Ransomware remains one of the most pervasive cyber threats for small businesses. Attackers today favor modular, easy-to-deploy malware families that can be purchased or leased through ransomware-as-a-service (RaaS). Understanding which variants are most active and adopting concrete protections can drastically reduce the chance your company becomes the next victim.
Which ransomware is hitting small businesses the most?
In recent years, LockBit has emerged as one of the most prevalent ransomware families targeting organizations of all sizes, including small businesses. LockBit operates as RaaS, enabling affiliates to execute attacks, spread laterally, and demand payment. Other notable families that continue to affect small enterprises include ALPHV/BlackCat, REvil (also known as Sodinokibi) variants, and smaller commodity strains like Phobos and Medusa. The common thread among these threats is their focus on quick encryption, data exfiltration, and public shaming through leak sites. Because RaaS lowers the barrier to entry, even opportunistic criminal groups can launch effective campaigns against underprepared targets.
How attackers typically breach small business networks
Attackers commonly gain initial access through phishing emails with malicious attachments or links, exploiting unpatched VPNs or remote desktop (RDP) services, buying stolen credentials on the darknet, or leveraging vulnerable internet-facing applications. Once inside, they escalate privileges, move laterally across the network, and deploy ransomware broadly to maximize disruption and leverage in ransom negotiations.
Critical defenses every small business should deploy
1) Regular, tested backups: The single most practical mitigation is a strong backup strategy. Follow the 3-2-1 rule—three copies of your data on two different media, with one copy off-site or air-gapped. Ensure backups are immutable or write-protected where possible and test restores frequently to confirm integrity.
2) Patch management: Keep operating systems, applications, and firmware updated. Many ransomware attacks exploit known vulnerabilities for which patches already exist.
3) Multifactor authentication (MFA): Require MFA for remote access, email, VPNs, and privileged accounts to reduce risk from stolen credentials.
4) Least privilege and endpoint protection: Limit user permissions to reduce lateral movement, and deploy modern endpoint detection and response (EDR) solutions that can detect suspicious behavior, isolate compromised devices, and help with remediation.
5) Network segmentation: Segregate critical systems like file servers, accounting platforms, and backups so an attacker on one segment cannot easily access everything.
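Item 1 above asks for backups that are tested, not merely taken. The script below is an added example written for this article (it is not code from the article or from any backup vendor): it records a SHA-256 manifest of a live data tree and then checks a restored copy against that manifest, reporting files that are missing, changed, or unexpected in the restore. The directory layout, file contents and the "damaged restore" scenario in `demo_scenario()` are constructed for the demonstration; in practice you would store the manifest with the backup (ideally on the immutable copy) and run `verify_restore` against each test restore.

```python
"""Check a restored backup against a hash manifest of the original data.

Added example, not from the original article. All paths and file contents
below are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken from the live data.

    'missing'    : in the manifest but absent from the restore
    'changed'    : present but with a different digest (corrupt or encrypted)
    'unexpected' : present in the restore but not in the manifest
                   (e.g. a ransom note or attacker-dropped file backed up by mistake)
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "changed": changed, "unexpected": unexpected}


def restore_is_good(report: dict) -> bool:
    """A restore passes only when all three lists are empty."""
    return not (report["missing"] or report["changed"] or report["unexpected"])


def demo_scenario() -> tuple:
    """Constructed scenario: a live tree, a faithful restore and a damaged one.

    Returns (clean_report, damaged_report).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "accounting").mkdir(parents=True)
        (live / "accounting" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "contracts.docx").write_bytes(b"PK\x03\x04 constructed sample document")

        manifest = build_manifest(live)

        # Faithful restore: identical files at the same relative paths.
        clean = tmp / "restore_clean"
        shutil.copytree(live, clean)

        # Damaged restore: one file overwritten, one missing, one extra file.
        damaged = tmp / "restore_damaged"
        shutil.copytree(live, damaged)
        (damaged / "accounting" / "ledger.csv").write_bytes(b"\x8f\x1d\x02 unreadable bytes")
        (damaged / "contracts.docx").unlink()
        (damaged / "README_RESTORE.txt").write_text("constructed note, not real data\n")

        return verify_restore(manifest, clean), verify_restore(manifest, damaged)


if __name__ == "__main__":
    clean_report, damaged_report = demo_scenario()
    print("clean restore ok:", restore_is_good(clean_report))
    print("damaged restore ok:", restore_is_good(damaged_report), damaged_report)
```

The check is deliberately two-sided: a restore that contains extra files fails too, because a backup that silently captured an attacker's artefacts is not one you want to restore from unreviewed.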
People and processes: reducing human error
Employee training focused on phishing awareness, safe web browsing, and reporting suspicious activity is essential. Combine training with processes such as verifying payment requests via a second channel, establishing formal change control for privileged actions, and rehearsing incident response procedures. Small businesses that practice tabletop exercises and keep an up-to-date incident response plan respond faster and reduce damage.
Technical controls that make a difference
Email filtering and web proxies can stop many malicious attachments and links before they reach users. Implement application allowlisting to prevent unauthorized software execution, and use strong logging and centralized monitoring so anomalies are visible early. Disable unnecessary services such as RDP on internet-facing systems or secure them behind VPNs and conditional access policies.
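"Strong logging and centralized monitoring so anomalies are visible early" and "secure RDP" come together in one common detection: password guessing against an exposed RDP service. The script below is an added example written for this article, not code from the article or from any product. The log lines are constructed in a simplified key=value form that carries the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the addresses are documentation ranges, and the threshold and window are assumptions you would tune to your environment. It raises a medium alert when one source accumulates repeated RDP failures inside the window, and upgrades it to high when that same source then logs on successfully, which is the case to treat as a likely compromised credential.

```python
"""Detect RDP password guessing in Windows-style logon events.

Added example, not from the original article. SAMPLE_LOG is constructed;
a real deployment would feed event-log or SIEM exports into the same function.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a spray of failures from one address, then a success
# from the same address; one stray failure elsewhere; one local console logon.
SAMPLE_LOG = """\
2024-05-02T03:10:01Z EventID=4625 LogonType=10 User=administrator Source=203.0.113.45
2024-05-02T03:10:04Z EventID=4625 LogonType=10 User=admin Source=203.0.113.45
2024-05-02T03:10:09Z EventID=4625 LogonType=10 User=backup Source=203.0.113.45
2024-05-02T03:10:15Z EventID=4625 LogonType=10 User=jsmith Source=203.0.113.45
2024-05-02T03:10:22Z EventID=4625 LogonType=10 User=jsmith Source=203.0.113.45
2024-05-02T03:10:30Z EventID=4624 LogonType=10 User=jsmith Source=203.0.113.45
2024-05-02T03:11:00Z EventID=4625 LogonType=10 User=mwong Source=198.51.100.7
2024-05-02T08:00:00Z EventID=4624 LogonType=2 User=mwong Source=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5              # assumption: failures per source before alerting
WINDOW = timedelta(minutes=10)  # assumption: sliding window for those failures
RDP_LOGON_TYPE = "10"           # RemoteInteractive = RDP / Terminal Services


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(log_text: str, threshold=FAIL_THRESHOLD, window=WINDOW) -> list:
    """Return one alert dict per source address that crosses the threshold."""
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) inside the window
    alerts = {}                    # src -> alert dict
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ltype"] != RDP_LOGON_TYPE:
            continue  # ignore unparsable lines and non-RDP logon types
        src, ts = rec["src"], rec["ts"]
        if rec["event"] == "4625":
            q = failures[src]
            q.append((ts, rec["user"]))
            while q and ts - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "source": src,
                    "kind": "rdp-password-guessing",
                    "severity": "medium",
                    "failures": len(q),  # count at the moment the alert fired
                    "users_tried": sorted({user for _, user in q}),
                }
        elif rec["event"] == "4624" and src in alerts:
            # A successful RDP logon from a source already guessing passwords.
            alerts[src]["kind"] = "rdp-success-after-failures"
            alerts[src]["severity"] = "high"
            alerts[src]["compromised_user"] = rec["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

If your RDP is already only reachable through the VPN, as the paragraph recommends, a single alert of this kind is still worth reviewing: it means either the VPN is not gating it as you think or the guessing is coming from inside the network.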
What to do if ransomware strikes
First, isolate affected systems to prevent further spread—disconnect infected machines from networks and backups if necessary. Identify the scope: which files, servers, and devices are encrypted or exfiltrated. Engage a qualified cybersecurity incident response partner if you lack in-house expertise. Preserve evidence for potential law enforcement involvement and consult legal counsel about notification obligations. Avoid knee-jerk decisions; blindly paying a ransom risks funding criminal activity and does not guarantee data recovery. Where payment is considered, weigh options carefully and involve specialists who can guide negotiations and evaluate recovery prospects.
Insurance and vendor relationships
Cyber insurance can provide financial support for recovery costs, incident response, and potential ransom demands, but policies vary widely in coverage. Review your policy terms with a broker who understands cyber risk. Similarly, maintain relationships with trusted backup vendors, managed security service providers, and legal advisors so you can act quickly and confidently during an incident.
Preparing for ransomware is both technical and cultural: it requires layered defenses, disciplined operations, and regular testing. Small businesses that invest modestly in backups, patching, MFA, employee training, and an incident response plan drastically reduce the odds of a successful attack and shorten recovery time if one occurs. A proactive posture—backed by clear processes and the right external partners—transforms ransomware from an existential threat into a manageable risk that your business can face with resilience.
