Google Warns: Ransomware Shifts to Small Businesses & Data Theft in 2025

by Chief Editor

Ransomware’s Shifting Sands: Why Small Businesses Are Now in the Crosshairs

The cybersecurity landscape is in constant flux, and ransomware is no exception. Recent data from Google Threat Intelligence Group (GTIG) reveals a significant shift in the tactics employed by ransomware actors, who are moving beyond the traditional focus on large corporations to increasingly target smaller businesses. This change, coupled with a growing reliance on data theft rather than encryption, signals a worrying trend for organizations of all sizes.

The Rise of “Ransomware-as-a-Service” and Smaller Targets

For years, ransomware attacks were largely associated with high-profile breaches impacting major enterprises. However, GTIG’s 2025 report highlights a deliberate move towards smaller organizations. Why? These businesses typically possess less robust security infrastructure, making them easier targets. The lower barrier to entry, facilitated by the proliferation of “Ransomware-as-a-Service” (RaaS) models, further exacerbates this issue.

Attackers are realizing that a higher volume of attacks on smaller targets can yield comparable, if not better, returns than attempting to breach heavily defended large corporations. This is a strategic pivot driven by increasing cybersecurity awareness and resilience among larger organizations.

Data Exfiltration Takes Center Stage

Traditionally, ransomware attacks involved encrypting a victim’s data and demanding a ransom for its decryption. While this remains a tactic, GTIG’s data shows a dramatic increase in data exfiltration – the theft of sensitive information – as a primary objective. In 2025, 77% of intrusions involved data theft, a significant jump from 57% in 2024.

This shift means that even if a company can restore its systems from backups, it still faces the threat of sensitive data being leaked publicly, leading to reputational damage, legal liabilities, and potential financial losses. The focus is now on extortion through the threat of data disclosure, rather than solely relying on the disruption caused by encryption.

Exploiting Infrastructure Vulnerabilities: A Modern Entry Point

Attackers are also changing how they gain access to systems. The report indicates a move away from relying heavily on brute-force attacks and stolen credentials, and towards exploiting vulnerabilities in exposed infrastructure. This suggests a more sophisticated approach, requiring attackers to identify and leverage weaknesses in publicly accessible systems to gain initial access.

While attackers continue to favor readily available tools and utilities, this shift in entry point underscores the importance of proactive vulnerability management and robust security configurations for internet-facing systems.

REDBIKE: The Most Prevalent Ransomware Family

GTIG’s Mandiant incident response investigations identified the REDBIKE ransomware family as the most frequently encountered in 2025, accounting for nearly 30% of cases. This highlights the continued effectiveness of this particular strain and the need for organizations to be aware of its tactics, techniques, and procedures (TTPs).

Staying Ahead of the Curve: What Businesses Can Do

The evolving ransomware landscape demands a proactive and layered security approach. Here are some key steps organizations can take to mitigate their risk:

  • Regularly Back Up Data: Maintain offline, immutable backups to ensure data recovery in the event of an attack.
  • Implement Strong Access Controls: Enforce the principle of least privilege, limiting user access to only the resources they need.
  • Patch Vulnerabilities Promptly: Stay up-to-date with security patches for all software and systems.
  • Invest in Endpoint Detection and Response (EDR): EDR solutions can detect and respond to malicious activity on endpoints.
  • Employee Security Awareness Training: Educate employees about phishing scams, social engineering tactics, and safe online practices.

FAQ: Ransomware Trends in 2026

  • Q: Are small businesses really at greater risk?
    A: Yes, GTIG data shows a clear trend of ransomware actors increasingly targeting smaller organizations due to their typically weaker security postures.
  • Q: Is data encryption still a major threat?
    A: While still used, data exfiltration is becoming the primary goal for many ransomware groups, leading to extortion through the threat of data leaks.
  • Q: What is REDBIKE ransomware?
    A: REDBIKE is a prevalent ransomware family identified in nearly 30% of Mandiant incident response cases in 2025.
  • Q: What is Ransomware-as-a-Service (RaaS)?
    A: RaaS is a business model where ransomware developers lease their tools and infrastructure to affiliates, lowering the barrier to entry for cybercriminals.

Pro Tip: Regularly review your incident response plan and conduct tabletop exercises to ensure your team is prepared to handle a ransomware attack.

Want to learn more about protecting your business from cyber threats? Explore Google Cloud’s Threat Intelligence blog for the latest insights and resources.
