Ransomware isn't a big-company problem anymore. The average downtime is 21 days. Three quarters of SMBs say they would not survive it.
| Stat | Source |
|---|---|
| Ransomware present in 88% of breaches at small and medium-sized businesses (39% at large organisations) | Verizon DBIR, 2025 |
| 21–24 days average downtime following a ransomware attack | Coveware / Cigent, 2024–2025 |
| $1.53M average recovery cost, excluding any ransom payment | Sophos State of Ransomware, 2025 |
| 75% of SMBs say they could not continue operating if hit by ransomware | StrongDM / ConnectWise, 2025 |
| 19,000 UK businesses experienced a confirmed ransomware crime in 2025 — double the 2024 figure | UK Cyber Security Breaches Survey, 2025 |
| 96% of ransomware attacks target backup locations first | VikingCloud, 2025 |
There is a persistent myth in small business cybersecurity: that ransomware is something that happens to large organisations with complex infrastructure, sensitive data, and the ability to pay seven-figure ransoms. It is a myth that attackers have spent years deliberately cultivating — and profiting from.
The reality, as of 2026, is the inverse. According to the Verizon Data Breach Investigations Report, ransomware was present in 88% of breaches at small and medium-sized businesses, compared with just 39% of breaches at larger organisations.[1] SMBs are not caught in the crossfire. They are the primary target. They have real data, real money in accessible accounts, and, critically, far fewer defences than the enterprises attackers once focused on.
For UK businesses specifically, the picture worsened sharply in 2025. The UK Government's Cyber Security Breaches Survey found that the number of businesses experiencing a confirmed ransomware crime doubled from less than 0.5% in 2024 to 1% in 2025 — equating to an estimated 19,000 UK organisations.[2] The NCSC's own 2025 Annual Review was unambiguous: ransomware is now the most pressing cyber threat to UK businesses.[3]
If you run a small or medium-sized business in the UK and your ransomware protection plan consists of a basic antivirus subscription and a vague intention to "restore from backup," this post is for you.
Why SMBs are now the preferred target
The shift is not accidental. It is the predictable result of two converging forces: the professionalisation of ransomware-as-a-service (RaaS), and the hardening of enterprise defences.
RaaS platforms have made ransomware accessible to criminals with no technical skill. Attackers rent a toolkit, identify a vulnerable target using automated scanning tools, and execute. The barrier to entry is negligible. The economics are straightforward: for a criminal group looking to collect £1 million in ransom, it is often easier to hit 20 small businesses at £50,000 each than to target a single enterprise with a mature security team.[4]
What makes SMBs attractive is precisely what makes them vulnerable. They hold customer payment data, personal records, and confidential business information — the same categories of data that attract ransomware operators — but typically lack the network segmentation, endpoint detection, offline backups, and incident response capabilities that larger organisations deploy. The attack is easier. The disruption is more severe. The likelihood of payment is higher.
The Europol Internet Organised Crime Threat Assessment 2025 noted that the availability of subscription-based attack kits is specifically expanding the pool of offenders targeting mid-market and smaller firms, whose operations are easier to disrupt and more costly to restore.[5]
What a ransomware attack actually looks like in 2026
The popular image of ransomware — a skulls-and-crossbones screen demanding Bitcoin — undersells how methodical the modern attack has become. Here is what typically happens:
Initial access: The attacker gains entry via phishing email (responsible for 20% of ransomware incidents), exploited vulnerability (34%), or stolen credentials (22%).[6] In 54% of cases, ransomware is deployed within seven days of initial access.[7] The attacker has therefore typically been inside your network for days before anything visibly goes wrong, and in nearly half of cases for longer than a week.
Discovery and lateral movement: The attacker maps your network, identifies your most critical systems, and, crucially, locates your backups. 96% of ransomware attacks target backup locations specifically, because an organisation with accessible, clean backups has less incentive to pay.[7] Attackers disable or encrypt backup systems, and delete the volume shadow copies on the endpoints themselves, before triggering the final payload.
Encryption and extortion: Files are encrypted across affected systems. A ransom note appears. But in 2025, encryption is increasingly paired with data exfiltration: 87% of ransomware attacks now involve the theft of data in addition to — or instead of — encrypting it.[8] This means even organisations that can restore from backup still face the threat of having their data published or sold. Paying the ransom addresses the encryption. It does not address the leak.
The downtime: Recovery from ransomware takes an average of 21 to 24 days according to data from Coveware and Cigent.[9] For a small business, three weeks of operational downtime — with no access to email, customer records, financial systems, or internal tools — is not an inconvenience. For many, it is the end. ConnectWise research found that 75% of SMBs say they could not continue operating if hit by ransomware.[10]
Recovery costs for SMBs average £1.1 million excluding the ransom payment itself — and downtime costs approximately 50 times more than the ransom.[11] The ransom is not the problem. The three weeks offline is the problem.
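The discovery and encryption stages above leave behavioural traces that are worth alerting on: the commands that destroy local recovery points, and a single process renaming many files in many folders to a new extension within seconds. The following is an added example, not code from the original post, of those two detections run over constructed telemetry; the event fields, process names, paths and thresholds are illustrative assumptions, and a real EDR or Sysmon feed would supply its own schema.

```python
"""Behavioural detection of two ransomware stages: recovery-point destruction and the encryption burst.
Added example, not code from the original post. Events are constructed dicts with the fields an
EDR or Sysmon feed would carry; process names, paths and thresholds are illustrative assumptions."""
import ntpath
from collections import defaultdict

# Commands ransomware commonly runs before encrypting, to destroy local recovery points.
# Matched against a normalised command line: lower-case, ".exe" stripped, whitespace collapsed.
BACKUP_TAMPER_PATTERNS = (
    "vssadmin delete shadows",
    "vssadmin resize shadowstorage",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
    "bcdedit /set {default} recoveryenabled no",
)

# Encryption-burst thresholds (assumed values; tune against your own file-server baseline).
BURST_WINDOW_SECONDS = 60
MIN_FILES_IN_BURST = 20
MIN_DIRECTORIES_IN_BURST = 3
MIN_EXTENSION_CHANGE_RATIO = 0.9

def normalise_cmdline(cmdline):
    return " ".join(cmdline.lower().replace(".exe", "").split())

def detect_backup_tampering(events):
    """One hit per process_start whose command line matches a known recovery-destruction command."""
    hits = []
    for ev in events:
        if ev.get("type") != "process_start":
            continue
        cmd = normalise_cmdline(ev.get("cmdline", ""))
        for pattern in BACKUP_TAMPER_PATTERNS:
            if pattern in cmd:
                hits.append({"ts": ev["ts"], "pid": ev["pid"], "pattern": pattern})
                break
    return hits

def _ext(path):
    return ntpath.splitext(path)[1].lower()

def detect_encryption_bursts(events):
    """Flag a process that renames many files across several directories to a new extension
    inside a short sliding window. Bulk renames that keep the extension (a photo tool) or stay
    in one folder (a backup agent rotating temp files) do not trigger."""
    renames = defaultdict(list)
    for ev in events:
        if ev.get("type") == "file_rename":
            renames[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in renames.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BURST_WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            files = {e["src"].lower() for e in window}
            dirs = {ntpath.dirname(e["src"]).lower() for e in window}
            changed = sum(1 for e in window if _ext(e["src"]) != _ext(e["dst"]))
            if (len(files) >= MIN_FILES_IN_BURST
                    and len(dirs) >= MIN_DIRECTORIES_IN_BURST
                    and changed / len(window) >= MIN_EXTENSION_CHANGE_RATIO):
                alerts.append({"pid": pid, "image": window[0]["image"], "files": len(files),
                               "directories": len(dirs), "window": (window[0]["ts"], window[-1]["ts"])})
                break  # one alert per process is enough to trigger containment
    return alerts

def sample_events():
    """Constructed telemetry: a backup agent, a bulk photo rename, and one process that deletes
    shadow copies and then renames 25 spreadsheets across four folders to .locked."""
    image = r"C:\Users\finance\AppData\Local\Temp\update.exe"  # hypothetical dropper path
    evs = [
        {"type": "process_start", "ts": 990, "pid": 4242, "image": image,
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"type": "process_start", "ts": 991, "pid": 4242, "image": image,
         "cmdline": "wbadmin.exe DELETE CATALOG -quiet"},
        {"type": "process_start", "ts": 992, "pid": 700,
         "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    ]
    for i in range(5):  # backup agent rotating temp files: one folder, five files
        evs.append({"type": "file_rename", "ts": 1000 + i, "pid": 1337,
                    "image": r"C:\Program Files\BackupAgent\agent.exe",
                    "src": rf"D:\Backups\staging\chunk{i}.tmp", "dst": rf"D:\Backups\staging\chunk{i}.bak"})
    for i in range(30):  # photo tool renaming 30 images in one folder, extension unchanged
        evs.append({"type": "file_rename", "ts": 1000 + i, "pid": 2001,
                    "image": r"C:\Program Files\PhotoTool\photo.exe",
                    "src": rf"C:\Users\marketing\Pictures\IMG_{i}.jpg",
                    "dst": rf"C:\Users\marketing\Pictures\event_{i}.jpg"})
    folders = ("2023", "2024", "Invoices", "Payroll")
    for i in range(25):  # the burst: one file per second, four folders, new extension
        src = ntpath.join(r"\\fs01\Finance", folders[i % 4], f"doc{i}.xlsx")
        evs.append({"type": "file_rename", "ts": 1000 + i, "pid": 4242, "image": image,
                    "src": src, "dst": src + ".locked"})
    return evs
```

Run against `sample_events()`, the tampering detector fires twice for pid 4242 (the shadow-copy and catalog deletions) and the burst detector fires once, on the twentieth rename, while the backup agent and the photo tool stay silent. The point of the two benign processes is that a good rule keys on the combination of volume, spread across directories and extension change, not on volume alone; the shadow-copy rule is the earlier and cheaper signal, and it is the one to wire to an automatic host isolation.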
The insurance trap
Many small businesses believe cyber insurance is the safety net that makes ransomware survivable. The reality in 2025 is more complicated.
In 2024, 63% of small businesses saw their cyber insurance premiums increase by 200% or more, and 27% were unable to secure coverage at any price due to inadequate security controls.[11] Insurers have hardened their requirements significantly: organisations without MFA, without tested backups, and without a documented incident response plan are increasingly being declined or offered coverage so narrow as to be meaningless.
Of the businesses that do have coverage, 42% report that their policy compensated for only a small portion of actual damages.[12] Insurance is a financial backstop. It is not a recovery strategy. And it increasingly requires you to have the controls in place that would have helped you avoid the incident in the first place.
What most SMBs are getting wrong
The UK Government's Cyber Security Breaches Survey 2025 found that while most businesses have adopted basic controls — malware protection (77%), password policies (73%), network firewalls (72%) — more advanced measures remain strikingly underused.[2] Only 40% of businesses have two-factor authentication deployed, 31% use VPNs, and just 22% have a formal cybersecurity incident management plan.
The specific gaps that ransomware actors exploit most reliably are:
- Backups that are connected to the network. A backup drive mapped to a Windows share, or a NAS that accepts the same domain credentials the attacker has already stolen, is encrypted alongside everything else. 96% of ransomware attacks go after backup systems first; if your backups are reachable with the access the attacker already has, they are gone.[7]
- No MFA on remote access. The Change Healthcare breach — the largest healthcare data breach in US history, compromising 190 million records — came through a Citrix portal with no MFA configured. It is the same story for the Snowflake breaches that hit AT&T, Ticketmaster, and dozens of others. Remote access without MFA is an open door.
- No tested incident response plan. Only 22% of UK businesses have a formal plan.[2] The absence of a plan doesn't mean incidents don't happen — it means they take longer, cost more, and are more likely to result in the business not surviving.
- Assuming the antivirus will catch it. Modern ransomware is increasingly AI-assisted. An MIT study of 2,800 incidents in 2025 found that 80% of ransomware attacks now leverage AI tools, from deepfake voice calls to AI-generated phishing lures.[13] Signature-based antivirus never sees the lure at all, and the payload that follows is routinely rebuilt per campaign, so it frequently matches no existing signature.
Ransomware protection for UK small businesses: what actually works
Effective ransomware protection is not about any single tool. It is a set of layered controls that collectively make an attack harder to execute, faster to detect, and survivable if it succeeds. Here is where to focus:
- Implement the 3-2-1-1 backup rule, and test it. Three copies of your data, on two different media types, with one offsite and one immutable. An immutable backup cannot be altered, encrypted, or deleted during its retention period, even by an attacker holding admin credentials, provided the immutability is enforced by the storage layer (an object-lock retention policy or an append-only repository) rather than by a permission the same admin account can revoke. This is the single most important ransomware protection control for any SMB, because it is what determines whether you pay the ransom or restore from backup. Critically: test your restoration process, and time it against how long the business can afford to be offline. A backup you have never restored from is not a backup; it is a theory.[14]
- Enforce MFA on every external-facing system. RDP, VPNs, Microsoft 365, remote desktop tools, cloud storage: anything accessible from outside the office. RDP in particular should not be exposed to the internet at all, but sit behind a VPN or gateway that itself requires MFA. MFA does not stop every attack (push-fatigue prompts and adversary-in-the-middle phishing pages can defeat push notifications and SMS codes, so prefer phishing-resistant methods such as FIDO2 security keys for administrators), but it removes most of the credential-stuffing and stolen-password attacks that account for 22% of initial ransomware access.[6]
- Patch aggressively. Exploited vulnerabilities are the single largest initial access vector for ransomware at 34%.[6] Most exploited vulnerabilities have had patches available for weeks or months before attackers use them. A consistent patching cadence across operating systems, applications, network devices and firmware closes the most commonly used entry points. Prioritise anything internet-facing (VPN appliances, firewalls, file-transfer servers, remote-access portals) and anything on a published known-exploited-vulnerabilities list, because those are what the automated scanners look for first.
- Segment your network. If every device on your network can reach every other device, ransomware that enters through one endpoint can encrypt everything. Network segmentation limits lateral movement: the attacker gets in, but they cannot get everywhere. This is especially relevant for businesses with unmanaged or embedded devices (printers, NAS devices, CCTV, POS terminals) on the same network as workstations, and for any NAS that holds backups, which should accept connections from the backup server only.
- Deploy endpoint detection and response (EDR), not just antivirus. Traditional antivirus works on signatures: it recognises known malware. EDR detects behavioural anomalies: processes that should not be running, shadow-copy deletion, unusual file modification patterns, lateral movement across accounts. Given that 80% of modern ransomware attacks now involve AI-assisted tooling,[13] a signature that matched yesterday's sample says nothing about today's build; behaviour is what stays constant.
- Build and test an incident response plan. Before an attack happens, define who does what. Who declares the incident? Who calls law enforcement? Who communicates with customers? Who contacts your insurer? Who handles the technical containment? A plan that has never been rehearsed is worth very little under pressure. NCSC's free Cyber Incident Response guidance provides a solid framework for UK SMBs to start from, and its free Exercise in a Box lets you rehearse a ransomware scenario without a consultant.
- Train staff on phishing, and keep training them. Phishing accounts for 20% of ransomware initial access, and AI-generated phishing emails are now functionally indistinguishable from legitimate communications in many cases.[6] Regular, realistic simulation exercises, not just annual e-learning modules, are the only way to build genuine detection muscle memory. Research shows employees with consistent simulation-based training are 7 times less likely to fall for a phishing attack.[1]
- Consider a managed security provider if internal resource is limited. Most SMBs do not have dedicated security staff. Managed Detection and Response (MDR) services provide 24/7 monitoring, rapid containment, and expert guidance without requiring in-house security headcount. The cost of a managed service is materially lower than the cost of three weeks of downtime.
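The restore test in the backup point above, and the earlier warning about backups the attacker can reach, both come down to one question: can you prove that what you restored is what you backed up? The following is an added example, not code from the original post, of a minimal restore drill: hash every file at backup time into a manifest, keep the manifest with the immutable copy, and after a restore compare the restored tree against it. The directory layout and sample files are constructed for the illustration; the "tampered" copy simulates an attacker who reached the backup and encrypted one file, deleted another and dropped a ransom note.

```python
"""Restore drill: hash the live data at backup time, then prove a restored copy matches.
Added example, not code from the original post. Paths and sample files are constructed."""
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256.
    Store the result alongside the immutable backup copy, not on the file server."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest: missing, changed and unexpected files."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"ok": not (missing or changed or extra), "missing": missing, "changed": changed,
            "extra": extra, "verified": len(manifest) - len(missing) - len(changed)}

def run_drill():
    """Self-contained drill on constructed data: back up, restore cleanly, then verify a
    copy an attacker has tampered with. Returns both verification reports."""
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "finance"))
        os.makedirs(os.path.join(live, "hr"))
        files = {  # constructed sample data
            "finance/ledger.csv": b"date,amount\n2025-01-01,100\n",
            "finance/invoices.xlsx": bytes(range(256)) * 4,
            "hr/contracts.docx": b"PK\x03\x04 constructed placeholder",
            "notes.txt": b"kept",
        }
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        clean = verify_restore(manifest, backup)
        # Simulate an attacker reaching the backup: encrypt one file in place (overwrite
        # with random bytes), delete another, and drop a ransom note.
        tampered = os.path.join(work, "backup-tampered")
        shutil.copytree(backup, tampered)
        with open(os.path.join(tampered, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(tampered, "hr", "contracts.docx"))
        with open(os.path.join(tampered, "README_RESTORE.txt"), "wb") as f:
            f.write(b"your files are encrypted")
        return {"clean": clean, "tampered": verify_restore(manifest, tampered)}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

The clean restore verifies all four files; the tampered copy reports `finance/ledger.csv` as changed, `hr/contracts.docx` as missing and the ransom note as an unexpected extra. Two design points matter more than the hashing itself: the manifest must be written at backup time and kept with the copy the attacker cannot modify, otherwise a tampered backup simply gets a tampered manifest, and the drill must include the wall-clock time of the restore, because a backup that verifies but takes three weeks to restore still produces the three weeks of downtime this post is about.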
The UK regulatory dimension
UK businesses face specific obligations that ransomware attacks can trigger. Under UK GDPR, a personal data breach must be reported to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and a ransomware attack that encrypts or exfiltrates personal data almost certainly qualifies: the ICO treats loss of availability (personal data you cannot restore promptly) as a breach even when nothing was stolen. Given that 87% of ransomware attacks now involve data exfiltration,[8] the assumption should be that any successful attack has also resulted in a reportable breach.
Failure to notify the ICO within the required window can result in fines. More significantly, organisations that cannot demonstrate they had adequate technical and organisational measures in place face greater enforcement risk. The NCSC's Cyber Essentials scheme — which costs from £300 for self-assessed certification — provides a documented baseline of controls that demonstrates reasonable due diligence. It is also a prerequisite for many UK government contracts and is increasingly required by larger clients as supply chain security conditions tighten.
The businesses that survive aren't the luckiest — they're the most prepared.
Ransomware is no longer a background threat that occasionally makes the news when a hospital gets hit. It is an industrialised, automated, democratised criminal operation specifically targeting businesses like yours — because businesses like yours are easier to hit, faster to disrupt, and more likely to pay or fold than the enterprises that have invested in mature defences.
The number of UK businesses hit by a confirmed ransomware crime doubled in a single year. Average recovery costs more than £1.1 million excluding the ransom. Three quarters of SMBs say they would not survive an attack. And 96% of attackers go after your backups first, which means the adequacy of your ransomware protection comes down, more than anything else, to whether your backups are immutable, tested, and genuinely unreachable from the network the attacker is standing in.
Most businesses that get hit thought they were prepared. The gap between confidence and capability is where ransomware lives. Closing that gap starts with an honest audit of where you actually stand — not where you assume you do.
Sources
- Verizon, 2025 Data Breach Investigations Report (DBIR). verizon.com
- UK Government / DSIT, Cyber Security Breaches Survey 2025. gov.uk
- NCSC, Annual Review 2025. ncsc.gov.uk
- Deepstrike, Cyber Attacks on Small Businesses (2025): Rising & Costly. deepstrike.io
- Raconteur, Ransomware on the Rise: Why Mid-Market Firms Are in the Crosshairs, citing Europol IOCTA 2025. raconteur.net
- Brightdefense, 500+ Ransomware Statistics for 2026, citing Sophos State of Ransomware 2025 and Verizon DBIR 2025. brightdefense.com
- StationX, Small Business Cybersecurity Statistics and Trends 2026, citing VikingCloud and Cobalt research. stationx.net
- Programs.com, The Latest Small Business Ransomware Statistics, citing Sophos State of Ransomware 2025. programs.com
- Cigent, Ransomware Recovery Time: What You Should Expect, 2024–2025. cigent.com
- ConnectWise, SMB Cybersecurity Statistics and Trends in 2025, citing Vanson Bourne research. connectwise.com
- Spacelift, 60 Small Business Cybersecurity Statistics to Know in 2026. spacelift.io
- Spacelift, 50+ Ransomware Statistics for 2025. spacelift.io
- Varonis, Ransomware Statistics, Data, Trends, and Facts 2026, citing MIT 2025 study. varonis.com
- BizTech Magazine, To Prevent Ransomware Attacks, SMBs Need Solid Backup Strategies, November 2024. biztechmagazine.com