
Ransomware Isn’t Just a Big Company Problem Anymore

8th April 2026

They don’t just lock your files anymore. They steal your data first, encrypt everything, and then threaten to publish your client information unless you pay. Welcome to double extortion. 

If your mental image of a ransomware attack is a single hacker encrypting a computer and demanding Bitcoin, that picture is about five years out of date. Modern ransomware is a sophisticated, scalable, and terrifyingly efficient business. And in 2026, small businesses are the primary target. 

The numbers are blunt: in 2025, 88% of ransomware attacks targeted small businesses. Not large enterprises. Not government agencies. Businesses that employ 5 to 50 people, have thin IT resources, and often don’t discover the breach until it’s too late. 

Why? Because attackers have done the maths. Large companies have dedicated security teams. Breaking in takes time and risk. Small businesses have weaker defences, less monitoring, and less ability to fight back. Lower ransom demands, but much higher success rates. 

How double extortion actually works 

The old playbook was straightforward: encrypt files, demand payment, provide a key (maybe). Good backups could get you through it. 

Double extortion changes the equation: 

  1. They get in quietly. Through a phishing email, an unpatched system, or stolen credentials. They spend days inside your network, mapping it out. 
  2. They steal your data. Client records, financial information, contracts, employee data. Anything valuable gets copied before you know they’re there. 
  3. They encrypt everything. Once they have what they want, they lock your files and systems. 
  4. They make two threats. Pay to get your files back AND to prevent them publishing your stolen data. Even with backups, they still have your data. 

This is why backups alone are no longer a complete defence. If an attacker has your client’s personal information and threatens to publish it, restoring your server doesn’t solve that problem. 

Why small businesses are especially vulnerable 

VikingCloud’s 2025 study found that 74% of SMB owners self-manage cybersecurity or rely on untrained help. Only 15% work with an external IT provider. That gap is where attackers thrive. 

Without monitoring, unusual network activity goes unnoticed. Without a response plan, the first reaction is panic. Without training, staff click the phishing link that opens the door. And CrowdStrike’s 2025 research found 66% of SMBs cite cost as their top barrier to better security. 

It’s understandable. But the cost of a breach almost always exceeds the cost of prevention. Total Assure’s 2025 report found supply chain attacks generate average insurance claims of $265,000. 

What you can do right now 

Get your backups right. The 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite. Make sure at least one backup is offline or air-gapped. Ransomware increasingly targets backup systems too. And test your backups regularly. 

Implement MFA everywhere. Multi-factor authentication on email, cloud storage, accounting software, and anything holding sensitive data. It’s free on most platforms and blocks the majority of credential-based attacks. 

Train your people. 88% of cyber incidents involve human error. Regular, short sessions using real examples of current scams are far more effective than annual compliance slides. Phishing simulations are uncomfortable but revealing. 

Build a basic incident response plan. Four questions: Who do we call first? What do we disconnect? How do we communicate? Where are our backups and how do we restore them? Write the answers down before you need them. 

Patch and update. IBM’s 2026 X-Force report found over half of tracked vulnerabilities could be exploited without authentication. Updates close those doors. 
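
The 3-2-1 rule from the backup advice above, written as a check over a backup inventory. This is an added example, not code from the original article; the `Copy` fields, the sample inventories and the 90-day restore-test window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                # e.g. "server-disk", "nas", "cloud", "usb-disk"
    offsite: bool             # kept away from the main premises
    offline: bool             # disconnected or air-gapped
    is_backup: bool = True    # False for the live production copy
    last_restore_test: Optional[date] = None  # None means never test-restored

def audit_321(copies, today, max_test_age_days=90):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"copies: {len(copies)} found, 3 required")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"media: {len(media)} type(s) found, 2 required")
    backups = [c for c in copies if c.is_backup]
    if not any(c.offsite for c in backups):
        findings.append("offsite: no backup is stored offsite")
    if not any(c.offline for c in backups):
        findings.append("offline: no backup is offline or air-gapped")
    for c in backups:
        if c.last_restore_test is None:
            findings.append(f"restore-test: {c.name} has never been test-restored")
            continue
        age = (today - c.last_restore_test).days
        if age > max_test_age_days:  # 90 days is an assumed policy, not from the article
            findings.append(f"restore-test: {c.name} last tested {age} days ago")
    return findings

# Constructed sample inventories (hypothetical names and dates).
TODAY = date(2026, 4, 8)
WEAK = [
    Copy("file-server", "server-disk", False, False, is_backup=False),
    Copy("nas-nightly", "nas", False, False, last_restore_test=date(2025, 6, 1)),
]
FIXED = [
    Copy("file-server", "server-disk", False, False, is_backup=False),
    Copy("nas-nightly", "nas", False, False, last_restore_test=date(2026, 3, 1)),
    Copy("cloud-weekly", "cloud", True, False, last_restore_test=date(2026, 3, 20)),
    Copy("usb-rotation", "usb-disk", True, True, last_restore_test=date(2026, 2, 15)),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_321(inv, TODAY) or "passes 3-2-1")
```

The weak inventory shows the common case of a single always-connected NAS: two media types are present, but there is no third copy, nothing offsite, nothing offline, and the last restore test is stale.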

This is about preparation, not fear 

Ransomware isn’t going away. Criminal groups now sell ready-made ransomware kits, lowering the barrier for attackers. But prepared businesses recover faster, lose less data, and spend far less on remediation. 

Dial a Nerd can help you build a backup strategy and incident response plan that fits your business and budget. We’ll make sure your backups work, your critical systems are protected, and you have clear steps to follow if the worst happens. The time to plan is before it happens, not during. 
