Small and medium-sized businesses (SMEs) are becoming big targets for cybercriminals. Many small businesses don’t spend as much on cybersecurity as larger companies. According to a survey, only 84% of SMEs focus on cybersecurity, compared to 98% of large businesses. This makes them easier targets for ransomware attacks.
In fact, the 2024 Sophos Threat Report shows that 28% of the attacks by the LockBit group hit SMEs. Other big groups like Akira and BlackCat/Alphv also target small businesses. As some ransomware groups break apart, new ones are forming, and the total number of groups has increased by 56%.
Changing tactics
Ransomware groups are changing how they attack. They used to break into a company’s systems, steal data, and demand money to unlock it. Now, more groups are using extortion, where they steal the data and threaten to publish it unless they get paid. This method is faster and easier for them.
One report found that only 8% of businesses paid the ransom, even though attacks went up by 27% compared to 2023. Larger companies are harder to attack because they have better security and backups. Plus, experts like the NCSC and the ICO discourage paying ransoms. Because of this, cybercriminals are focusing on small businesses, where they hope to get smaller payments more often.
Here are some of the groups targeting SMEs:
- 8base: This group pretends to be a security company, using a type of ransomware called Phobos. By April 2024, it had attacked 350 victims, with about 10% in the UK.
- Play/Playcrypt: This group uses double extortion, which means they ask for money to unlock data and also to keep it private. By the end of 2023, they had attacked 300 businesses, mostly in Europe.
- BianLian: This group switched from double extortion to just threatening to leak data. In 2024, they published information from 90 victims.
- CosmicBeetle/NONAME: Active since 2020, this group started getting noticed in 2023. It uses simple but effective methods, like guessing passwords. They have targeted SMEs around the world.
AI and future attacks
Things might get even harder for SMEs in the future.
The NCSC has warned that AI (artificial intelligence) could help cybercriminals launch faster and more complex attacks. Even people with less skill could use AI to get into systems.
But there’s hope—many attacks happen because of poor cyber hygiene (basic security practices), not because of highly advanced hacking techniques.
How to improve cyber hygiene
Good cyber hygiene means doing simple things like updating malware protection, using strong passwords, backing up data, limiting admin rights, and using firewalls.
But the 2024 Cyber Security Breaches Survey found that many SMEs don’t follow all these rules. For example:
- Only 34% of businesses update their software within two weeks
- 32% use secure connections (VPNs) for remote work
- 30% check their systems for unusual activity
Monitoring for suspicious activity can make a huge difference. SIEM (Security Information and Event Management) systems can help small businesses by watching for signs of attacks in real time. Once only affordable for large companies, SIEM systems are now within reach for SMEs. These systems check for things like changes in user permissions, firewall settings, or new software being installed, and they send alerts if something looks wrong.
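The kind of check described above can be sketched in a few lines. This is an added example, not code from the author or from any SIEM product: it alerts on the three change types named in the paragraph and raises the severity when one host shows more than one of them in a short period. The log field names, the sample events and the 30-minute window are assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta

# Windows event IDs standing in for the three change types named above.
WATCHED = {
    4732: "permission_change",   # member added to a security-enabled local group
    4947: "firewall_change",     # Windows Firewall rule modified
    11707: "software_install",   # MsiInstaller: installation completed
}
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed sample events (one JSON object per line); the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-06-03T09:12:00", "host": "pc-07", "event_id": 4624, "user": "alice"}
{"ts": "2024-06-03T02:14:00", "host": "pc-07", "event_id": 4732, "user": "svc-backup"}
{"ts": "2024-06-03T02:20:00", "host": "pc-07", "event_id": 4947, "user": "svc-backup"}
{"ts": "2024-06-03T02:31:00", "host": "pc-07", "event_id": 11707, "user": "svc-backup"}
this line is truncated and is not valid JSON
{"ts": "2024-06-03T14:05:00", "host": "pc-12", "event_id": 11707, "user": "bob"}
{"ts": "2024-06-03T16:00:00", "host": "pc-12", "event_id": 4947, "user": "bob"}
"""

def parse(log_text):
    """Return well-formed events in time order, skipping lines that do not parse."""
    events = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["host"], ev["event_id"]          # required fields must be present
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(log_text):
    """Alert on every watched change; escalate when a host shows 2+ change types within WINDOW."""
    alerts, recent = [], {}                     # recent: host -> [(time, kind), ...]
    for ev in parse(log_text):
        kind = WATCHED.get(ev["event_id"])
        if kind is None:
            continue                            # e.g. 4624 (logon) is not a watched change
        seen = [(t, k) for t, k in recent.get(ev["host"], []) if ev["ts"] - t <= WINDOW]
        seen.append((ev["ts"], kind))
        recent[ev["host"]] = seen
        severity = "high" if len({k for _, k in seen}) > 1 else "medium"
        alerts.append({"host": ev["host"], "kind": kind, "severity": severity,
                       "user": ev.get("user"), "time": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data, the three overnight changes on pc-07 escalate to high severity, while the two changes on pc-12, almost two hours apart, each stay at medium.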
For small businesses that don’t have the time or resources to manage cybersecurity on their own, outsourcing to a Managed Security Service Provider (MSSP) can be a good solution. An MSSP can offer SIEM services and help keep small businesses safe.
No matter which option they choose, SMEs must act to protect themselves. The number of ransomware groups is growing, and attacks are getting smarter. To avoid becoming the next victim, they need to improve cyber hygiene and strengthen defences with automated threat detection and response.
About the author
Kennet Harpsoe is Lead Security Researcher at Logpoint, a cybersecurity vendor of SIEM and related technologies. Logpoint helps organisations and partners protect against cyberattacks and streamline security operations by combining sophisticated technology and a profound understanding of customer challenges.