Ransomware and data-extortion attacks keep evolving, and small organizations remain prime targets. In 2024, ransomware complaints from U.S. critical-infrastructure organizations rose 9%, and total reported cybercrime losses across all categories exceeded $16B, a record, according to the FBI's Internet Crime Complaint Center. Translation: the threat is growing, even as some attackers collect less per incident.
Below are the 10 most common pressure points we see—and practical, right-now steps you can take.
1) “Double/Triple Ransomware Extortion” becomes the norm
Attackers don’t just encrypt files; they also steal data and threaten to leak it, or harass your customers, to force payment. The Verizon DBIR shows ransomware is deeply intertwined with system-intrusion breaches, which frequently begin with stolen credentials. Action: Treat every ransomware attempt as a data breach until your logs rule out exfiltration; stopping the encryptor does not mean the data wasn't already staged and copied out. Enable MFA everywhere, and pre-draft your legal/communications playbook for potential data exposure.
2) Identity is the new perimeter (credential theft and MFA fatigue)
Most intrusions start with compromised identities: phished passwords, reused credentials, or “MFA fatigue” (push spam until someone taps “approve”). Action: Enforce phishing-resistant MFA (FIDO2/passkeys) for email, VPN, and admin tools; block legacy authentication (basic-auth IMAP/POP/SMTP and similar) because it bypasses MFA entirely; turn on number matching for any push-based MFA you keep so a blind “approve” tap is not enough; and alert on impossible-travel sign-ins and bursts of denied MFA prompts.
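The two alerts named above are simple enough to write yourself if your identity provider exports sign-in logs. The Python below is an added example, not code from the original article or from any identity product: it runs an impossible-travel check (consecutive successful sign-ins that would need faster-than-airliner travel) and an MFA-fatigue check (a burst of denied or timed-out push prompts, and whether the user finally approved one) over a handful of constructed sample records. The record shape (user, UTC timestamp, result, city, latitude, longitude) is an assumption; real Entra ID or Okta sign-in logs carry the same information under different field names.

```python
"""Impossible-travel and MFA-fatigue detection over sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real data).
# (user, UTC timestamp, result, city, lat, lon)
SAMPLE_SIGNINS = [
    ("alice", "2024-05-01T08:00:00", "success",     "Richmond", 37.54, -77.44),
    ("alice", "2024-05-01T09:10:00", "success",     "Lagos",     6.52,   3.38),  # ~8,700 km in 70 min
    ("bob",   "2024-05-01T22:00:00", "mfa_denied",  "Moscow",   55.75,  37.62),
    ("bob",   "2024-05-01T22:01:00", "mfa_denied",  "Moscow",   55.75,  37.62),
    ("bob",   "2024-05-01T22:02:00", "mfa_timeout", "Moscow",   55.75,  37.62),
    ("bob",   "2024-05-01T22:03:00", "mfa_denied",  "Moscow",   55.75,  37.62),
    ("bob",   "2024-05-01T22:04:00", "mfa_denied",  "Moscow",   55.75,  37.62),
    ("bob",   "2024-05-01T22:06:00", "success",     "Moscow",   55.75,  37.62),  # user gave in and tapped approve
    ("carol", "2024-05-01T12:00:00", "success",     "Richmond", 37.54, -77.44),
    ("carol", "2024-05-01T18:00:00", "success",     "Chicago",  41.88, -87.63),  # ~1,000 km in 6 h: a normal flight
]


def parse(records):
    """Group rows per user as dicts with parsed timestamps, sorted by time."""
    by_user = defaultdict(list)
    for user, ts, result, city, lat, lon in records:
        by_user[user].append({"user": user, "ts": datetime.fromisoformat(ts),
                              "result": result, "city": city, "lat": lat, "lon": lon})
    for evs in by_user.values():
        evs.sort(key=lambda e: e["ts"])
    return by_user


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(records, max_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose locations would
    require travelling faster than max_kmh (roughly airliner cruise speed)."""
    alerts = []
    for user, evs in parse(records).items():
        successes = [e for e in evs if e["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")  # same-second, different place
            if km > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


def find_mfa_fatigue(records, threshold=5, window=timedelta(minutes=10)):
    """Flag >= threshold denied/timed-out MFA prompts for one user inside `window`,
    and record whether an approval followed inside the same window (the attacker's
    goal is for the user to tap "approve" just to make the prompts stop)."""
    alerts = []
    for user, evs in parse(records).items():
        failed = [e for e in evs if e["result"].startswith("mfa_")]
        i = 0
        while i < len(failed):
            burst = [e for e in failed[i:] if e["ts"] - failed[i]["ts"] <= window]
            if len(burst) < threshold:
                i += 1
                continue
            deadline = failed[i]["ts"] + window
            approved = any(e["result"] == "success" and burst[-1]["ts"] < e["ts"] <= deadline
                           for e in evs)
            alerts.append({"user": user, "first_prompt": failed[i]["ts"].isoformat(),
                           "prompts": len(burst), "approved_after": approved})
            i += len(burst)  # skip past this burst; one alert per burst is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS) + find_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

Bob's burst with `approved_after: True` is the one to page on: it means the attacker already has a session, so the response is to revoke that session and reset the credential, not just to warn the user. Tune `max_kmh` and `threshold` against a week of your own logs before alerting; VPN egress points and shared corporate IPs are the usual false-positive sources for the travel check.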
3) RDP/remote-access and misconfigured cloud
Attackers still love exposed Remote Desktop Protocol and publicly readable or over-shared cloud storage. Small teams often “set and forget” remote access for vendors or staff. Action: Close direct RDP from the internet and verify it with an external scan of TCP 3389 from outside your network; require VPN with MFA; review cloud-share permissions quarterly; and rotate keys/tokens. CISA’s Stop Ransomware guidance is a strong checklist.
4) Email-borne initial access (phishing & business email compromise)
A single click can launch an encrypt-and-exfiltrate playbook. Phishing remains the most common entry point for small orgs. Action: Continuous, short training; report-phish buttons; and email security that sandboxes links/attachments. Practice “pause before you click” drills and run tabletop exercises.
5) Ransomware as a Service (RaaS) and affiliate churn
Law-enforcement takedowns have disrupted big ransomware groups like LockBit and ALPHV/BlackCat, but affiliates regroup and rebrand quickly. Net effect: more opportunistic attacks, often against smaller victims. Action: Patch externally exposed systems fast, harden backups, and hunt for standard RaaS tradecraft in your logs: PsExec service installs, Cobalt Strike/Sliver beacons, and accounts newly added to local Administrators.
6) Supply-chain and MSP risk
Attackers increasingly target IT providers and software vendors to pivot into many small customers at once. Action: Vet your MSP’s controls (MFA on all remote tools, role-based admin, EDR on their jump hosts). Limit third-party access to time-boxed windows and the narrowest scope the task needs, rather than standing access; require logs for all privileged actions and the ability to review them. Consult CISA small-business guidance to frame vendor questions.
7) Sector-specific targeting (health, municipal, critical services)
Healthcare and public services remain high-pressure targets because downtime is costly and visible. Even if you’re not in a hospital, the lesson is resilience. Action: Identify your “can’t-be-down” systems, define manual workarounds, and test them. Align to CISA/sector advisories when applicable.
8) Data theft without encryption (“pure extortion”)
Some crews skip encryption entirely to reduce noise: they steal sensitive files and demand payment not to publish them. Action: Minimize what you store, shorten retention, encrypt data at rest and in transit, and log data egress (large downloads, unusual zip/archive creation, and archive or file-transfer tools appearing on servers where they don’t belong). Have a breach-notification decision tree ready.
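Items 5 and 8 both come down to the same activity: running a handful of rules over Windows event logs. The Python below is an added example, not code from the original article or from any SIEM or EDR product: it models events as plain dicts using the field names Windows Security/System logs and Sysmon actually use, and runs five rules over constructed sample events (a PsExec service install, an account added to local Administrators, a Sysmon pipe-creation event matching Cobalt Strike's default pipe names, an archiver staging a share, and a cloud-sync tool pushing the archive out). The `hunt` helper, the `RULES` table and the list of egress tools are assumptions for the demo; the Cobalt Strike pipe names are the framework's documented defaults, which operators can change, so treat that rule as a weak signal.

```python
"""Hunt for common RaaS affiliate tradecraft in Windows event logs (added example)."""
import ntpath
import re

ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
EGRESS_TOOLS = {"rclone.exe", "megasync.exe", "megacmd.exe"}  # assumed list for the demo
LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
# Cobalt Strike default named pipes (msagent_##, MSSE-####-server, postex_####); easily changed by operators.
CS_PIPE = re.compile(r"^\\(msagent_[0-9a-f]{2}|MSSE-\d+-server|postex_[0-9a-f]{4})$", re.I)


def base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def psexec_service_install(e):
    """T1569.002: PsExec copies PSEXESVC.exe to ADMIN$ and installs it (System event 7045)."""
    return e.get("EventID") == 7045 and (
        e.get("ServiceName", "").upper() == "PSEXESVC" or base(e.get("ImagePath")) == "psexesvc.exe")


def new_local_admin(e):
    """T1098: member added to local Administrators (Security event 4732; group is TargetUserName/TargetSid)."""
    return e.get("EventID") == 4732 and (
        e.get("TargetSid") == LOCAL_ADMINS_SID or e.get("TargetUserName", "").lower() == "administrators")


def cobalt_strike_default_pipe(e):
    """Sysmon event 17 (pipe created) whose name matches a Cobalt Strike default."""
    return e.get("EventID") == 17 and CS_PIPE.match(e.get("PipeName", "")) is not None


def archive_staging(e):
    """T1560.001: archiver run with the 'add' verb (Security 4688 with command-line auditing on)."""
    return (e.get("EventID") == 4688 and base(e.get("NewProcessName")) in ARCHIVERS
            and re.search(r"\b(a|add)\b", e.get("CommandLine", "")) is not None)


def cloud_egress_tool(e):
    """T1567.002: rclone/MEGA-style sync tools launched on a server."""
    return e.get("EventID") == 4688 and base(e.get("NewProcessName")) in EGRESS_TOOLS


RULES = {f.__name__: f for f in (psexec_service_install, new_local_admin,
                                 cobalt_strike_default_pipe, archive_staging, cloud_egress_tool)}


def summarize(e):
    """Pick the single most useful field from an event for the alert line."""
    for key in ("CommandLine", "PipeName", "MemberName", "ImagePath"):
        if e.get(key):
            return e[key]
    return str(e.get("EventID"))


def hunt(events, rules=RULES):
    """Run every rule over every event; one hit per (rule, event) pair."""
    return [{"rule": name, "host": e.get("Computer"), "detail": summarize(e)}
            for e in events for name, pred in rules.items() if pred(e)]


# Constructed sample events (not real logs); three are benign and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 4732, "Computer": "FS01", "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINS_SID,
     "MemberName": "FS01\\svc_update2", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "Computer": "FS01", "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberName": "CORP\\contractor", "SubjectUserName": "helpdesk"},
    {"EventID": 17, "Computer": "WS07", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_4f"},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": r"C:\Users\Public\7z.exe",
     "CommandLine": r"7z.exe a -mx0 C:\Users\Public\hr.7z \\FS01\HR"},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\Public\hr.7z remote:dump --transfers 16"},
    {"EventID": 4688, "Computer": "WS07", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['host']}: {hit['detail']}")
```

Two of these rules only work if the prerequisite logging is on: 4688 carries a `CommandLine` field only when "Include command line in process creation events" is enabled by policy, and event 17 exists only where Sysmon is deployed with a pipe-event configuration. That is the concrete meaning of "log the basics" in item 10.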
9) Backup sabotage and recovery failures
Attackers look for your backups first, deleting, encrypting, or corrupting them before they launch the encryptor on production systems. Recovery costs, not the ransom, drive most of the damage for SMBs, with seven-figure average recovery costs reported across org sizes. Action: Follow 3-2-1(+1) backups: 3 copies, 2 media types, 1 off-site, plus 1 offline or immutable copy that a compromised admin account cannot delete. Test restores quarterly and time them, so you know your real recovery window. Use dedicated, non-domain credentials for the backup console, so a compromised domain admin cannot reach it.
10) New Ransomware variants and fast-moving TTPs
Groups like Play or Interlock highlight how quickly techniques shift. Small orgs can’t track every name; focus on mitigations that blunt whole classes of attacks. Action: Patch edge devices, disable unused services, least-privilege everywhere, EDR on endpoints/servers, and log the basics (authentication, process creation with command line, PowerShell script block logging, DNS). Monitor CISA advisories for concrete, up-to-date mitigations.
Your First 10 Moves (Do-Now Checklist)
- Turn on MFA everywhere (admin accounts first, then all users). Use phishing-resistant methods where possible.
- Harden and test backups (offline/immutable + quarterly restore drills).
- Close risky remote access (no open RDP; require VPN with MFA; restrict vendor windows).
- Patch internet-facing systems within days (especially VPNs, email gateways, firewalls, hypervisors).
- Email security + user drills (sandbox links/attachments; monthly 5-minute trainings; easy “report phish” button).
- Endpoint detection & response (EDR) on servers and workstations; monitor for credential theft and lateral movement.
- Least-privilege access (separate admin accounts; remove standing domain admin; rotate keys/tokens).
- Log the fundamentals (authentication, process creation with command line, PowerShell script block, DNS) and set alerts for abnormal behavior.
- Vendor/MSP due diligence (MFA, logging, role-based access, incident terms in your contract).
- Build a simple incident plan (who to call, how to isolate, when to notify, and a tabletop exercise twice a year). Start with CISA’s Stop Ransomware resources.
The data shows attackers are leaning harder on stolen identities and fast-moving affiliates. At the same time, victims who have MFA, backups, EDR, and tested plans in place recover faster and pay less (or not at all). If you’re a small organization, you don’t need a giant budget. You need the right 10 moves, done consistently. We can help you implement and test each one.
Commonwealth Sentinel will help you face your organization’s growing cyber security threats. We can assess your existing IT security and collaborate with your team to safeguard your data and assets. At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.
