
The New Normal for Ransomware Attacks? Inside 2025’s Surge on Small and Medium Sized Businesses


Prior to 2025, ransomware groups were fewer and tended to focus on larger organizations. That’s no longer the case. This year, SMBs were squarely in the crosshairs, and the numbers tell the story. ThreatDown’s latest State of Ransomware Report shows that roughly one quarter of SMBs fell victim to an attack this year, a big jump from 18.6% in 2024. What’s driving this spike? Cybercriminals view SMBs as “low-hanging fruit” because they often have less robust security infrastructure and smaller IT budgets. Combining that with AI-powered phishing schemes, ransomware groups exploited weak or compromised endpoints and stole credentials to break into business-critical systems. For businesses with limited security budgets, these tactics have made ransomware a growing and costly threat, forcing many to rethink how they protect themselves and how they respond when the worst happens.


Over the past three years, the number of active groups using ransomware has doubled, thanks to cheap, ready-made malware and AI tools that make launching attacks easier than ever. As a result, less experienced criminals are now capable of causing more serious damage. The big players are losing their grip too: the top ten threat groups now account for only half of all attacks, down from nearly 70% before. The ways attackers break in are also shifting. Phishing still leads the pack at 46%, but Hornetsecurity reports a sharp rise in breaches through compromised devices (26%) and stolen credentials (25%). On top of that, multi-extortion tactics have become standard. Criminals will not only lock up your files; they’ll also steal your data and threaten to leak it, piling on the pressure to pay.


Yet there’s some good news in the fight against ransomware. Fewer companies are paying up. In 2025, only 13% of victims handed over a ransom, down from 16.3% the year before. Businesses are getting smarter, with stronger backups, better disaster recovery plans, and faster incident response. Coordinated international law enforcement pressure on major groups like LockBit and BlackCat is also making attackers nervous. Even when payments happen, the price tag is shrinking. Average payouts fell from about $2 million in 2024 to roughly $1 million this year. It’s a sign that ransomware groups are shifting to a “high-volume, low-demand” strategy in order to succeed.


If there’s one takeaway for SMBs in 2025, it’s that security must be about anticipation and resilience. As the cyber risk company Black Kite points out, proactive security hygiene is critical: managed detection and response (MDR), strong identity controls, and better credential management are vital to counter the surge in credential-based attacks. Investing in adaptive detection technologies, like behavioral analytics and AI-driven tools, can make a big difference when traditional defenses fall short. Education matters too. Decision-makers need better situational awareness so they can make smart security investments instead of reactive ones. Lastly, don’t overlook the value of business continuity planning. For SMBs, the financial hit from ransomware can be devastating, so the time is now to rehearse your incident response, backups, and recovery.


This year has proven two things: ransomware attacks aren’t going away, and preparation makes all the difference. The businesses that invested in strong security practices, smarter detection tools, and solid recovery plans were the ones that weathered the storm. The message for SMBs is simple. Don’t wait for an attack to expose your security weaknesses. Plan ahead, train your team, and rehearse your response, so that when disaster strikes, your security measures jump into action.
