Aussie SMBs Targeted: Ransomware Gang Shifts Focus


We’ve been warning about this for a while, and now it’s happening in plain sight.

Intelligence from the ACSC and private threat researchers confirms that at least two major ransomware operations have explicitly shifted resources toward Australian small and medium businesses. The reason? We’re softer targets.

What’s Changed

Ransomware gangs used to focus on big fish. Hospital systems, government agencies, large corporations. The payouts could be millions, and the headlines were part of their marketing strategy.

But those big targets have gotten harder. They’ve invested in security teams, backup systems, and incident response plans. Many now have policies against paying ransoms, backed by proper preparation to survive an attack.

So the gangs have adapted.

Attacking 50 small businesses is often easier than attacking one large one. The ransom demand per target might be lower ($30,000-$100,000 is typical for SMBs), but the success rate is higher: less sophisticated defences, more pressure to pay to get the business running again, and less likelihood of law enforcement connections.

The Targeting Is Deliberate

Reports suggest these groups are specifically researching Australian businesses. They’re:

  • Scraping Australian business directories
  • Monitoring LinkedIn for companies announcing growth or changes
  • Looking for businesses using known vulnerable software
  • Identifying industries likely to pay: medical practices, law firms, accountants, construction companies

The attacks aren’t random spray-and-pray anymore. There’s reconnaissance, there’s planning, and there’s a playbook.

How These Attacks Work

The typical chain for SMB ransomware attacks:

1. Initial access. Usually through phishing (credentials for email or remote access) or exploiting unpatched software (especially VPNs and remote desktop).

2. Dwell time. Attackers sit in the network for days or weeks, learning the environment and identifying valuable systems. They’re also looking for and disabling backups.

3. Data theft. Before encrypting anything, they steal sensitive data. Client lists, financial records, personal information. This gives them extra leverage: pay up or we release the data.

4. Deployment. The actual ransomware is deployed across all systems simultaneously, often on a Friday night or public holiday when response is slow.

5. Extortion. You see the ransom note. Pay within 48 hours or the price doubles. Don’t pay at all and the stolen data goes public.

What Makes SMBs Vulnerable

I’ve seen the same weaknesses repeatedly:

No MFA on remote access. Attackers buy stolen credentials on dark web markets and just… log in. If there’s no second factor, that’s game over.

Delayed patching. Known vulnerabilities in VPNs and edge devices that had patches available for months but weren’t applied.

Backups connected to the network. The backup drive is mounted and accessible. When ransomware hits, it encrypts the backups too.

No endpoint detection. Basic antivirus doesn’t catch modern ransomware, especially when attackers use legitimate system tools (living off the land) rather than obvious malware.

Over-privileged accounts. Everyone’s an admin. One compromised account has full access to everything.

What You Should Do Right Now

If you haven’t been hit yet, consider this your warning. Here’s a prioritised list:

Today:

  • Verify MFA is enabled on ALL remote access (VPN, remote desktop, email webmail)
  • Check when your firewall/VPN software was last updated
  • Confirm you have offline or immutable backups

This week:

  • Review who has admin access and whether they actually need it
  • Test your backups - actually restore some files and make sure it works
  • Check your cyber insurance policy - what's covered, what's excluded, and what the reporting requirements are

This month:

  • Deploy endpoint detection and response (EDR) if you don’t have it
  • Create or update your incident response plan
  • Brief your team on the elevated threat
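As an added example (not from the article, and not any vendor's tooling), here is one way to make the "test your backups" step concrete: record a SHA-256 manifest of the data at backup time, restore a sample of files, and check each restored file against the manifest. File names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Record {relative_path: sha256} for every file under root at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest: dict, restore_root: str) -> dict:
    """Compare a restored tree against the manifest.
    'mismatch' is what a backup encrypted in place looks like; 'missing' means
    the restore job silently skipped the file. Either makes the backup unusable."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restore_root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: one clean restore, one corrupted file, one never restored."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name in ("clients.csv", "ledger.xlsx", "notes.txt"):
            with open(os.path.join(src, name), "wb") as f:
                f.write(b"sample contents of " + name.encode())
        manifest = build_manifest(src)            # taken at backup time
        with open(os.path.join(dst, "clients.csv"), "wb") as f:  # restored intact
            f.write(b"sample contents of clients.csv")
        with open(os.path.join(dst, "ledger.xlsx"), "wb") as f:  # restored as junk
            f.write(b"\x00not the original bytes\x00")
        return verify_restore(manifest, dst)      # notes.txt was never restored
```

Calling `demo()` returns the three lists; in practice you would keep the manifest somewhere the backup job cannot overwrite, and treat any entry in `mismatch` or `missing` as a failed restore test.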

If You’re Already Hit

I hope you never need this section, but if you’re reading this because ransomware just appeared on your screens:

1. Don’t panic. Rash decisions make things worse.

2. Disconnect affected systems from the network but don’t turn them off. Forensic evidence can be lost on shutdown.

3. Call your cyber insurance provider immediately. They’ll have an incident response firm on retainer. Use them.

4. Report to the ACSC via ReportCyber. Even if you can’t wait for their help, the report contributes to intelligence that helps others.

5. Don’t contact the attackers yourself. If you’re going to negotiate (not recommending it, but acknowledging it happens), let professionals handle it.

6. Preserve evidence. Don’t start wiping and rebuilding until you understand how they got in. Otherwise you’ll rebuild a vulnerable system.

Whether to pay is a difficult question beyond the scope of this article. Know that paying doesn’t guarantee decryption, often funds further attacks, and may have legal implications depending on who the attackers are. Most experts advise against paying if you have any alternative.

The Reality Check

I’m not going to pretend implementing perfect security is easy or cheap for a small business. You’re trying to run a company, not a security operations centre.

But the threat is real, it’s targeted, and it’s getting worse. The cost of an incident - financial, operational, reputational - far exceeds the cost of reasonable protections.

Some businesses will read articles like this and do nothing. They’re betting they won’t be hit. With groups now deliberately targeting Australian SMBs, those odds are getting worse by the day.

If you need help getting your security sorted, there are plenty of qualified consultants who specialise in SMB cybersecurity. Some firms, like Team400, combine security expertise with AI automation to help smaller businesses implement protections that would otherwise require dedicated staff.

Don’t wait until you’re staring at a ransom note.