For years, the dominant assumption in cybersecurity was that ransomware groups wanted big targets. Large enterprises, government agencies, critical infrastructure — organizations whose scale justified the risk and whose disruption would command ransom payments in the millions. That narrative is still partly true. But the underlying economics of ransomware have shifted in ways that make smaller organizations not a secondary consideration, but a primary one.
The data from the past several years tells a consistent story: small and medium-sized businesses, local governments, educational institutions, and nonprofits are now disproportionately targeted — not despite their size, but because of it.
the numbers don't lie
- 43% of all cyberattacks target small and medium businesses (Verizon DBIR)
- 60% of SMBs that experience a significant breach close within 6 months (National Cybersecurity Alliance)
- 82% of ransomware attacks in recent years targeted organizations under 1,000 employees (Coveware Quarterly Reports)
- 200+ days average time to detect a breach in a resource-constrained organization (IBM Cost of a Data Breach)
These numbers reflect a deliberate evolution in how ransomware groups approach target selection — and understanding that evolution is the first step toward building effective defenses.
how targeting strategy has shifted
The high-profile ransomware incidents that dominate news coverage — Colonial Pipeline, Change Healthcare, MGM Resorts — have an outsized effect on perception. They suggest that threat actors are primarily hunting whales. They're not. Those cases are exceptions, not the rule, and they represent a small fraction of the total ransomware incident volume.
Most ransomware operations today function less like targeted espionage campaigns and more like optimized business operations. Affiliates within the ransomware-as-a-service (RaaS) ecosystem are evaluated on return on effort: what ransom amount can be extracted relative to the time and resources invested in the attack?
Under that calculus, small businesses and local governments often score surprisingly well.
thin or absent security coverage
Organizations without dedicated security staff — which describes the vast majority of businesses under 500 employees — typically have no one monitoring their environment for active threats. There is no SOC watching for unusual authentication patterns, no detection engineering team tuning alerts, no incident response retainer ready to respond. An attacker who establishes a foothold can often operate for weeks or months undetected, increasing the depth of compromise and the leverage they hold at the moment of extortion.
high urgency, lower resilience
A large enterprise that suffers a ransomware attack has painful options: engage response teams, attempt restoration from backup, negotiate, or some combination. A small medical practice or county school district has fewer of those options. Revenue stops immediately. Services to patients or students fail. There is often no dedicated IT team to manage restoration. The operational pain-per-hour of a ransomware attack is substantially higher for smaller organizations — which is exactly the leverage attackers need to demand prompt payment.
weaker backup posture and recovery capability
Enterprise organizations have invested significantly in backup infrastructure, offsite replication, and tested recovery procedures. Smaller organizations frequently rely on ad-hoc backup approaches — periodic external drives, basic cloud sync, or nothing at all. Ransomware operators know this. When they identify a target, they specifically look for and destroy or encrypt backup systems before deploying the main payload. An organization that cannot restore from backup is an organization with far fewer options.
supply chain and lateral pivot value
A local government or small business may also be attractive as a stepping stone. Managed service providers (MSPs) and small IT vendors often hold privileged access to dozens or hundreds of client environments. Compromising an MSP can create leverage across its entire client base — a dynamic that threat actors have exploited repeatedly, including in several high-profile incidents that began with small, under-resourced providers.
Key insight: Ransomware targeting is increasingly driven by affiliate economics — attackers optimize for return on effort, not just ransom size. An SMB that takes three days to compromise and pays $45,000 may generate better ROI for an affiliate than a large enterprise that takes months to penetrate and fights back hard.
the sector breakdown
| Sector | Primary Driver | Typical Ransom Range | Key Risk Factor |
|---|---|---|---|
| K–12 Education | Student PII, operational disruption | $50K–$500K | Constrained IT budgets, legacy systems |
| Local Government | Critical service disruption, public pressure | $100K–$2M | Aging infrastructure, political accountability |
| Healthcare (small) | PHI value, patient safety pressure | $75K–$750K | Operational criticality, HIPAA exposure |
| Professional Services | Client data, supply chain access | $25K–$500K | Privileged access to third parties |
| Manufacturing (SMB) | OT disruption, time-sensitive operations | $50K–$1M+ | IT/OT convergence, thin margins |
what attackers actually look for
Understanding attacker targeting criteria helps organizations prioritize their defenses. RaaS affiliates commonly evaluate targets against criteria including:
- Revenue signals — Visible indicators of organizational revenue (LinkedIn headcount, job postings, public contracts) are used to calibrate ransom demands.
- Exposed remote access infrastructure — RDP instances exposed to the internet, unpatched VPN appliances, and weak authentication on remote access tools are among the most common initial access vectors.
- Public vulnerability indicators — Shodan, Censys, and similar services allow attackers to identify organizations running known-vulnerable software versions at scale.
- Known insurance coverage — In some cases, ransomware operators have targeted organizations based on knowledge of their cyber insurance policy limits.
- Past breach history — Organizations that have previously disclosed breaches are sometimes re-targeted, on the assumption that they have already demonstrated exploitable weaknesses.
Important: Exposed RDP and unpatched VPN appliances account for a disproportionate share of ransomware initial access. These are among the highest-priority items on any hardening checklist — and they require no budget to fix, only time and attention.
what the data says works
The defensive picture is not hopeless. Research consistently shows that a relatively small set of controls — implemented well and maintained consistently — prevents or significantly disrupts a majority of ransomware attacks.
multi-factor authentication
MFA adoption remains the single highest-impact preventive control available. The majority of credential-based initial access vectors are either rendered non-viable or significantly complicated by MFA. Free and low-cost MFA solutions are available for organizations that cannot budget enterprise identity platforms.
offline and immutable backups
A tested, offline backup changes the calculus of a ransomware attack entirely. Organizations that can restore from backup within an acceptable time window have substantially more negotiating leverage — and often don't need to negotiate at all. The critical word is tested: a backup that has never been restored is a backup of unknown quality.
attack surface reduction
Minimizing internet-exposed services is one of the most impactful steps available to smaller organizations. Regular scanning of external-facing infrastructure — free tools like Shodan allow organizations to see themselves as attackers do — helps identify and close exposures before they're exploited.
email security controls
Phishing remains a primary initial access vector. DMARC, DKIM, and SPF configuration closes a large class of spoofing-based attacks. User awareness training — not annual compliance-checkbox training, but regular, realistic scenarios — addresses the human element.
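As an added example (not CrowdSOC's code), the small Python checker below grades whether a domain's SPF and DMARC records actually enforce rather than merely exist, with a constructed weak configuration beside the corrected one. The domains are placeholders, and a real check would fetch the TXT records from DNS instead of using the inline strings.

```python
import re

# Constructed sample records (placeholder domains): the weak setup beside the enforcing one.
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"

# SPF terms that each cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a\b|mx\b|ptr\b)")

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a tag dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags

def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means it actually enforces."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("SPF +all authorizes every sender on the internet")
    elif "-all" not in terms:
        findings.append("SPF lacks -all: spoofed mail only soft-fails (~all) or is unevaluated (?all)")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list:
    """Findings for a DMARC record; p=none means spoofed mail is still delivered."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; receivers still deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofed mail to spam instead of rejecting it")
    if "rua" not in tags:
        findings.append("no rua= address, so spoofing attempts are never reported to you")
    return findings

def assess(spf: str, dmarc: str) -> list:
    """Combine findings for a domain's SPF and DMARC records."""
    return check_spf(spf) + check_dmarc(dmarc)
```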
detection and response coverage
All of the above controls reduce the probability of a successful attack. None of them guarantee prevention. Organizations that have no visibility into their environment are flying blind. Earlier detection dramatically limits the scope of impact — a detection that catches attacker activity before lateral movement and ransomware deployment is the difference between a contained incident and an organizational crisis.
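To make the detection point concrete, the following added Python example (not CrowdSOC's tooling) flags a password spray against an exposed RDP login from constructed, simplified Windows logon events, and records whether a successful logon followed the failures, which is the moment an alert needs to fire before lateral movement begins. The field layout and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified from exported Windows Security events:
# time, event id (4625 fail / 4624 success), source IP, logon type (10 = RDP), account.
SAMPLE_LOG = """\
2024-05-01T02:11:03 4625 203.0.113.7 10 alice
2024-05-01T02:11:09 4625 203.0.113.7 10 bob
2024-05-01T02:11:15 4625 203.0.113.7 10 carol
2024-05-01T02:11:21 4625 203.0.113.7 10 dave
2024-05-01T02:11:27 4625 203.0.113.7 10 erin
2024-05-01T02:11:34 4625 203.0.113.7 10 frank
2024-05-01T02:12:40 4624 203.0.113.7 10 frank
2024-05-01T02:15:00 4625 192.0.2.44 10 alice
2024-05-01T02:15:30 4624 192.0.2.44 10 alice
"""

def parse(log: str) -> list:
    """Turn log lines into (time, event_id, source, logon_type, account) tuples."""
    events = []
    for line in log.splitlines():
        ts, eid, src, ltype, user = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), src, int(ltype), user))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_failures=5, min_accounts=3):
    """One alert per source whose RDP failures within any window span enough distinct
    accounts; notes which account (if any) later logged on successfully from it."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625 and e[3] == 10]
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - first[0] <= window]
            accounts = sorted({e[4] for e in in_win})
            if len(in_win) < min_failures or len(accounts) < min_accounts:
                continue
            after = in_win[-1][0]
            hit = next((e[4] for e in evs if e[1] == 4624 and e[0] > after), None)
            alerts.append({"source": src, "failures": len(in_win),
                           "accounts": accounts, "followed_by_success": hit})
            break  # one alert per source is enough for triage
    return alerts
```

A single mistyped password from the second source stays below the thresholds, so only the spraying source is reported.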
the honest assessment
The security industry's default response to the SMB security gap has been to sell down-market versions of enterprise products at prices that are still out of reach for most small organizations. That approach has not solved the problem.
The gap is structural. It requires structural solutions — different models of delivering security expertise, not just cheaper versions of existing ones. That's the problem CrowdSOC was built to address. But regardless of the tooling and services available, the most important thing any organization can do is understand that they are a target, prioritize the controls that provide the most leverage against the specific threats they face, and build those capabilities before they're needed.
The data is clear. The threat is real. The question for every small and medium organization is not whether ransomware actors are thinking about them — it's whether they're thinking about ransomware actors.