The Growing Threat of Ransomware-as-a-Service (RaaS) Targeting SMEs
By Connor Duthie

In the ever-evolving threat landscape, ransomware is no longer the work of a lone hacker operating in the shadows. It’s now a business model, and an increasingly professionalised one at that. Enter Ransomware-as-a-Service (RaaS): a model that allows even low-skilled criminals to launch devastating attacks by simply buying or subscribing to ransomware kits on the dark web.
While large-scale attacks on global corporations dominate headlines, small and medium-sized enterprises (SMEs) are now firmly in the crosshairs, and for good reason. SMEs often lack the cyber maturity, resources, and internal expertise to detect and respond to these attacks effectively. For cybercriminals, that’s low-hanging fruit.
“We speak to SME owners every week who still believe cybercriminals only target big brands,” says Jai Aenugu, Founder & CEO of TechForce Cyber. “But, in reality, attackers are going after the organisations least likely to have the right protections in place, and that’s often smaller businesses.”
What Is RaaS and Why Should SMEs Be Worried?
RaaS operates much like a Software-as-a-Service (SaaS) platform: the ransomware developers create and maintain malicious software, and “affiliates”, the people actually launching the attacks, pay for access. In return, the developers often take a cut of the ransom profits.
According to the UK’s National Cyber Security Centre (NCSC), “Ransomware continues to be the most significant, serious and organised cyber crime threat faced by the UK.” (NCSC Annual Review, 2023). Separately, the UK Government stated in its consultation titled “Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting” (2025) that the most common business model used by ransomware actors is RaaS. The threat has become so commoditised that attackers can deploy ransomware without writing a single line of code, just a subscription and a Telegram chat away.
A Growing Epidemic - With SMEs on the Frontline
The Sophos 2024 Threat Report finds that cybercrime is increasingly targeting small and medium-sized businesses, noting: “Cybercrime affects people from all walks of life, but it hits small businesses the hardest.” This aligns with broader industry trends showing that SMEs often lack the resources and in-house expertise to defend against sophisticated threats like RaaS.
According to the Sophos State of Ransomware 2025 report, while the average cost to recover from an attack (excluding ransom payments) has dropped by 44%, falling to $1.53 million USD or £1.14 million GBP, the financial and operational impact remains severe. This underscores the urgent need for SMEs to invest in cyber resilience, including employee training, layered security measures, and robust incident response planning.
According to the 2025 Verizon DBIR, ransomware was present in 44% of the breaches Verizon investigated. Among SMEs, ransomware was involved in 88% of breaches, more than double the rate seen in larger organisations (39%). Many lack the resilience to respond effectively, making them prime targets for increasingly sophisticated attacks, with 35% of small organisations believing that their cyber resilience is inadequate, a figure that has increased sevenfold since 2022 (CSO Online 2025).
Why SMEs?
- Many still rely on outdated software or lack multi-factor authentication.
- Cybersecurity training is minimal or non-existent.
- Many don’t have dedicated security teams or incident response plans.
For attackers, this makes SMEs the path of least resistance.
The Professionalisation of Cybercrime
Today’s ransomware gangs don’t look like scenes from Mr. Robot. Instead, they operate more like structured businesses, with corporate-style hierarchies, dedicated customer support, and sophisticated revenue-sharing models. Many offer comprehensive toolkits to their affiliates, including admin and client dashboards, encryption and ransom negotiation utilities, secure file storage systems, and even technical support services (Dark Reading, Ransomware Gangs Innovate With New Affiliate Models, 2025).
Groups like LockBit, Black Basta, and 8Base have leveraged the RaaS model to devastating effect. LockBit, for example, was responsible for more than 24% of all ransomware attacks globally in 2023, according to the U.S. Office of the Director of National Intelligence (Ransomware Attacks Surge in 2023), and over 1,000 attacks according to NCC Group (Annual Cyber Threat Monitor Report 2023).
“These aren’t bored teenagers in hoodies anymore,” Jai notes. “This is big business for them, with brand guidelines, affiliate recruitment, and even customer service teams. If SMEs don’t take that seriously, they’re walking into a trap.”
Paying the Price
The financial toll is brutal. IBM’s 2025 Cost of a Data Breach report puts the global average ransomware breach at $4.44 million USD or £3.34 million GBP, and that figure doesn’t include any ransom payments themselves (IBM, 2025). For SMEs, that’s often a business-ending event.
Worse still, with threat actors targeting backup repositories, fewer than 10% of organisations recovered over 90% of their servers, and just 51% recovered the majority (Veeam Ransomware Trends and Proactive Strategies, 2025). This means not even backups are safe.
Most end up with corrupted or incomplete files, not to mention the reputational damage. “You might pay the ransom and still walk away with nothing, no files, no recovery, and no refund,” says Jai. “And once you’ve paid, you’ve painted a target on your back for future attacks.”
What Can SMEs Do?
This might all sound bleak, but the solution doesn’t lie in fear. It lies in readiness.
Some actionable steps:
- Patch regularly: Most attacks exploit known vulnerabilities.
- Use MFA across all systems: Still one of the easiest wins.
- Back up everything: And make sure those backups aren’t online 24/7.
- Train your team: Your people are your first line of defence.
- Get certified: Cyber Essentials is a strong starting point for SMEs looking to show baseline security.
The NCSC offers free tools like Exercise in a Box to help businesses simulate a cyberattack and test their response plans, and TechForce Cyber runs its own Cyber Incident Tabletop Exercise. These exercises are worth every minute of your time.
“You don’t need to do everything overnight,” Jai advises. “But you do need to start. Even simple measures like updating passwords and enabling MFA can stop the majority of attacks cold.”
Final Thoughts
Ransomware is no longer just a threat to banks and big tech firms; it’s a clear and present danger to SMEs across every sector. The RaaS model has made launching attacks easier and more profitable than ever.
The question for business leaders isn’t if this will come knocking; it’s when, and whether they’ll be prepared when it does.
“Cybersecurity isn’t just an IT problem anymore,” Jai concludes. “It’s a business risk, and it needs to be treated like one. The companies that understand this will be the ones that survive the next wave of threats.”
Ready to Take the First Step Toward Cyber Resilience?
Don’t wait until it’s too late. Book a free Cyber Risk Consultation with TechForce Cyber and find out how prepared your business really is.