Ransomware attacks against UK small and medium businesses increased by 67% between 2022 and 2024, according to the UK government’s Cyber Security Breaches Survey. Yet despite years of public guidance, improved tooling, and increasingly accessible managed security services, the majority of SMBs remain inadequately protected — not because the solutions do not exist, but because the gap between knowing what to do and actually doing it remains stubbornly wide.
This article examines why ransomware continues to find purchase in the SMB environment, which specific vulnerabilities threat actors are exploiting, and which practical controls produce the most meaningful risk reduction for organisations without dedicated security teams.
Why Ransomware Targets SMBs Disproportionately
The perception that ransomware groups focus primarily on large enterprises is outdated. Modern ransomware operations — particularly Ransomware-as-a-Service (RaaS) groups — have developed affiliate models that make targeting SMBs highly efficient. Affiliates receive a toolkit, infrastructure, and a revenue share, lowering the barrier to entry significantly. The result is a high-volume operation where SMBs are targeted in bulk rather than individually selected.
From a threat actor’s perspective, SMBs offer a compelling combination of factors: they hold valuable data, they frequently carry cyber insurance that funds ransom payments, they have weaker defences than enterprises, and their recovery options are often more limited — making them more likely to pay. The average ransom payment for UK SMBs reached £85,000 in 2024, according to Coveware’s Q4 2024 Ransomware Report, with total incident costs — including downtime, recovery, and reputational damage — frequently exceeding £250,000.
“Small businesses are not small targets. They are the preferred targets. The attack volume, the payment rates, and the defence gaps make the SMB segment the most economically attractive for modern ransomware operators.” — Coveware Q4 2024 Ransomware Report
The UK’s National Cyber Security Centre (NCSC) reported in its 2024 Annual Review that 39% of UK businesses identified a cybersecurity breach or attack in the previous twelve months — and that small businesses represented a disproportionate share of successful ransomware incidents. The data consistently points in one direction: SMBs are not a secondary consideration for ransomware actors. They are the primary market.
The Most Exploited Vulnerabilities in SMB Environments
Understanding which specific weaknesses ransomware operators exploit is essential for prioritising defensive investment. The 2024 Verizon Data Breach Investigations Report identifies three primary initial access vectors responsible for over 80% of ransomware incidents:
1. Credential-Based Attacks on Internet-Facing Services
Remote Desktop Protocol (RDP) exposure remains the single most common ransomware entry point in SMB environments. Many organisations opened RDP access during the shift to remote working and never properly secured or closed it. Threat actors use automated credential stuffing and brute-force tools to identify exposed RDP instances and gain access with stolen or guessed credentials. In environments without multi-factor authentication, a single compromised password is sufficient to establish a foothold.
Shodan and similar tools allow anyone to enumerate internet-facing RDP services within a given IP range. Ransomware affiliates routinely scan entire country-level IP allocations for exposed services, building target lists at scale. UK business IP ranges are regularly scanned — often within minutes of a new service being exposed.
2. Phishing and Malicious Email Attachments
Email remains the most reliable delivery mechanism for ransomware payloads and the malware that enables them. Modern phishing campaigns targeting SMBs are sophisticated enough to bypass standard spam filters — using compromised legitimate domains, HTML smuggling, and password-protected archives to evade detection. The Verizon DBIR notes that the median time from a phishing email being opened to credential entry is under 60 seconds, giving automated defences very little time to intervene.
Business Email Compromise is increasingly used as a precursor to ransomware deployment — attackers establish persistence through a compromised mailbox before laterally moving to deploy ransomware across the environment.
3. Unpatched Software and Vulnerabilities
Exploitation of known vulnerabilities in internet-facing software accounts for a significant proportion of ransomware incidents. SMBs frequently run unpatched versions of VPN clients, firewall management interfaces, and web applications. The gap between vulnerability disclosure and patch application in SMB environments is often measured in months rather than days — providing a substantial window for exploitation.
Notable examples include vulnerabilities in Fortinet, Citrix, and Ivanti products that were widely exploited against SMBs months after patches were available. The NCSC’s Vulnerability Intelligence service consistently shows that patch adoption in the SMB segment lags enterprise deployments by four to eight weeks on average.
Why Standard Advice Fails in Practice
The advice given to SMBs on ransomware defence is not wrong. Back up your data. Patch your systems. Use multi-factor authentication. Train your staff. It is good advice. The problem is the gap between what is recommended and what is actually implemented and maintained over time.
Three specific failure modes explain why standard advice under-delivers in practice:
Backups exist but are untested — Many SMBs have backup solutions in place, but have never tested a full restoration. A backup that has never been restored is not a reliable backup. Ransomware operators specifically target backup infrastructure, deleting or encrypting backup copies before deploying the main payload. Without immutable, off-site, or air-gapped backups that have been recently tested, a backup solution provides false confidence rather than real protection.
MFA is partial rather than universal — Organisations frequently enable MFA on email but not on VPN, remote desktop, or cloud management consoles. Threat actors specifically probe for authentication gaps, targeting the unprotected entry points. Partial MFA deployment can actually increase risk by giving organisations false assurance while leaving significant gaps unaddressed.
Patching is reactive rather than systematic — Without a managed patching process, software updates are applied inconsistently and often only when something breaks. Internet-facing services accumulate unpatched vulnerabilities over months. Without regular vulnerability scanning and a defined patching schedule, the risk profile grows continuously.
What Actually Works: Controls With Proven Impact
The NCSC’s Cyber Essentials framework — the UK government’s baseline cybersecurity certification — identifies five technical controls that address the majority of common cyber attacks, including ransomware. Independent research supports the effectiveness of these controls. IBM’s Cost of a Data Breach Report 2024 found that organisations with mature implementations of these fundamental controls experienced 40% lower incident costs than those without.
Implement MFA Universally and Enforce It via Policy
Multi-factor authentication applied universally — not selectively — eliminates credential-based attacks as a viable entry vector in the overwhelming majority of cases. Microsoft’s own telemetry shows that MFA blocks over 99.9% of account compromise attacks. The critical word is universally: MFA must be enforced on all internet-facing services, including VPN, RDP, cloud platforms, and email. Conditional access policies in Microsoft 365 and Azure AD provide the mechanism to enforce this without relying on individual users to opt in.
Maintain Immutable, Tested Backups
Effective backup against ransomware requires three elements: the 3-2-1 rule (three copies, two different media, one offsite), immutability (backups that cannot be modified or deleted by compromised accounts), and regular restoration testing. Microsoft 365 data requires specific backup solutions — the platform’s built-in retention does not constitute a backup against ransomware scenarios where data is encrypted rather than deleted.
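The three elements above can each be checked rather than assumed. The following script is an added example, not the article's or Ocean Telecom's tooling: it checks a backup-copy inventory against the 3-2-1 rule and the immutability requirement, flags an overdue restore test, and performs a real restore into a scratch directory, re-hashing every file from disk against the hash recorded at backup time. The inventory, the 90-day test policy and the backup set are constructed so that it runs offline; in practice the inventory comes from the backup platform and the restore goes onto an isolated host.

```python
"""Backup posture check: 3-2-1 coverage, immutability, and a verified restore.

Added example; not the page's or Ocean Telecom's tooling. The copy inventory,
the policy values and the backup set are constructed so the script runs
offline. In practice the inventory comes from the backup platform and the
restore is performed onto an isolated host.
"""
import hashlib
import os
import tempfile
from datetime import date, timedelta

# Constructed inventory: one entry per backup copy, with how it is protected.
BACKUP_COPIES = [
    {"location": "on-prem NAS", "media": "disk", "offsite": False, "immutable": False},
    {"location": "cloud object store", "media": "object-storage", "offsite": True, "immutable": True},
    {"location": "rotated USB drive", "media": "removable-disk", "offsite": True, "immutable": False},
]

MAX_RESTORE_TEST_AGE = timedelta(days=90)  # assumed policy: a full restore test every quarter


def check_321(copies):
    """Return the gaps against the 3-2-1 rule plus the immutability requirement."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies (need 3)")
    if len({c["media"] for c in copies}) < 2:
        gaps.append("all copies on one media type (need 2)")
    if not any(c["offsite"] for c in copies):
        gaps.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        gaps.append("no immutable copy: a compromised admin account could delete every backup")
    return gaps


def restore_test_overdue(last_tested_iso, today_iso=None):
    """True when the last full restore test is missing or older than policy allows."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    if last_tested_iso is None:
        return True
    return today - date.fromisoformat(last_tested_iso) > MAX_RESTORE_TEST_AGE


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_restore(backup_set, restore_dir):
    """Write every file in backup_set into restore_dir and re-hash it from disk.

    backup_set maps a relative path to (stored bytes, sha256 recorded when the
    backup was taken). Returns the paths whose restored content does not match.
    """
    mismatches = []
    for rel_path, (content, expected) in backup_set.items():
        target = os.path.join(restore_dir, rel_path)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(content)
        with open(target, "rb") as fh:
            if sha256_bytes(fh.read()) != expected:
                mismatches.append(rel_path)
    return sorted(mismatches)


def run_restore_test(backup_set):
    """Restore into a scratch directory, verify, and clean up."""
    with tempfile.TemporaryDirectory() as scratch:
        return verify_restore(backup_set, scratch)


if __name__ == "__main__":
    invoices = b"Q1 invoices\n"
    ledger = b"\x00" * 16  # stands in for a file that was already encrypted when the backup ran
    backup_set = {
        "finance/invoices.csv": (invoices, sha256_bytes(invoices)),
        "finance/ledger.xlsx": (ledger, sha256_bytes(b"the ledger as it should be")),
    }
    print("3-2-1 gaps:", check_321(BACKUP_COPIES) or "none")
    print("restore test overdue:", restore_test_overdue("2024-01-15", "2024-06-01"))
    print("files failing restore verification:", run_restore_test(backup_set))
```

The restore step is the part most SMBs skip: a manifest of hashes taken when the backup ran is what lets you prove a restored file is the file you expect, rather than a copy that was already encrypted or corrupted before the job started.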
Eliminate Unnecessary Internet Exposure
Conducting a regular review of internet-facing services — using tools such as Shodan or the NCSC’s free Check Your Cyber Security service — identifies exposed services that should be restricted or removed. RDP should never be exposed directly to the internet; remote access should be mediated through a VPN with MFA enforced. Every unnecessary open port is a potential entry point.
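The exposure review above and the MFA coverage point in the previous section come down to the same inventory: every service answering on your public range, and whether it should be there and how it authenticates. The script below is an added example, not the article's or Ocean Telecom's tooling. It audits a constructed inventory (what a merge of an external port scan with each service's authentication settings could look like) for services that should never face the internet, for management interfaces left reachable, and for MFA that is optional rather than enforced, and it diffs two scans to surface anything newly exposed. The port and service-kind lists are assumptions to adjust to your own estate.

```python
"""Audit internet-facing services for exposure and MFA gaps, and spot new ones.

Added example; not the page's or Ocean Telecom's tooling. The inventory is
constructed to look like a merge of an external port scan with each
service's authentication settings; the port and kind lists are assumptions
you would adjust to your own estate.
"""

# Ports that should never answer from the internet; remote access goes via VPN with MFA.
NEVER_EXPOSE = {3389: "RDP", 445: "SMB", 23: "Telnet", 5900: "VNC"}

# Service kinds that may face the internet only with MFA enforced for every account.
MFA_REQUIRED = {"vpn", "m365", "cloud-console", "webmail"}

# Constructed inventory; "mfa" is the state reported by the service's own settings.
INVENTORY = [
    {"host": "203.0.113.10", "port": 443, "kind": "vpn", "mfa": "enforced"},
    {"host": "203.0.113.10", "port": 3389, "kind": "rdp", "mfa": "none"},
    {"host": "203.0.113.12", "port": 443, "kind": "m365", "mfa": "optional"},
    {"host": "203.0.113.14", "port": 8443, "kind": "firewall-admin", "mfa": "none"},
    {"host": "203.0.113.15", "port": 443, "kind": "website", "mfa": "n/a"},
]


def audit(inventory):
    """Return (severity, service, finding) tuples for every policy violation."""
    findings = []
    for svc in inventory:
        where = f"{svc['host']}:{svc['port']} ({svc['kind']})"
        if svc["port"] in NEVER_EXPOSE:
            findings.append(("critical", where, f"{NEVER_EXPOSE[svc['port']]} exposed; move behind VPN"))
        if svc["kind"] == "firewall-admin":
            findings.append(("critical", where,
                             "management interface reachable from the internet; restrict to VPN or trusted IPs"))
        if svc["kind"] in MFA_REQUIRED and svc["mfa"] != "enforced":
            findings.append(("high", where, f"MFA is '{svc['mfa']}'; it must be enforced by policy, not opt-in"))
    return findings


def newly_exposed(previous, current):
    """Services present in the current scan but absent from the last one."""
    seen = {(s["host"], s["port"]) for s in previous}
    return [s for s in current if (s["host"], s["port"]) not in seen]


if __name__ == "__main__":
    for severity, where, text in audit(INVENTORY):
        print(f"[{severity}] {where}: {text}")
    last_month = [s for s in INVENTORY if s["kind"] != "firewall-admin"]
    for s in newly_exposed(last_month, INVENTORY):
        print(f"[new] {s['host']}:{s['port']} ({s['kind']}) was not in the previous scan")
```

Running the audit on a schedule and keeping the previous result is what turns a one-off review into the continuous visibility the article describes: the scan diff catches the service that was opened for a supplier and never closed.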
Implement a Systematic Patching Schedule
Internet-facing services should be patched within 14 days of a critical vulnerability disclosure, and within 30 days for high-severity vulnerabilities. Automated patch management tools can enforce this schedule without manual intervention. Vulnerability scanning — even using free tools such as OpenVAS — provides visibility into the current patch state of your environment.
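A patching schedule only works if someone is measuring against it. The script below is an added example, not the article's or Ocean Telecom's tooling: it applies the 14-day critical and 30-day high SLA stated above to a constructed list of internet-facing assets and reports which ones were patched in time, which breached the window, and which are still open and overdue. The advisory identifiers are placeholders, not real advisories.

```python
"""Track internet-facing assets against the patching SLA from the article:
critical within 14 days of disclosure, high within 30 days.

Added example; not the page's or Ocean Telecom's tooling. The asset list is
constructed and the advisory identifiers are placeholders, not real advisories.
"""
from datetime import date

SLA_DAYS = {"critical": 14, "high": 30}  # severities the SLA tracks; others are reported as untracked

ASSETS = [
    {"asset": "edge-firewall", "advisory": "ADVISORY-PLACEHOLDER-1", "severity": "critical",
     "disclosed": "2024-03-01", "patched": "2024-03-10"},
    {"asset": "ssl-vpn", "advisory": "ADVISORY-PLACEHOLDER-2", "severity": "critical",
     "disclosed": "2024-03-01", "patched": None},
    {"asset": "public-website", "advisory": "ADVISORY-PLACEHOLDER-3", "severity": "high",
     "disclosed": "2024-02-20", "patched": "2024-03-25"},
    {"asset": "mail-gateway", "advisory": "ADVISORY-PLACEHOLDER-4", "severity": "medium",
     "disclosed": "2024-01-05", "patched": None},
]


def days_open(asset, today_iso):
    """Days from disclosure to the patch date, or to today if still unpatched."""
    end = date.fromisoformat(asset["patched"]) if asset["patched"] else date.fromisoformat(today_iso)
    return (end - date.fromisoformat(asset["disclosed"])).days


def sla_status(asset, today_iso):
    """'met', 'breached', 'due', 'overdue' or 'untracked' for one asset."""
    limit = SLA_DAYS.get(asset["severity"])
    if limit is None:
        return "untracked"
    open_for = days_open(asset, today_iso)
    if asset["patched"]:
        return "met" if open_for <= limit else "breached"
    return "due" if open_for <= limit else "overdue"


def report(assets, today_iso):
    """Group asset names by SLA status so the overdue list can go straight to whoever patches."""
    grouped = {"met": [], "breached": [], "due": [], "overdue": [], "untracked": []}
    for asset in assets:
        grouped[sla_status(asset, today_iso)].append(asset["asset"])
    return grouped


if __name__ == "__main__":
    today = "2024-04-01"
    for asset in ASSETS:
        print(f"{asset['asset']:<16} {asset['severity']:<9} {days_open(asset, today):>3} days  "
              f"{sla_status(asset, today)}")
    print("overdue:", report(ASSETS, today)["overdue"])
```

The clock starts at disclosure, not at the date the patch was noticed, which is why the "breached" bucket matters as much as "overdue": it shows how long the window actually stayed open even for assets that were eventually patched.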
Deploy Email Security Controls Beyond Basic Spam Filtering
DMARC enforcement (p=reject), anti-phishing policies with impersonation protection, and Safe Attachments and Safe Links in Microsoft Defender for Office 365 collectively address the email-based delivery mechanisms most commonly used in ransomware campaigns. Attack simulation training, which sends realistic phishing emails to staff and provides immediate feedback when they click, has been shown to reduce click rates by 60-70% over 12 months, according to KnowBe4’s 2024 Phishing Benchmarking Report.
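"Set to enforcement, not monitoring" is a concrete property of the DMARC record, and one that is easy to get wrong during a staged rollout (a record with p=reject but pct=25, or a subdomain policy of none, is not fully enforcing). The following is an added example, not the article's or Ocean Telecom's tooling: a small evaluator that classifies a DMARC TXT record as enforcing, partial, monitoring or invalid and lists what keeps it short of full enforcement. The records in it are constructed; to check your own domain, pass in the TXT record returned by `dig txt _dmarc.yourdomain.example`. The tag defaults (pct=100, sp defaults to p) follow RFC 7489.

```python
"""Classify a DMARC record as enforcing, partial, monitoring or invalid.

Added example; not the page's or Ocean Telecom's tooling. The records below
are constructed. To check your own domain, take the TXT record returned by
`dig txt _dmarc.yourdomain.example` and pass it to evaluate_dmarc().
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (verdict, reasons).

    verdict is 'enforcing' (p=reject on all failing mail, subdomains included),
    'partial' (some enforcement but gaps), 'monitoring' (p=none) or 'invalid'.
    reasons lists what keeps the record short of full enforcement.
    """
    if not record:
        return "invalid", ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown p= tag: '{policy}'"]

    reasons = []
    pct = tags.get("pct", "100")                        # RFC 7489 default: apply policy to all failing mail
    pct_full = pct.isdigit() and int(pct) >= 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p

    if policy == "none":
        reasons.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        reasons.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    if policy != "none" and not pct_full:
        reasons.append(f"pct={pct} applies the policy to only a fraction of failing mail")
    if policy != "none" and subdomain_policy == "none":
        reasons.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in tags:
        reasons.append("no rua= address, so you will not see who is spoofing the domain")

    if policy == "none":
        verdict = "monitoring"
    elif policy == "reject" and pct_full and subdomain_policy != "none":
        verdict = "enforcing"
    else:
        verdict = "partial"
    return verdict, reasons


if __name__ == "__main__":
    samples = {  # constructed records
        "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "rollout": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.com",
        "not dmarc": "v=spf1 -all",
    }
    for label, record in samples.items():
        print(label, "->", evaluate_dmarc(record))
```

The rua= check is deliberately advisory rather than a verdict change: aggregate reports do not block anything, but without them you have no way to see who is sending mail in your name or whether legitimate senders are failing alignment.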
The Role of Managed IT Support in SMB Ransomware Defence
The controls described above are not technically complex. What they require is consistent implementation, ongoing maintenance, and regular review — which is precisely what most SMBs cannot reliably deliver in-house. A business owner managing their own IT while also running day-to-day operations will not consistently apply patches within 14 days, will not regularly test backup restorations, and will not have the visibility into their environment to know when a new service has been inadvertently exposed to the internet.
This is where a managed IT provider with genuine cybersecurity capability changes the risk profile fundamentally. A managed service provider that monitors your environment continuously, applies patches systematically, manages your Microsoft 365 security configuration, and conducts regular backup testing converts the controls described above from aspirations into operational reality. For SMBs without dedicated security staff, this is not a luxury — it is the only realistic way to achieve and maintain the baseline that Cyber Essentials represents.
The economics are straightforward: the average cost of a managed IT support contract for a 20-user SMB is a fraction of the average ransomware incident cost. The question for most SMBs is not whether they can afford managed IT support — it is whether they can afford not to have it.
Key Takeaways and Action Plan
Ransomware defence for SMBs does not require enterprise-grade tooling or a dedicated security team. It requires consistent implementation of a small number of high-impact controls, maintained over time. If you take nothing else from this article, prioritise these five actions in the order listed:
1. Audit your MFA coverage today — identify every internet-facing service and verify MFA is enforced, not optional.
2. Test your most recent backup restoration — if you cannot restore from backup within your recovery time objective, your backup strategy needs revision.
3. Run a Shodan search on your public IP range — identify any services exposed to the internet that should not be.
4. Check the patch status of your internet-facing services — prioritise VPN clients, firewall interfaces, and any publicly accessible web applications.
5. Review your email security configuration — verify DMARC is set to enforcement, not monitoring, and that anti-impersonation policies are active.
None of these steps requires a significant budget. All of them meaningfully reduce the probability of a successful ransomware attack. The organisations that complete this audit and act on the findings will be substantially harder targets than those that do not — and in an environment where ransomware affiliates are selecting targets at scale based on observable vulnerabilities, being a harder target is often sufficient.
Author Bio
This article was contributed by Ocean Telecom, a managed IT support and cybersecurity specialist based in Oswestry, Shropshire, UK. Ocean Telecom provides managed IT support, cybersecurity monitoring, Microsoft 365 management, and business telecoms to organisations across Shropshire, North Wales, and the wider UK. Visit oceantele.com for more information.