Why UK Small Businesses Are the Number One Target for Ransomware
Ransomware attacks on UK small businesses have reached a level that the National Cyber Security Centre now describes as the most significant cybersecurity threat facing UK organisations. Yet most small business owners still think of ransomware as something that happens to hospitals, councils, or large corporations — not to a ten-person accountancy firm in Leeds or a fifteen-person logistics company in Birmingham. That assumption is dangerously wrong, and it's costing UK businesses millions of pounds every year.
Why Ransomware Targets Small Businesses Specifically
The logic is straightforward from an attacker's perspective. Large enterprises invest heavily in cybersecurity: dedicated security teams, enterprise-grade firewalls, 24/7 monitoring, incident response plans. Small businesses typically have none of these. At the same time, small businesses hold genuinely valuable data — customer records, financial information, employee data, intellectual property — and they're far more likely to pay a ransom quickly to restore operations because they can't afford extended downtime.
According to the NCSC's Cyber Security Breaches Survey 2024, 50% of UK businesses experienced some form of cyber incident in the previous 12 months. Small businesses were disproportionately represented among those that suffered significant financial or operational impact. Many reported that they had not believed they were a likely target before the attack occurred.
The economics of targeting small businesses
Ransomware has become a volume business. Criminal groups use automated tools to scan the internet for vulnerable systems, deploy ransomware at scale, and collect relatively modest ransoms — typically £2,000 to £20,000 for a small business — from thousands of victims simultaneously. The individual ransom demand is set low enough that paying feels easier than the alternative, but high enough to be highly profitable at volume. You don't need to be an attractive individual target — you just need to be vulnerable.
How Ransomware Actually Gets In
Understanding the entry points helps you understand why certain defences matter more than others.
Phishing emails
The majority of ransomware infections begin with a phishing email — a message designed to trick an employee into clicking a malicious link or opening an infected attachment. These emails have become increasingly convincing, often impersonating HMRC, Companies House, a supplier, or even a colleague. A single employee clicking a single link is enough to deploy ransomware across an entire network within minutes.
Exposed Remote Desktop Protocol (RDP)
Remote Desktop Protocol allows you to connect to a computer remotely. Many small businesses have RDP enabled on their servers or workstations for convenience, often accessible directly from the internet. Attackers scan constantly for exposed RDP services and use automated tools to try common username and password combinations. Without multi-factor authentication and IP restrictions, an exposed RDP port is effectively an open door. Our post on multi-factor authentication covers why MFA is so critical for services like this.
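The password-guessing pattern described above, as an added example that is not part of the original post: a Python check that reads constructed Windows Security event records (event 4625 is a failed logon, 4624 a successful one, logon type 10 an RDP session) and flags any source address that fails repeatedly inside a short window, noting whether a success followed. The CSV export shape, the sample addresses and user names, and the five-failures-in-ten-minutes threshold are assumptions for illustration.

```python
"""Flag RDP password guessing in exported Windows Security events.
4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
A burst of 4625s from one address followed by a 4624 is the pattern an
exposed RDP service without MFA or IP restrictions produces under guessing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,EventID,LogonType,TargetUserName,IpAddress
SAMPLE_EVENTS = """\
2024-03-04T02:10:01,4625,10,administrator,203.0.113.45
2024-03-04T02:10:03,4625,10,admin,203.0.113.45
2024-03-04T02:10:04,4625,10,backup,203.0.113.45
2024-03-04T02:10:06,4625,10,administrator,203.0.113.45
2024-03-04T02:10:09,4625,10,jsmith,203.0.113.45
2024-03-04T02:10:12,4624,10,jsmith,203.0.113.45
2024-03-04T08:30:00,4625,10,jsmith,192.168.1.20
2024-03-04T08:30:15,4624,10,jsmith,192.168.1.20
2024-03-04T09:00:00,4625,2,jsmith,127.0.0.1
"""

def parse_events(text):
    """Parse the CSV-style export into (time, event_id, logon_type, user, ip)."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), user, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "success_after": bool}} for suspicious IPs."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, user, ip in events:
        if logon_type == 10:  # keep only RDP (RemoteInteractive) logons
            by_ip[ip].append((ts, event_id, user))
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        failures = [ts for ts, eid, _ in recs if eid == 4625]
        # Sliding window: did `threshold` failures land inside `window`?
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                last_fail = failures[i + threshold - 1]
                # A success after the burst suggests a guessed credential.
                hit = any(e == 4624 and t > last_fail for t, e, _ in recs)
                alerts[ip] = {"failures": len(failures), "success_after": hit}
                break
    return alerts
```

The single failed logon from the internal address and the console (logon type 2) failure are left alone; only the burst from the external address, which then succeeds, is raised.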
Unpatched software
Software vulnerabilities — in operating systems, browsers, and business applications — are discovered and exploited regularly. Microsoft, Adobe, and other vendors release patches to address these vulnerabilities, but only if someone is applying them. Many small business IT environments have servers or workstations running software that hasn't been patched for months or years. Every unpatched system is a potential entry point.
What Happens When Ransomware Strikes
The sequence is fast and destructive. Once ransomware executes on a single device, it typically moves laterally across the network — identifying shared drives, backup systems, and connected devices — before encrypting everything simultaneously. The encryption happens in minutes. By the time anyone notices something is wrong, the damage is often complete.
The ransom demand arrives as a text file on the desktop or as a changed desktop background: pay a specified amount in cryptocurrency within a defined timeframe, or the decryption key is deleted permanently. Some ransomware groups also exfiltrate data before encrypting it, threatening to publish sensitive business or customer data publicly if the ransom isn't paid — a tactic known as "double extortion."
Recovery without paying is possible only if you have clean, tested backups that the ransomware hasn't also encrypted. Many businesses discover at this point that their backups were either incomplete, outdated, or also affected by the attack.
How to Reduce Your Risk
The NCSC's Cyber Essentials scheme identifies five technical controls that, if properly implemented, protect against the majority of common cyberattacks including ransomware:
- Firewalls — properly configured to block unnecessary inbound connections
- Secure configuration — removing default passwords, disabling unused services
- Access control — ensuring users only have the access they need
- Malware protection — up-to-date endpoint security on all devices
- Patch management — applying security updates promptly across all systems
Beyond Cyber Essentials, tested offline or immutable backups are the single most important additional control. If ransomware can't reach your backups, you can recover without paying. Lasetech provides cybersecurity monitoring and managed backup services that address these controls as part of a managed IT support arrangement — meaning the fundamentals are covered continuously, not just at point-in-time reviews.
Frequently Asked Questions
Should a small business pay a ransomware demand?
The NCSC and the UK government advise against paying ransoms. Payment funds criminal organisations, does not guarantee that decryption keys will work, and marks your business as one willing to pay — which can make you a target for repeat attacks. If you have clean backups, recovery without paying is often faster than waiting for a decryption key. If you don't have backups, the situation is more difficult, which is why prevention and backup testing are so critical.
Does cyber insurance cover ransomware attacks?
Many UK business cyber insurance policies cover ransomware, including ransom payments, recovery costs, and business interruption losses. However, insurers are increasingly requiring evidence of basic security controls before issuing policies, and claims may be denied if the breach resulted from a failure to apply patches or implement basic controls. Check your policy carefully and discuss requirements with your insurer or IT provider.
How long does it take to recover from a ransomware attack?
Recovery time varies enormously depending on the scale of the attack and the quality of your backups. Businesses with recent, tested, offline backups may be able to restore operations within one to three days. Businesses without adequate backups can face weeks of partial operation or complete data loss. The NCSC provides ransomware guidance with steps to follow if you're affected.
What is Cyber Essentials and is it worth getting?
Cyber Essentials is a UK government-backed certification scheme that verifies your business has implemented five fundamental security controls. It costs from around £300 for the basic self-assessed certification and provides a genuine baseline of protection. It's also required by some government contracts and increasingly requested by larger clients as a supply chain security requirement. For most UK small businesses, it's both achievable and worthwhile.