
Why Ransomware Groups are Zeroing in on SMBs

Published

Nov 11, 2025

Updated

Nov 11, 2025

Authors

Dr. Ferhat Dikbiyik

Read our full 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems.

Ransomware groups are breaking away from familiar playbooks, operating with less structure and more opportunism. But the biggest shift isn’t in the malware itself. It’s in the target.

The modern ransomware strategy is all about leverage. Instead of going after the biggest fish, attackers are now zeroing in on critical supply chain partners—often small and mid-sized businesses (SMBs)—who can’t afford to say no.

When one vendor goes down, the ripple effects are severe and immediate. Hit just one small business embedded deep in the supply chain and you can stall payroll, delay shipments, or disrupt essential services across hundreds of downstream companies. The pressure to restore operations fast is exactly what attackers count on.

In our 2025 Ransomware Report, we analyzed 150 ransomware groups and over 6,000 victims to understand how attacker tactics are evolving. What we found is that while the number of victims continues to climb—up 123% over the past two years—breaches increasingly stem from smaller organizations that play an outsized role in the supply chain.

This shift isn’t just changing who gets attacked, it’s upending how risk spreads. To protect against ransomware in 2025, organizations must look beyond their own walls and gain real visibility into the vulnerabilities hidden across their supply chains.

Video: Midsize Businesses Become Ransomware’s Biggest Targets

Watch me walk through the section of the 2025 Ransomware Report dedicated to this topic: Midsize Businesses Become Ransomware’s Biggest Targets: 2025 Ransomware Report.

From Isolated Attacks to Chain Reactions

The ransomware ecosystem used to be dominated by a handful of major groups like LockBit and ALPHV. But when those groups were dismantled, a power vacuum formed and chaos followed.

Over the past year, 52 new ransomware groups emerged, bringing the total to 96 active groups. These new players are smaller, less structured, and often operate without clear leadership or coordination. This decentralization also changed the very nature of attacks.

Instead of going after large enterprises directly, threat actors now focus on smaller vendors and service providers—the connective tissue of critical operations. Compromising just one key link in the supply chain—whether a billing vendor, logistics coordination platform, or third-party IT service provider—can cause widespread operational paralysis across multiple organizations.

It’s a chain reaction by design, and it’s working.

Why SMBs Are in the Ransomware Crosshairs

As enterprise companies continue to harden their cybersecurity defenses, attackers are shifting their focus to easier, more vulnerable targets: SMBs.

Our research shows a clear trend:

  • Only 11% of known ransomware victims in 2024 had annual revenue over $100M (down from 26% the year prior)
  • SMBs earning under $20M are now the most frequently targeted, with a clear focus on those earning between $4M and $6M

Why the shift? SMBs often lack the budgets, robust security infrastructure, and technical capabilities that larger corporations have. That makes them easier to breach—and a convenient entry point into entire supply chains.

But it’s not just about weaker defenses. SMBs are also perceived as more likely to pay ransom demands. Paying up means avoiding business-crippling downtime and the reputational damage of exposing customers, partners, and sensitive data to a breach. With so much at stake, many SMBs choose the fastest path to recovery, even if it means paying a ransom.

Rather than chasing one big payout, ransomware groups are seeking repeatable, lower-risk returns—and SMBs are at the center of that strategy.

Faster, Smaller Payouts: Ransomware’s Volume Strategy

Over the past year, the average ransom payment dropped by 35%, and only 25% of victims chose to pay. At first glance, that may seem like a win for defenders. But in reality, it’s merely a signal that attackers are betting on volume instead of value.

Attackers now make a demand, set a timer, and take what they can get. Instead of holding out for multimillion-dollar payouts, they issue modest demands designed to be just painful enough for SMBs to pay quickly and quietly. It’s a volume play: lower stakes per victim, but more frequent and more scalable across the fragmented ransomware ecosystem.

While this “pay up and make it go away” mindset may feel like a quick fix to avoid downtime or reputational fallout, it just reinforces attackers’ tactics and keeps them coming back for more. And once a company pays, it’s often marked as an easy target.

Many ransomware victims are now hit multiple times—sometimes by the same affiliates using different strains of ransomware, and sometimes by entirely new groups that find the victim’s name on a public leak site. In 2024, 14 companies were hit by two ransomware attacks within a single week, and in 32 cases the second attack came within a month. Sometimes companies are lulled into a false sense of security, thinking the threat has passed, only to be hit by another attack months later.
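As an added illustration (not code from the report or from Black Kite’s own tooling) of how the re-victimization intervals described above can be measured from leak-site postings, assuming a constructed list of (victim, group, post date) records:

```python
from collections import defaultdict
from datetime import date

# Constructed sample of leak-site postings as (victim, ransomware group, post date).
# These records are invented for illustration; they are not data from the report.
POSTINGS = [
    ("acme-logistics", "GroupA", date(2024, 3, 1)),
    ("acme-logistics", "GroupB", date(2024, 3, 5)),   # re-hit by a new group 4 days later
    ("beta-billing",   "GroupA", date(2024, 5, 10)),
    ("beta-billing",   "GroupA", date(2024, 6, 2)),   # same group again, 23 days later
    ("gamma-it",       "GroupC", date(2024, 1, 15)),
    ("gamma-it",       "GroupD", date(2024, 7, 20)),  # second hit months later
    ("delta-parts",    "GroupB", date(2024, 8, 8)),   # single incident only
]


def repeat_hits(postings):
    """One record per consecutive pair of postings for the same victim:
    (victim, days between the two hits, whether the same group posted both)."""
    by_victim = defaultdict(list)
    for victim, group, posted in postings:
        by_victim[victim].append((posted, group))
    hits = []
    for victim, events in by_victim.items():
        events.sort()  # chronological order per victim
        for (d1, g1), (d2, g2) in zip(events, events[1:]):
            hits.append((victim, (d2 - d1).days, g1 == g2))
    return hits


def victims_rehit_within(postings, days):
    """Victims whose next posting came within `days` of the previous one."""
    return sorted({v for v, gap, _ in repeat_hits(postings) if gap <= days})


def same_group_repeats(postings):
    """Victims re-posted by the same group (repeat extortion rather than a new actor)."""
    return sorted({v for v, _, same in repeat_hits(postings) if same})


if __name__ == "__main__":
    print("within a week :", victims_rehit_within(POSTINGS, 7))
    print("within a month:", victims_rehit_within(POSTINGS, 30))
    print("same group    :", same_group_repeats(POSTINGS))
```

Run over a real leak-site feed, the same-group flag separates repeat extortion by one affiliate from a second actor picking a name off a public listing, which is the distinction a vendor-risk team needs when deciding how long a breached supplier stays on watch.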

This cycle is no accident—it’s a business model. By targeting small but essential vendors, threat actors have created a scalable method of disruption that impacts entire industries.

The Real Cost of Overlooking Third-Party Risk

Ransomware in the supply chain isn’t a theoretical risk—it’s already playing out. The MOVEit and CDK Global attacks are just two recent, high-profile incidents that prove how targeting a single service provider can lead to widespread disruption across entire ecosystems.

Clop's Cleo Campaign 

In late 2024, the ransomware group Clop exploited two critical vulnerabilities in Cleo, a widely used Managed File Transfer (MFT) platform, paralyzing retail and logistics companies that relied on its unpatched software. In the two months after Cleo announced the first victims, the campaign impacted nearly 400 organizations, primarily in supply chain-reliant sectors like Manufacturing (131 victims), Wholesale Trade (61 victims), and Transportation & Warehousing (54 victims). Clop’s strategy targeted industries at the core of the supply chain, aiming to create operational chaos.

CDK Global 

In July 2024, automotive software provider CDK Global was hit with a ransomware attack and a $25 million demand. The attack impacted around 3,000 car dealerships across the U.S., which were unable to access customer records, process transactions, or manage their inventory. The disruption lasted for days and caused extensive financial and reputational damage—not just for CDK, but for every business that depended on its platform.

Every business is part of a broader ecosystem. And whether you’re a 10-person team or a global enterprise, your cybersecurity posture is only as strong as the providers you rely on. In this interconnected environment, third-party risk management (TPRM) is non-negotiable. 

Our 2025 Third-Party Breach Report found that ransomware is the most common known attack vector in third-party breaches, accounting for nearly 67% of incidents. But while supply chain exposure is now ransomware's fastest-growing entry point, many organizations still rely solely on traditional TPRM practices—like annual questionnaires and point-in-time reviews—that fail to capture fast-moving threats.

What security teams need is real-time visibility across the third-party risk landscape. That’s where Black Kite’s Ransomware Susceptibility Index® (RSI™) comes in. 

RSI™ uses machine learning and continuous cyber risk monitoring to help organizations estimate the likelihood of a ransomware attack against their most critical vendors. It assigns every vendor a ransomware susceptibility score from 0.0 (low risk) to 1.0 (high risk), giving security teams a clear, prioritized view of supply chain exposure so they can act before an attack hits.

Know Your Weakest Link Before Attackers Do

Ransomware groups have stopped aiming for the biggest payday and started aiming for the biggest impact. That means going after the overlooked, underprotected vendors that keep supply chains running, knowing that a single outage can cascade into widespread disruption.

The path forward isn’t just about defending your own perimeter. It’s about securing the extended ecosystem your business depends on. With tools like RSI™, organizations can shift from reactive to proactive, equipping themselves with the insight needed to break the attack chain before it ever starts. 

Want more insights into where ransomware is headed next? Read the 2025 Ransomware Report to see what’s changing—and what it means for your supply chain.