There’s a new trend in cybersecurity in recent years: Hackers’ ransomware profits are falling, but the number of attacks is increasing. Much like a virus, ransomware groups are simply reacting to changes in the cybersecurity environment and evolving accordingly.

Larger organizations are opting not to pay ransoms at all, so hackers are targeting smaller businesses with smaller ransoms to make up the shortfall. The ransomware itself is also evolving to breach stronger cybersecurity defenses.

While large corporations might actually benefit from these changes, small- and medium-sized businesses stand to lose big. If you’re running an SMB, you might have already noticed an uptick in phishing attempts or other suspicious activity at the edges of your company. The latest data explains why.

How ransomware works

Ransomware is a type of malware that hackers use to lock access to data, systems, and networks. They then demand a ransom payment from the owners in return for unlocking access. It’s typically distributed through email attachments, text messages, and websites, but creative hackers have even used job interviews and propositions via Signal to try to deploy ransomware.

Governments don’t recommend paying ransoms and can actually punish businesses for doing so. For example, both the UK government and the US government place financial sanctions on ransomware attackers, and payments made to them can result in fines or jail time.

To see the full ransomware landscape, we need to understand how organizations of different sizes are being targeted. This is one of the reasons we launched our Data Breach Observatory.

Businesses of all sizes are affected by ransomware, but in recent years trends show that ransomware groups are focusing less on targeting large organizations for large payouts and more on smaller businesses for smaller payouts. So, what can we infer from research exploring these trends?

The state of ransomware in 2025

Cybersecurity-as-a-Service firm Sophos releases an annual report investigating the reality of ransomware. According to the 2025 Sophos State of Ransomware report:

  • The average (median) ransom demand has dropped by one-third (34%) over the last year, coming in at $1,324,439 in 2025 compared to $2 million in 2024.
  • The average (median) ransom payment has fallen by 50% in the last year, down from $2 million in 2024 to $1 million in 2025.
  • The primary factor behind this drop is a reduction in the percentage of ransom payments of $5 million or more, down from 31% of payments in 2024 to 20% in 2025.
  • For the third year running, victims identified exploited cybersecurity vulnerabilities as the most common technical root cause of attack, used in 32% of incidents.

The value of individual payments has decreased dramatically. We can attribute this to several factors. Larger businesses are more invested in organizational cybersecurity and more aware of potential threats than in the past, helping them evade more attacks. Larger businesses are also more aware that authorities recommend not bargaining with hackers or paying ransoms, and that this can in fact be illegal. Data encryption and backups are also becoming more commonplace for organizations of all sizes, reducing the risk of data loss and decreasing the motivation to pay a ransom.

For example, Australian airline Qantas did not pay a ransom or negotiate when it was targeted by the collective Scattered Lapsus$ Hunters, leading to a data breach affecting 5.7 million Qantas customers. The Australian government maintains that this was the correct action and has not commented on a potential fine for the data breach.

To make up for the losses from failed attacks like the one on Qantas, ransomware groups are targeting small businesses more frequently but demanding less. SMBs are less likely to have adequate defenses and more likely to capitulate because their financial circumstances tend to be more fragile. One Verizon report suggests ransomware represents 88% of cybersecurity attacks on SMBs, versus just 39% for large companies.

How to protect your small business against ransomware

Ransomware protection doesn’t have to be expensive for SMBs — with the right tools and the right preparations, any business can protect itself effectively.

Be prepared

No business is too small to be interesting to cybercriminals. Even if your business has four clients and two employees, you’re still creating sensitive data that is valuable to hackers. SMBs are less likely to have the resources for a full-time cybersecurity expert, so educating every employee helps make your organization’s cybersecurity a team effort. Some of your best tools against falling prey to a ransomware group include:

  • Educating team members about ransomware attacks to eliminate risks such as clicking suspicious links in emails or failing to spot a spoofed email.
  • Creating an incident response plan, which helps your organization understand exactly what data you have, where it’s stored, and what security measures you’re putting in place to keep it safe.
  • Creating a culture of transparency and openness, so team members feel comfortable asking questions about cybersecurity and flagging potential risks.
  • Employing threat detection and network monitoring on your business network to identify suspicious login attempts, and enabling two-factor authentication.

Find the right tools

It can be difficult to see the value in proactive measures against ransomware, especially when it comes to ROI, but remember: prevention is more affordable than paying to recover after a breach. Secure day-to-day tools can be cost-effective while still protecting your business:

  • A secure password manager keeps your business’s passwords encrypted, ensuring that they can’t be exfiltrated by hackers. It also allows for safe sharing of passwords where necessary without compromising security.
  • Robust anti-phishing and anti-malware protection for your email provider can prevent your team members from even receiving dangerous emails.
  • An encrypted drive is the safest place for all of your business data. Choosing an easy-to-use solution that team members can use safely from any device and any location greatly reduces the risk of unauthorized access. You can also use encrypted cloud storage for backups, rendering ransomware attacks powerless.
  • Having team members use a VPN to access your business network greatly improves access controls and protects against malware and man-in-the-middle attacks.

Expect ransomware attacks

As an SMB, you might assume your organization is too small to be of interest for a ransomware attack. In fact, you’re very likely to be targeted precisely because you’re an SMB. Even if hackers receive a smaller payout, a lack of infrastructure and resources makes an attack far more likely to succeed. To maximize your business’s chances of surviving a ransomware attack, you need to have the right contingencies in place. It’s safer to make plans for an attack that doesn’t happen than to fail to plan for one that does.

  • Back up your key systems and storage regularly. In the event that you lose access, recovering from a backup greatly reduces your downtime.
  • Segment your network so you can shut off access faster if a hacker does manage to breach it.
  • Use zero-trust principles to ensure that every team member only has access to the data they need and no more.
  • Keep apps updated to reduce your exposure to exploits, including zero-days; as noted above, exploited vulnerabilities remain the most common technical root cause of attacks.