most important strategy isn’t catching every intrusion, it’s how quickly you can take back control once one gets through. We’ve watched businesses of every size get hit hard, and what separates a bad week from a business-ending one usually isn’t the size of the security budget. It’s how isolated and well-protected the backups were.

If you’re an SMB looking for a security partner, look for an MSP that can be both your backup partner and your security partner. We’re happy to point you toward one if you’d like a recommendation.

The good news is that small teams don’t need a massive budget to close this gap. N2W gives you automated, frequent backups that never touch production, plus isolated recovery testing that validates full restore scenarios, not just the VM but the network configuration around it too. Immutable backups can be layered with low-cost offsite copies to Wasabi for extra protection and fast, hot-storage recovery. Flexible recovery points to cold storage like Azure Blob, Amazon S3, and Glacier keep long-term costs down without sacrificing recoverability. And compliance reports, audit logs, and a live view of unprotected resources mean you can see exactly where your gaps are, every day, instead of finding out at 3:41 a.m.

Ransomware questions small businesses are asking

Are small businesses really targeted by ransomware? Yes. Verizon’s 2025 Data Breach Investigations Report found ransomware present in 88% of breaches at small and mid-sized businesses, well above the rate seen at large enterprises. Attackers increasingly prefer SMBs because they’re easier to breach and slower to detect an intrusion in progress.

Why do ransomware attacks target backups? Because a business that can restore from backup doesn’t need to pay the ransom. Sophos’s research found that attackers attempted to compromise backups in 94% of ransomware attacks, and victims whose backups were compromised paid a median ransom more than double that of victims whose backups stayed intact.

How can a small business recover from ransomware without paying the ransom? By keeping backups isolated from production, testing full restores (not just individual files) before an attack happens, and verifying that recovery points predate the intrusion. Immutable, offsite, and regularly tested backups are what let a business decline to pay and still get back up and running.

For SMBs that can’t staff a 24/7 security operations center or a dedicated incident response team, that kind of layered, automated resilience is what stands between a bad week and a business-ending one. You may still be too small to make the news. But with the right backup strategy in place, you can also make sure you’re too well-protected to become the story.

See what this looks like for a business your size. N2W is built to scale for SMBs, large enterprises and MSPs running on AWS and Azure.

Book a demo and we’ll walk through your environment with you, isolated recovery testing, immutable backups, and all, so you can see exactly how it would hold up before you commit to anything.

You might also like