Imagine it’s a regular Tuesday. You open your laptop, pour a coffee, and prepare to go through your emails. But instead, your screen freezes. You’re locked out of everything: files, emails, systems, all inaccessible. A message appears. Your data has been encrypted. If you want it back, you’ll need to pay a ransom. The demand? £1 million. And the clock is ticking. You’ve got 72 hours to decide.
This scenario isn’t pulled from a Hollywood thriller. It’s a daily reality for businesses of all sizes, particularly those who think they’ll fly under the radar. Attacks like this are no longer rare or confined to massive corporations. Increasingly, it’s small and mid-sized companies that are being targeted. And the perpetrators? These aren’t lone-wolf hackers operating out of basements. They’re organised, globally connected criminal enterprises operating with purpose and precision.
Welcome to the business of ransomware.
Ransomware Gangs are Running Multi-Million Pound Operations
Most people still picture cybercriminals as shadowy figures behind screens, antisocial, anonymous, disorganised. But that image is outdated. Today’s ransomware operations are remarkably structured. Some might even resemble the businesses they target.
These groups run like startups. They have hierarchies, departments, project managers, and even their own internal tools for tracking successful attacks and payment follow-ups. In some cases, their logistics rival small tech businesses, complete with front-line “support” for victims who need help understanding how to pay the ransom in cryptocurrency.
Much of this is enabled by a growing trend called ransomware-as-a-service (RaaS). Think of it like a franchise model. A core group will develop and maintain the ransomware, the product, and then lease it out to other criminals, who carry out the attacks. In return, they share a cut of the profits. It’s scalable, profitable, and frighteningly efficient.
This method dramatically lowers the barrier to entry. You no longer need technical chops to launch a sophisticated attack, you just need access to the right tools, most of which are available on the dark web for a price. It’s cybercrime at scale, and revenues for some of these groups are estimated in the tens, if not hundreds, of millions.
In fact, global losses from ransomware attacks increase every year, and analysts warn that this trend is likely to continue.
The Famous Names No One Wants to Meet
There are several ransomware groups making headlines across the cybersecurity world, and many SMBs have never heard of them until it’s too late. Let’s highlight some of the most dangerous players on the field right now:
LockBit: Despite massive takedown efforts, LockBit continues to dominate the ransomware space. Its latest version, LockBit 3.0, is highly advanced, making detection and removal incredibly difficult. They were responsible for the infamous compromise of Royal Mail, initially demanding £65.7 million before settling on £33 million, causing weeks of disruption.
RansomHub: A rising force known for double extortion tactics. Once in, they don’t just lock up your data, they threaten to publish it online if you don’t pay. In August 2024, they hit Halliburton, part of the oil and gas sector, showing just how bold and wide-reaching their sights are.
PLAY: This group targets critical infrastructure: governments, financial institutions, healthcare. They’re known for meticulous planning and exploiting common remote access vulnerabilities. One of their largest attacks knocked out a municipal government’s infrastructure in South America for weeks.
Hunters International: Thought to be a successor of Hive, this group is exceptionally patient. They’ll sit inside systems for months before triggering encryption. That extra time lets them identify and extract the most sensitive data for maximum leverage.
Akira: With over 250 organisations affected, Akira has built a reputation for fast, aggressive action. They thrive on weaker systems, preying on industries from education and health to tech.
And that’s just the mainstream names. Behind them are countless others. Groups like Medusa, Qilin, 8Base, and Rhysida are emerging rapidly, constantly adapting their methods and evading detection. It’s a dynamic underworld where alliances shift, names change, and techniques evolve, sometimes overnight.
Why Are They So Effective?
Ransomware works because attackers understand their targets’ weaknesses, and exploit the basics. Let’s break it down.
First, there’s the method of entry. Most groups still rely on some well-worn tactics:
- Phishing emails tailored to deceive just one inattentive employee.
- Unpatched vulnerabilities in widely used software.
- Stolen or leaked credentials available for sale on the dark web.
- Misconfigured remote access tools or legacy systems left exposed online.
Once inside, cybercriminals don’t move fast. On average, they lurk undetected in systems for days or even weeks. This “dwell time” allows them to map out the network, identify critical systems, and establish control. When they strike, it’s devastating and well-timed, usually when staff are least equipped to respond, like around public holidays or weekends.
Then comes the extortion. Modern gangs don’t just lock your files, they double extort, threatening to leak sensitive client data or financials. Some move to triple extortion, contacting your suppliers and customers or launching attacks like DDoS to increase pressure.
It’s a strategy designed to force a decision: pay quickly or face growing reputational and operational damage.
The Myth That You’re “Too Small” To Be Targeted
If you think cybercriminals only go after household names, think again. The reality is chilling: small and mid-sized businesses are now the prime targets.
Why? Because they tend to lack dedicated cybersecurity staff, may rely on default or legacy settings, and sometimes have no formal incident response plan. That makes them statistically “easier wins.”
And ransomware groups know this. Many use automated tools that scan the internet for exposed servers, outdated software, and poorly secured devices. If your business ticks those boxes, you could end up on a hit list, no matter your size.
According to recent studies, over 60% of ransomware incidents now affect businesses with under 200 employees (based on industry surveys from small business cyber threat reports). The scale, industry, or location of a business no longer offers protection.
So What Can You Actually Do?
Here’s the good news. While the threat is real, the solutions don’t have to be complicated. You don’t need in-house cyber specialists or a seven-figure IT budget. You just need someone who does this day in, day out, a managed service provider (MSP).
A strong MSP acts like a built-in line of defence:
- Backups that actually work: Many businesses keep backups, but few test them properly. MSPs ensure backups are not only recent, but also validated and securely stored offline or in ransomware-resilient formats.
- Continuous patching: Cybercriminals thrive on old vulnerabilities. MSPs ensure updates happen as needed, minimising exposure.
- Real-time threat monitoring: Around-the-clock eyes on your environment can spot the subtle signals that precede an attack.
- Recovery and response support: If an attack unfolds, you’re not alone. MSPs help contain and clean up the breach, and work on getting your business back online, without panicking or paying.
Think of managed security less like insurance and more like having a fire marshal on staff. If all goes well, you may never notice their daily work. But when flames appear, you’ll be thankful they’re there.
Know Your Enemy, Guard Your Business
Ransomware is changing the game. It’s structured, professional, and geared for profit. These aren’t pranksters looking for bragging rights, they’re global cybercrime syndicates with spreadsheets, budgets, and paydays to hit.
But knowledge is power. By understanding how these groups operate, what they look for, and how they attempt to gain entry, you take the first step toward building a resilient business.
For small and mid-sized companies, cybersecurity doesn’t have to be overwhelming. With the right help, namely an MSP that understands the landscape, you can drastically reduce your risk, stay compliant, and keep your teams focused on moving the business forward.
Don’t wait until you’re staring at a ransomware screen to take action. Build your defences now.