Skip to content
HomeBlogCybersecurity

Why Ransomware Gangs Love Small Businesses (2022 Data)

glowing blue padlock hologram standing firm on a dark motherboard as red glitch particles dissolve

Ransomware gangs don’t reserve their best tricks for Fortune 500 targets — they aim squarely at small businesses, where defenses are thinner, payouts come faster, and headlines are rare. The economics are simple: a $50,000 demand against a 40-person firm with no tested backups gets paid more reliably than a $5 million demand against a bank. This year’s data makes the pattern hard to ignore.

Why small businesses are the preferred target

Criminal groups now operate like software companies, complete with affiliates, payroll and customer service for victims. Affiliates buy network access in bulk, and small-business access is cheap because it’s abundant — weak passwords, no multi-factor authentication, unpatched remote access.

Small firms also feel maximum pressure to pay. A regional distributor losing $30,000 a day in orders can’t wait out a three-week rebuild, and attackers price demands just under that pain threshold. Add thin insurance, no incident-response retainer and no security staff, and you have the victim profile criminals openly prefer.

What the 2022 numbers show

This year’s Verizon Data Breach Investigations Report found ransomware in roughly one in four confirmed breaches — its largest share ever, with a single-year jump bigger than the previous five years combined. Incident-response firms consistently report that most of the victims they help have fewer than 1,000 employees, and the bulk have far fewer.

Average demands keep climbing too, from four figures a few years ago to six figures today. Double extortion is now standard practice: attackers steal your data before encrypting it, so even perfect backups don’t end the negotiation — they just change what’s being negotiated.

And the demand is only the opening number. Surveys of small-business victims consistently find that downtime, rebuild labor and lost sales cost several times the ransom itself, with recovery routinely stretching past two weeks. For a firm running on thin margins, the second week of downtime hurts far more than the first.

Average ransom demand ($ thousands)
0125250375500723520182019202020212022Mid-2022 estimate

Industry incident-response survey averages; illustrative.

View data table
Average demand ($ thousands)
20187
201945
2020115
2021180
2022235

How these attacks actually get in

Forget Hollywood. Most ransomware enters through one of three mundane doors: a phishing email that harvests a password, a remote access service like RDP or VPN exposed to the internet without multi-factor authentication, or an unpatched vulnerability in something facing the web.

The fourth route is your vendors. Last year’s attack on a widely used IT management platform pushed ransomware to hundreds of downstream businesses in a single stroke — many learned they were victims before they knew their vendor had a problem. Asking key suppliers how they’d detect a breach is no longer a rude question.

Once inside, attackers commonly wait days or weeks — mapping the network, locating the backups, and quietly copying data out. The encryption you notice on a Tuesday morning usually began as a login two weeks earlier. That dwell time is your detection window, if anyone is watching.

The controls that actually stop ransomware

  • Multi-factor authentication everywhere — email, VPN, remote desktop and admin accounts. This alone breaks the most common attack path.
  • Patching on a schedule, with internet-facing systems first in line.
  • Backups that follow the 3-2-1 rule, with one copy offline or immutable and restores tested quarterly — an untested backup is a hope, not a plan.
  • Endpoint detection and response on every machine, watched by humans who can act at 3 a.m.
  • An incident plan that names who you call first, written before you need it.

None of this is exotic, and that’s the point — gangs feast on small businesses precisely because these basics are missing. Every NetSys client hit by ransomware has been fully recovered without paying a dime, a 100% record we keep by treating backups and monitoring as life-safety systems rather than checkboxes.

Key takeaways

  • Ransomware appears in roughly a quarter of breaches this year, and small businesses are the volume target.
  • Average demands have climbed into six figures, with double extortion now standard.
  • Phishing, exposed remote access and unpatched systems remain the three main doors in.
  • MFA, patching, tested offline backups and monitored endpoints stop the vast majority of attacks.
  • Attackers dwell for days or weeks before encrypting — detection in that window changes everything.

If ransomware hit tonight, how long would you be down? Our disaster recovery services are built to make the answer hours, not weeks.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.