
Ransomware is no longer the preserve of elite cybercriminals. Ransomware-as-a-service (RaaS) models have made disruptive attacks cheap, scalable and accessible. Medium-sized businesses, which often can’t afford any downtime, now sit squarely in the crosshairs of a growing pool of unsophisticated attackers who no longer need advanced capability to launch disruptive campaigns.
Two-thirds (67%) of medium-sized firms reported a cyber breach or attack in the past 12 months, according to the Department for Science, Innovation and Technology’s UK Cyber Security Breaches Survey 2025 – a rate significantly higher than that of smaller firms. The most common types of breaches or attacks were phishing attempts, followed by other impersonation attempts and viruses or other malware. These often serve as entry routes for ransomware operators.
Thanks to the prevalence of low-cost RaaS kits circulating on the dark web, alongside the increased sophistication of automation capabilities built into these tools, mid-market organisations have become prime targets for cyber attackers. Moreover, such companies may have less headroom to cope with business disruption and thus could be more likely to pay the ransom to restore continuity.
Where UK defences fall short
It’s not just their willingness to pay that makes medium-sized businesses attractive targets for ransomware attackers. Attackers increasingly forgo precision strikes, relying instead on automated scans that can identify vulnerable systems among the crowd. The NCSC Annual Review 2024 highlights repeated exploitation of basic weaknesses such as unpatched systems, weak authentication practices and exposed remote access services, all of which are routinely scanned for by RaaS operators using automated tools.
Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2025 shows a similar pattern across Europe, noting that the availability of subscription-based attack kits is expanding the pool of offenders who rely on automated tools to find any environment that has not implemented essential controls.
As more offenders adopt these accessible tools, attack patterns increasingly gravitate toward organisations whose operations are easier to disrupt and more costly to restore, setting the stage for attackers to prioritise medium-sized firms that might pay out when compromised.
Building operational resilience
Medium-sized organisations often hold sensitive operational and personal data. Yet their security controls can vary across legacy and cloud environments in ways that create exploitable gaps. These hybrid networks are large enough to enable attackers to move laterally once initial access is gained, but not always mature enough to resist the attack in the first place.
For vulnerable firms, strengthening resilience at this point requires consistent execution of the controls that limit attacker movement and support reliable recovery. These measures form the foundation of an effective response to ransomware and reduce the operational impact of an intrusion, as outlined in guidance from the NCSC and the US Cybersecurity and Infrastructure Security Agency (CISA).
To defend against RaaS attacks, CIOs and CISOs should take the following actions:
- Maintain immutable, offline backups that are tested regularly for recovery readiness.
- Segment networks to restrict attacker movement after initial access.
- Enforce multi-factor authentication on all privileged accounts and remove dormant or unused credentials.
- Review and harden remote access pathways, including VPNs and third-party connections.
- Run tabletop exercises to validate containment procedures and identify operational gaps.
- Evaluate vendor and contractor access to reduce exposure introduced through supply chains.
- Use cyber insurance reporting and peer benchmarking to understand recurring failure points.
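The identity-hygiene items in the checklist (MFA on every privileged account, removal of dormant credentials) are the ones most easily turned into a repeatable check. The script below is an added example, not code from the article, the NCSC or CISA: it audits a constructed account export (the column names and the 90-day dormancy threshold are assumptions) and lists privileged accounts lacking MFA, credentials that are dormant or have never been used, and the overlap between the two, which is the foothold a RaaS affiliate is scanning for.

```python
"""Audit an identity export for two checklist gaps: privileged accounts
without MFA, and dormant credentials. Added example; constructed data."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample export (not real data). An IdP or directory can produce
# a similar CSV; the column names here are an assumption for the example.
SAMPLE_EXPORT = """\
username,privileged,mfa_enrolled,last_sign_in
alice,true,true,2025-06-01T09:12:00Z
svc-backup,true,false,2025-05-20T02:00:00Z
bob,false,true,2024-11-03T15:45:00Z
contractor-old,false,false,
dave,true,false,2024-12-15T08:00:00Z
"""

# Assumed policy threshold: a credential unused for this long is dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    privileged: bool
    mfa_enrolled: bool
    last_sign_in: Optional[datetime]  # None means never signed in


def _parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; an empty field means no recorded sign-in."""
    value = value.strip()
    if not value:
        return None
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> list[Account]:
    """Turn the CSV export into Account records, preserving export order."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Account(
            username=row["username"].strip(),
            privileged=row["privileged"].strip().lower() == "true",
            mfa_enrolled=row["mfa_enrolled"].strip().lower() == "true",
            last_sign_in=_parse_ts(row["last_sign_in"]),
        )
        for row in reader
    ]


def audit(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Return the usernames that fail each check, in export order."""
    cutoff = now - DORMANT_AFTER
    privileged_without_mfa = [
        a.username for a in accounts if a.privileged and not a.mfa_enrolled
    ]
    # Never-used credentials count as dormant: they are pure attack surface.
    dormant = [
        a.username for a in accounts
        if a.last_sign_in is None or a.last_sign_in < cutoff
    ]
    # Highest priority: dormant *and* privileged, the ideal ransomware foothold.
    dormant_privileged = [
        a.username for a in accounts if a.privileged and a.username in dormant
    ]
    return {
        "privileged_without_mfa": privileged_without_mfa,
        "dormant": dormant,
        "dormant_privileged": dormant_privileged,
    }


def audit_sample(now_iso: str = "2025-06-15T00:00:00Z") -> dict[str, list[str]]:
    """Run the audit over the constructed export as of a given point in time."""
    return audit(parse_export(SAMPLE_EXPORT), _parse_ts(now_iso))


if __name__ == "__main__":
    for check, names in audit_sample().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and `now_iso` with the current time; the `dormant_privileged` list is the one to act on first, since it combines the two weaknesses the NCSC review calls out (weak authentication and unused access) in a single account.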
As RaaS groups continue to refine their playbooks, organisations must treat these measures as the baseline for digital hygiene. Firms that revisit controls regularly, test their assumptions under pressure and build response processes that can absorb fast and frequent intrusions will be best placed to withstand the next phase of ransomware activity as criminal groups evolve their tactics.
Strengthening long-term readiness
Improving security fundamentals is key for resisting increasingly frequent attacks. But a mindset shift is also required if firms are to develop digital resilience in the long term. Strengthening internal controls is half the job. The rest involves developing habits that support faster decisions, clearer escalations and coordinated recovery. Firms that commit to these are better positioned to handle whatever direction RaaS development goes next.
Ransomware is a growing threat for organisations. Companies that continually test their processes with the aim of evolving their defences can better control how an incident unfolds. Progress comes from steady refinement, direct accountability and a willingness to adjust as attackers shift their tactics.