1. A Typical Monday Morning in 2026
A 14-person personal injury law firm opens for business at 9 AM. The paralegal tries to access the client database. Permission denied. She calls IT — which is actually just the office manager who handles the router. He can't log in either. The file server is showing a ransom note: a .txt file named READ_ME_NOW.txt, demanding $95,000 in Bitcoin within 72 hours or client files go public. Three years of case documents, settlement records, and medical histories. Gone.
This is not a hypothetical. INC Ransom group alone claimed 20+ law firms in the first four months of 2026. Personal injury firms were specifically targeted in a 2026 campaign documented by Halcyon, which tracked 200+ ransomware incidents against legal services organizations between 2025 and early 2026. The reason law firms are targeted isn't random — it's the combination of sensitive data, regulatory pressure to resolve incidents fast, and the understanding that protecting attorney-client privilege often matters more to a firm than the actual ransom amount.
Dental practices, accounting firms, and logistics companies are in the same category. Healthcare saw 636 ransomware attacks in 2025 alone, with smaller providers accounting for 26% of those incidents. A patient management system locked down by ransomware in a 2026 incident had an owner who said something that's become almost cliché in incident reports: "I thought we were too small for hackers to notice."
2. Who Gets Hit: The Target Distribution
The shift toward SMB targeting has been building since 2022 but accelerated sharply after law enforcement operations disrupted several large ransomware groups in 2024. The groups that survived and the new ones that emerged focused heavily on volume — targeting dozens of smaller organizations instead of spending months infiltrating one enterprise.
The 42% figure for businesses under 50 employees is striking. This is the category that includes your accountant, your dentist, a three-location restaurant chain, a regional logistics broker. Organizations that almost certainly don't have a full-time IT person, let alone a security team.
What's changed in 2026 is the scale of automation. Attackers use scanning tools to continuously probe the internet for vulnerable systems across millions of IP addresses simultaneously. When a scan hits an exposed service — an old VPN endpoint, a misconfigured remote desktop, an unpatched CMS — it flags it automatically. A human attacker then picks up the lead and initiates targeted intrusion. The economics only work because the initial scanning costs essentially nothing. Your company's exposure becomes a discovered lead before anyone from the outside has even looked at your company specifically.
3. The Groups Behind the Attacks
The ransomware landscape in 2026 is more fragmented than it was in 2023. The major operations — LockBit, ALPHV/BlackCat — were disrupted by law enforcement, but they either reconstituted or spawned successor groups. Here are the four groups most actively targeting smaller organizations right now:
What these groups share is a Ransomware-as-a-Service (RaaS) model. The core developers build and maintain the malware. Affiliates — essentially independent contractors — carry out the attacks and split the ransom revenue, typically 70/30 or 80/20 in favor of the affiliate. This model explains why the volume of attacks can scale so rapidly: you don't need more developers, you need more affiliates, and affiliates are attracted to easy targets. SMBs are easy targets.
4. The Three Gaps That Make SMBs Vulnerable
If you ask a ransomware affiliate why they targeted a particular company, the honest answer would rarely be "because they had interesting data." It's almost always a variant of: "because getting in was easy." The three conditions that create "easy" keep appearing across incident reports.
Gap 1: No one is watching at 2 AM
Enterprise security operations centers run 24/7. When a threat detection system fires an alert at 2:14 AM — unusual SMB connections between hosts that don't normally talk, a new administrative account created outside business hours, 40GB of outbound traffic to an unknown IP — someone responds. In one documented 2026 incident, an 800-location retail chain detected and contained a ransomware attack in 1 hour and 47 minutes because an automated system triggered an alert and a human picked it up immediately.
Most SMBs have no equivalent. The person who would investigate an anomaly is asleep. If the company has a logging system at all, the logs accumulate unreviewed. Attackers know this rhythm — they frequently trigger final payloads between 1 AM and 4 AM on weekday mornings, after spending days or weeks being methodical during business hours.
Gap 2: Unknown attack surface
Enterprise security teams maintain asset inventories. They know every public-facing system, every IP range, every exposed service. They run scheduled vulnerability scans and get weekly reports on what's changed.
Most SMBs don't know what's exposed. Not because they're negligent — because nobody told them this was something they needed to know. A remote desktop endpoint left open after a COVID-era work-from-home setup. A subdomain running an old WordPress install that nobody maintains. An S3 bucket set to public during a developer test three years ago and never locked down. API keys in a JavaScript file that's been cached by Shodan. These are real attack entry points that companies discover not through proactive scanning, but during post-incident forensics — after the damage is done.
Gap 3: The double extortion problem
The old model was: encrypt everything, demand ransom, restore backups if you don't pay. Most reasonable organizations responded to this by maintaining good backups. So attackers added a second layer: steal first, encrypt second. Now even if you restore from backup within hours, the attacker still has your client data, your financial records, your employee files. They'll publish it unless you pay. Backup discipline no longer neutralizes the threat — it only removes one dimension of it.
5. The 5-Day Attack Window
The median time from initial compromise to ransomware execution dropped from 14 days (2023) to just 5 days in 2025. Attackers have sped up. They've automated more of the internal reconnaissance. The window to catch them before they detonate is narrowing fast.
Here's what those five days typically look like:
The attacker gets in. You don't notice.
Entry is typically via one of four routes: a phishing email that captures credentials, an exploited vulnerability on a public-facing service, a compromised VPN credential purchased on a dark web marketplace, or brute-forced RDP. At this stage nothing is encrypted or deleted. The foothold is silent.
- Most common entry: phishing (33%), exploited public service (28%), stolen credentials (24%)
- Phishing emails increasingly bypass standard filters using QR codes or legitimate file hosting
Mapping your network. Finding the crown jewels.
The attacker uses native Windows tools — PowerShell, WMI, net commands — to avoid triggering antivirus. They map which machines exist, which accounts have admin rights, where the file server is, whether backups are network-accessible. BloodHound is commonly used to automatically map Active Directory privilege paths. This phase looks like normal admin traffic unless someone is specifically looking for it.
They go admin. Then they take everything before breaking it.
Domain administrator access is achieved, usually by exploiting a vulnerability or harvesting a privileged credential. Once at this level, the attacker accesses backup systems and either deletes them or disconnects them from the network. Sensitive data — client lists, financial records, HR files — is uploaded to an attacker-controlled server. This is the step that makes backup restoration insufficient as a solo defense.
2 AM. Everything stops.
The ransomware payload deploys across every accessible system simultaneously — workstations, file servers, cloud-synced drives. Encryption typically takes 30 minutes to a few hours depending on data volume. The ransom note appears. This is the first visible sign that something happened — but the real damage (data theft, backup deletion) was done days ago. Paying the ransom at this point only gets you a decryption key, not your data back from their servers.
The implication most organizations miss: By the time you see the ransom note, you're negotiating. The moment to act was during days 1–4, when the attacker was visible only as anomalous network behavior — if anyone had been looking. This is why prevention and detection matter more than response plans for most SMBs.
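What "someone looking" during days 1–4 could mean in practice, as an added example that is not from the original article: a small detector run over constructed log lines for the three signals Gap 1 names (a privileged account created after hours, a large outbound transfer to an unfamiliar IP, and SMB traffic between hosts with no daytime baseline). The log format, host names, addresses, business-hours window and size threshold are all assumptions made for the example.

```python
"""Added example (not from the original article): a minimal detector for the three
early-warning signals Gap 1 and the 5-day timeline describe. Log format, host
names, thresholds and the sample lines are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2026-03-02T10:12:03 smb src=ws-01 dst=fs-01
2026-03-02T10:14:44 smb src=ws-02 dst=fs-01
2026-03-03T09:30:10 smb src=ws-01 dst=fs-01
2026-03-04T02:14:09 account_created user=svc_backup2 privileged=true
2026-03-04T02:20:31 smb src=ws-01 dst=ws-02
2026-03-04T02:45:00 outbound src=fs-01 dst_ip=203.0.113.50 bytes=42949672960
2026-03-04T11:02:00 outbound src=ws-01 dst_ip=198.51.100.7 bytes=10485760
"""

BUSINESS_HOURS = range(8, 19)           # 08:00-18:59 local time (assumption)
OUTBOUND_THRESHOLD = 10 * 1024 ** 3     # flag a single flow of 10 GiB or more
KNOWN_DESTINATIONS = {"198.51.100.7"}   # constructed allow-list, e.g. the backup provider

def parse(line):
    """Split one log line into (timestamp, event name, key/value fields)."""
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)

def detect(log_text):
    """Return [(timestamp, reason)] for every line that matches one of the three rules."""
    alerts = []
    smb_baseline = defaultdict(int)     # (src, dst) pairs seen during business hours
    for line in log_text.splitlines():
        ts, event, f = parse(line)
        after_hours = ts.hour not in BUSINESS_HOURS
        if event == "account_created" and f.get("privileged") == "true" and after_hours:
            alerts.append((ts, f"privileged account {f['user']} created at {ts:%H:%M}"))
        elif event == "outbound":
            size = int(f["bytes"])
            if size >= OUTBOUND_THRESHOLD and f["dst_ip"] not in KNOWN_DESTINATIONS:
                alerts.append((ts, f"{size / 1024 ** 3:.0f} GiB from {f['src']} to unknown IP {f['dst_ip']}"))
        elif event == "smb":
            pair = (f["src"], f["dst"])
            if not after_hours:
                smb_baseline[pair] += 1  # learn which hosts normally talk to each other
            elif smb_baseline[pair] == 0:
                alerts.append((ts, f"after-hours SMB between {pair[0]} and {pair[1]} with no daytime baseline"))
    return alerts

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} ALERT {reason}")
```

The baseline is learned only from earlier business-hours lines, so the rules are order-dependent and a real deployment would seed it from weeks of history rather than a single day.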
6. What a Ransomware Attack Actually Costs
Media coverage focuses on ransom amounts. The actual cost is almost always larger than the ransom, and often larger than the organization expects. Here's where the money goes:
The Mastercard survey finding that 1 in 5 SMBs that suffer a cyberattack go bankrupt or close isn't dramatic language β it tracks with the cost structure above. For a 20-person professional services firm billing $1.5M/year, a $350,000 total incident cost plus 30% client attrition is genuinely existential.
7. Twelve Exposure Points Most SMBs Can't See
The following are not theoretical vulnerabilities. These are the specific conditions that appear most frequently in SMB breach incident reports — the entry points that attackers find before the company does, because attackers run automated scans continuously and most companies never scan at all.
Common SMB attack surface exposures — check how many apply to you
How many of the above can you answer with confidence right now? If the honest answer is "I don't know" for more than two or three of them, you have an attack surface that's essentially unmapped — which is exactly the condition attackers scan for at scale.
8. The Honest Takeaway
Here's what security vendors rarely say plainly: you cannot make your organization completely unattackable. The threat landscape is too dynamic, the attack surface too broad, and the resources available to a 20-person company too limited to achieve perfect security.
What you can achieve — and what actually shifts the equation — is making your organization a significantly harder target than average. Attackers operate on economics. When they scan a block of IP ranges and your exposed services come back clean, your SSL grades good, your email authentication intact, and your credentials absent from breach databases, they move to the next target. Most SMBs are not being targeted because someone specifically wants their data. They're being targeted because a scan found an open door.
The question worth asking: If an attacker ran a reconnaissance scan against your company's domain right now — the same scan that Shodan, Censys, and every serious threat actor runs continuously — what would they find? If you don't know the answer to that, you don't know your risk. And neither does your insurer, your clients, or your board.
Regular external scanning — running those scans against yourself before anyone else does — is the baseline capability that closes the information asymmetry. It's not a guarantee. It's the difference between knowing your exposure and not knowing. That distinction, at the moment a criminal is deciding which company on a list is worth pursuing, is frequently the one that matters.
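One of the self-checks the closing section names (email authentication) written out, as an added example that is not code from the article or its vendor: grading a domain's SPF and DMARC records the way a receiving mail server reads them. The record strings below are constructed; the real ones are the domain's DNS TXT records, which the script assumes you have already fetched.

```python
"""Added example, not part of the original article: grading the SPF and DMARC
records that an external self-check of email authentication inspects. The two
records below are constructed; in practice they come from DNS TXT lookups."""

SPF_SAMPLE = "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 ~all"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def grade_spf(record):
    """Return (score 0-2, note). The trailing 'all' qualifier decides what happens to spoofed senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, "no valid SPF record: any host may send as this domain"
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term.startswith(("+", "?")) or all_term == "all":
        return 0, "SPF ends without -all/~all: unlisted senders are accepted"
    if all_term.startswith("~"):
        return 1, "SPF uses ~all (softfail): spoofed mail is marked, not rejected"
    return 2, "SPF uses -all (hard fail)"

def parse_dmarc(record):
    """Turn 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def grade_dmarc(record):
    """Return (score 0-2, note) based on the policy tag p= and the sampling rate pct=."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return 0, "no DMARC record: receivers get no policy for mail failing SPF/DKIM"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return 0, "DMARC p=none: monitoring only, spoofed mail is still delivered"
    if policy == "quarantine" or pct < 100:
        return 1, f"DMARC p={policy} pct={pct}: partial enforcement"
    return 2, "DMARC p=reject at pct=100"

def email_auth_posture(spf, dmarc):
    """Combine both grades; 4 of 4 means spoofed mail should be rejected outright."""
    s, spf_note = grade_spf(spf)
    d, dmarc_note = grade_dmarc(dmarc)
    return {"score": s + d, "max": 4, "findings": [spf_note, dmarc_note]}

if __name__ == "__main__":
    print(email_auth_posture(SPF_SAMPLE, DMARC_SAMPLE))
```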
Sources & References
- Verizon Data Breach Investigations Report 2025 — SMB breach statistics, ransomware prevalence (44% of confirmed breaches)
- Huntress, "Ransomware Statistics 2026: Attack Trends & Business Impact" — target distribution by organization size
- Mastercard SMB Cybersecurity Survey 2025 (5,000+ SMB owners) — 1 in 5 SMBs that suffer an attack go bankrupt or close
- Industrial Cyber, "Ransomware sector reconsolidating as Qilin, LockBit, and The Gentlemen expand influence in Q1 2026" — Q1 2026 victim attribution
- Ransom-DB, "Cl0p Ransomware Group Analysis 2026" — 22 attacks on February 1, 2026; CVE-2025-61882 exploitation
- Halcyon, "INC Ransom Group Mounts Rapid Campaign Against Law Firms" — 200+ legal sector ransomware incidents tracked 2025–2026
- Comparitech, "Healthcare ransomware roundup Q1 2026" — 636 healthcare ransomware attacks in 2025
- Sophos, "State of Ransomware 2025" — median intrusion-to-execution time of 5 days; $120K average SMB recovery cost
- Group-IB, "High-Tech Crime Trends Report 2026" — supply chain attack group identification
- SecurityToday.de, "Major Retail Chain Halts Ransomware Attack in Under 2 Hours" (Jan 2026) — 1h47m containment case study
Questions? Email info@avisail.com · Response within 1 business day