NSP Insights for NZ Businesses

Why NZ Small Businesses Are the Ones Getting Hit With Ransomware

Written by Dayna-Jean Broeders | May 19, 2026 8:48:00 PM


Ransomware groups don't spend their time trying to crack into the big banks or government agencies. Small businesses are easier, faster, and frankly more profitable at scale.

If you're running a business with 10 to 200 staff and you've been assuming you're not interesting enough to be targeted, that assumption is costing New Zealand businesses millions every year.

The NCSC recorded 88 ransomware incidents in 2024/25 - up from 63 the year before. Direct financial losses across all cybercrime in New Zealand hit $26.9 million in the same period, and 53% of NZ SMEs experienced a cyber threat in the first half of 2025 alone, up from 36% the year before.

The numbers aren't slowing down. The businesses being hit aren't getting bigger and the attackers aren't getting less sophisticated - they're getting more organised.

So why are small businesses the ones bearing the brunt of it? The answer is less about what you have and more about what you don't have, and understanding that distinction is the first step toward doing something about it.


What Ransomware Is (And What It's Become)

Most people have a rough idea of what ransomware does: it locks you out of your files and demands payment to get them back. That's accurate as far as it goes, but it dramatically understates what a modern ransomware attack looks like.

The original ransomware model was relatively simple. An attacker encrypts your data, you pay the ransom, you get a decryption key, you move on - hopefully. That version still exists. But what the NCSC and global security researchers have documented over the last few years is a significant evolution in both the tactics and the business model behind ransomware attacks.

Double extortion is now standard. Attackers don't just encrypt your data - they steal it first. Then they threaten to publish it publicly or sell it to competitors unless you pay. This means that even if you have perfect backups and can recover your systems without paying, the threat of your clients' data, your financial records, or your business information being leaked gives attackers a second lever. Paying the ransom doesn't guarantee the data won't be leaked anyway.

Triple extortion goes further still. After encrypting your data and threatening to leak it, attackers start contacting your clients and customers directly - threatening to release their personal information unless they pressure you to pay, or demanding separate ransoms from them entirely. For professional services firms, healthcare providers, or law firms handling sensitive client information, this isn't hypothetical. It's happening to businesses in New Zealand right now.

Ransomware-as-a-Service (RaaS) has changed who can run these attacks. Skilled developers build ransomware tools and rent them to less technically capable criminals - called affiliates - who run the attacks and split the proceeds, typically 60/40. The barrier to entry has collapsed. You no longer need to be a sophisticated hacker to launch a ransomware campaign against a New Zealand SME. You need a credit card and a willingness to pay for access to a ready-made attack kit.

This is the threat environment NZ small businesses are operating in. Not lone hackers in basements. Organised criminal enterprises with customer service teams, payment processing infrastructure, and franchise models.


The Real Reason Small Businesses Are Targeted

The most common myth in cybersecurity - one the NCSC specifically calls out - is "we're too small to be a target." It's been repeated so often that many business owners have made it the foundation of their security strategy.

It's wrong and it's worth understanding exactly why.

Low defences, guaranteed payoff

Attackers are rational actors. They weigh the effort required against the likely return. A large enterprise might have a SOC, a dedicated security team, 24/7 monitoring, and incident response procedures that can contain an attack within hours. The return on effort for attacking them is uncertain.

A small business with 30 staff, one generalist IT person, no dedicated security monitoring, and backups that haven't been tested in six months? That's a known quantity. The attacker knows roughly what they'll find, roughly how long it'll take, and roughly what the business will pay to avoid downtime.

The NCSC puts it plainly: "You might just be an easy win."

You're a door into someone bigger

Supply chain attacks are one of the fastest-growing categories of cybercrime globally. SMEs are often part of larger supply chains - they're suppliers, service providers, contractors, or technology vendors to enterprises, government agencies, or large organisations.

Compromising your environment might be the attacker's actual goal. But more often, you're the path to something bigger. One SME's breach can expose the network of every larger organisation you're connected to, and those connections are exactly what attackers are looking for.

The NCSC documented a case where 19 New Zealand organisations - including small businesses, councils, and MSPs - were compromised through the same known vulnerability. One weak point, 19 victims. That's supply chain risk made concrete.

You hold more valuable data than you think

Small businesses routinely handle data that's extremely valuable to attackers: client financial records, personal identification information, legal documents, healthcare records, payment card data, business email conversations. The volume is smaller than a large enterprise. The security protecting it is usually far weaker. That's an attractive trade-off for an attacker.

For professional services businesses in particular - law firms, accountancies, financial advisers, consultancies - the confidentiality of client data is both a legal obligation and a commercial imperative. That makes the threat of exposure a powerful lever, and makes those businesses specifically attractive targets.

Most SMEs are running without the basics

NCSC research found that many SMEs still lack what the security community considers basic hygiene: multi-factor authentication isn't universal, backup testing is inconsistent or nonexistent, patch management is ad hoc, and security monitoring is essentially absent.

Most small businesses don't have a dedicated security person. Their IT support is generalist. Security gets pushed down the priority list until something goes wrong. And by then, the cost of that deprioritisation is sitting in front of them on a ransom demand screen.


How Ransomware Gets In

Understanding the entry points matters, because most of them are preventable. Ransomware rarely arrives through sophisticated zero-day exploits that only nation-states could produce. It arrives through the ordinary, everyday vulnerabilities that every business has.

Phishing emails

Seventy percent of cyberattacks on NZ SMEs originate from email - phishing scams designed to get someone to click a link, open an attachment, or enter their credentials into a fake login page. The NCSC consistently reports phishing as the dominant attack vector, and it's easy to understand why: it works.

Modern phishing emails are not the badly-spelled Nigerian prince messages of 2005. They're targeted, personalised, and convincingly legitimate. Attackers use LinkedIn data, breach databases, and publicly available information to craft emails that look like they're from your bank, your software vendor, your HR team, or a client you recognise.

The NCSC specifically noted in 2025 that attackers are calling IT helpdesks directly, impersonating staff using information gathered from LinkedIn and previous breach data, and attempting to reset passwords or weaken MFA. This approach has been used against multiple New Zealand organisations.

Unpatched vulnerabilities

Software vulnerabilities are discovered and published constantly. When a patch is released, the clock starts - because attackers immediately begin scanning for organisations that haven't applied it yet. An unpatched system is a known, documented, publicly listed weakness. All an attacker needs to do is find it.

For small businesses without a structured patch management process, systems can remain unpatched for months. The NCSC documented exactly this scenario - 19 NZ organisations compromised through the same known vulnerability, all of them running software that should have been patched.

Weak or reused credentials

If someone on your team uses the same password for their work email, their personal Gmail, and the accounting software they use every day, a breach of any one of those services gives an attacker potential access to all of them. Credential stuffing - using username and password combinations harvested from previous breaches - is one of the most common and effective attack methods in use today.

Multi-factor authentication (MFA) is the most reliable defence against credential-based attacks. If a stolen password isn't enough to log in without a second factor, the attack stops there. Yet MFA is still not universal across NZ SMEs - a gap that attackers are actively exploiting.

Remote access tools left exposed

The shift to remote work dramatically increased the attack surface for most businesses. Remote Desktop Protocol (RDP), VPNs, and remote access tools that weren't properly configured or secured became entry points. Attackers scan for exposed RDP ports constantly - it's automated, it's fast, and it finds victims every day.


What Happens After an Attack

Understanding the full impact of a ransomware attack goes well beyond the ransom itself. Most businesses focus on the ransom demand - whether to pay, how much it is, whether paying actually works. That's the smallest part of the damage.

Downtime

The immediate operational impact of a ransomware attack is systems that don't work. Depending on how deeply the ransomware has spread through your environment, that could mean individual machines, entire networks, or complete operational shutdown.

For a business doing $1 million in annual revenue, a single day of complete downtime represents roughly $4,000–$8,000 in lost productivity - before accounting for the revenue you're not generating, the clients you can't serve, and the work that's backing up. Extended downtime - which is common when businesses don't have tested recovery processes - can run into weeks.

The NCSC documented a NZ agriculture producer whose entire IT infrastructure was infected with ransomware, halting production entirely. That's not an IT problem. That's a business survival problem.

Recovery costs

Recovering from a ransomware attack without paying the ransom requires either restoring from clean backups (if they exist and are unaffected) or rebuilding systems from scratch. Both are expensive, time-consuming, and typically require specialist expertise that most small businesses don't have in-house.

The NCSC also documented a case where an IT provider's virtual machines were encrypted and their backups were deleted - specifically to prevent recovery without paying. This is an increasingly common tactic: attackers don't just encrypt your data, they find and destroy your backups first.

If your backups are connected to your main network, they're not safe backups. They're additional targets.

Data breach obligations

If personal information belonging to your clients or staff was accessed or exfiltrated during the attack, you have legal obligations under the Privacy Act 2020. Depending on the nature of the breach, you may be required to notify affected individuals and the Privacy Commissioner. The reputational and legal consequences of a notifiable breach compound the direct financial damage of the attack itself.

The ransom itself

Paying the ransom is not a guaranteed solution. There are documented cases of businesses paying and not receiving a working decryption key. There are documented cases of receiving the key, decrypting the files, and being attacked again within weeks because the initial vulnerability was never addressed. And there's the principle: paying funds the criminal enterprise responsible and signals that you're a viable target.

The NCSC advises against paying ransoms. Most cybersecurity professionals agree. But when your business is down, your data is locked, and there's no clear recovery path in sight, that principle meets the very human reality of a business owner trying to keep their operation alive.

The best position to be in is one where paying the ransom is never a serious consideration because your recovery options are solid enough that you don't need to.


What Protects You

Protecting your business against ransomware doesn't require an enterprise security budget. It requires the right fundamentals, applied consistently. Here's what moves the needle.

Tested backups - not just backups

Backups that haven't been tested aren't backups. They're assumptions. The critical questions aren't "do we have backups?" - they're "when were they last tested?", "how long would recovery take?", and "are they isolated from the main network so ransomware can't reach them?"

The 3-2-1 rule is a practical starting point: three copies of your data, on two different types of media, with one copy offsite or in isolated cloud storage. But the backup is only as good as the recovery test. If you don't know your Recovery Time Objective (how long it takes to get back online) and your Recovery Point Objective (how much data you'd lose in a worst case), you don't actually know your recovery capability.
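The two checks in the paragraph above - "are the copies actually intact?" and "how old is the copy ransomware can't reach?" - are the ones a recovery test has to answer. The following script is an added example, not code from this post or from NSP: it verifies each backup copy against a checksum manifest, applies the 3-2-1 count only to copies that passed verification, and reports the age of the newest isolated copy against an RPO target. The copy layout, media labels and file contents are constructed sample data; in practice the copies would be read from disk or cloud storage.

```python
"""Backup verification: integrity check, 3-2-1 rule, and effective recovery point.
Added example with constructed sample data (not the post's or NSP's own tooling)."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record the expected checksum of every production file at backup time."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_copy(copy: dict, manifest: dict) -> list:
    """Return the paths in this copy that are missing or whose content no longer
    matches the manifest. An empty list means the copy is restorable as-is."""
    failures = []
    for path, expected in manifest.items():
        actual = copy["files"].get(path)
        if actual is None or sha256_hex(actual) != expected:
            failures.append(path)
    return failures


def assess_backups(copies: list, manifest: dict, now: datetime, rpo_target: timedelta) -> dict:
    """Apply 3-2-1 to *verified* copies only, and measure the recovery point that
    survives if every network-reachable copy is encrypted or deleted."""
    verified = [c for c in copies if not verify_copy(c, manifest)]
    media_types = {c["media"] for c in verified}
    isolated = [c for c in verified if c["isolated"]]

    def age_hours(subset):
        # Age of the newest copy in the subset, in hours (None if subset is empty).
        if not subset:
            return None
        return min((now - c["taken_at"]).total_seconds() / 3600 for c in subset)

    isolated_age = age_hours(isolated)
    return {
        "copies_total": len(copies),
        "copies_verified": len(verified),
        "failed_copies": [c["name"] for c in copies if verify_copy(c, manifest)],
        "media_types": len(media_types),
        "isolated_verified": len(isolated),
        # 3-2-1 counts only copies that actually restore cleanly.
        "rule_321": len(verified) >= 3 and len(media_types) >= 2 and len(isolated) >= 1,
        "newest_verified_age_hours": age_hours(verified),
        # The isolated copy defines the worst-case recovery point.
        "isolated_age_hours": isolated_age,
        "isolated_meets_rpo": isolated_age is not None
        and isolated_age <= rpo_target.total_seconds() / 3600,
    }


# --- Constructed sample environment (hypothetical names and contents) ---------
PRODUCTION = {
    "clients/ledger.xlsx": b"client ledger 2025 - constructed sample content",
    "hr/contracts.pdf": b"employment contracts - constructed sample content",
}
MANIFEST = build_manifest(PRODUCTION)
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
RPO_TARGET = timedelta(hours=24)

SAMPLE_COPIES = [
    # Local disk copy: intact, 2 hours old, but reachable from the network.
    {"name": "local-disk", "media": "disk", "isolated": False,
     "taken_at": NOW - timedelta(hours=2), "files": dict(PRODUCTION)},
    # Office NAS copy: 1 hour old, but one file has been overwritten (simulated encryption).
    {"name": "office-nas", "media": "nas", "isolated": False,
     "taken_at": NOW - timedelta(hours=1),
     "files": {**PRODUCTION, "clients/ledger.xlsx": b"\x00ENCRYPTED-PLACEHOLDER\x00"}},
    # Offsite cloud copy: intact and isolated, but 26 hours old.
    {"name": "cloud-offsite", "media": "cloud", "isolated": True,
     "taken_at": NOW - timedelta(hours=26), "files": dict(PRODUCTION)},
]

if __name__ == "__main__":
    report = assess_backups(SAMPLE_COPIES, MANIFEST, NOW, RPO_TARGET)
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

In the constructed case the dashboard view ("three copies, 3-2-1 satisfied") is misleading: the NAS copy fails integrity, so only two copies are restorable, and the one copy ransomware cannot reach is 26 hours old against a 24-hour RPO target. That gap is exactly what an untested backup hides.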

Multi-factor authentication everywhere

MFA is one of the highest-value, lowest-cost security controls available to any business. It doesn't stop every attack, but it stops a significant proportion of credential-based attacks cold. Every system your team accesses - email, cloud applications, remote access tools, accounting software - should require MFA.

If you're not sure where MFA is and isn't enabled across your environment, a security assessment will map that out clearly.

Patch management that happens

Patches need to be applied promptly, across every device and system in your environment. Not when it's convenient. Not when IT gets around to it. On a defined schedule, with accountability.

For businesses without a structured patching process, a managed service handles this systematically - patches are tracked, applied, and verified without requiring manual intervention from internal staff.

Security awareness training

The NCSC consistently reports that most attacks involve social engineering - getting someone to do something rather than exploiting a technical vulnerability. Phishing, pretexting, impersonation. The human layer of your security is often the one that gets exploited first.

Security awareness training isn't a one-off session. It's regular, practical, and ideally includes simulated phishing exercises so your team learns to recognise attacks before they encounter real ones.

Active monitoring and detection

You cannot respond to an attack you don't know about. The average time between a ransomware attacker gaining initial access and deploying the ransomware payload is days to weeks - during which they're moving through your environment, identifying targets, and deleting backups. Active monitoring significantly increases the chance of detecting that activity before the payload is deployed.

Managed Detection and Response (MDR) provides 24/7 monitoring of your environment, detecting and responding to threats in real time. For a small business without a dedicated security team, outsourcing that capability is far more cost-effective than hiring for it.

An incident response plan

When something goes wrong - and at some point, something will - having a clear, documented plan changes the outcome dramatically. Who do you call first? How do you isolate affected systems? How do you communicate with clients? What's the process for engaging your cyber insurer?

Businesses that have tested incident response plans recover faster, spend less, and make fewer decisions under extreme stress. A tabletop exercise runs your team through a simulated attack scenario so you find the gaps in your plan before an attacker does.


The Ransomware-as-a-Service Reality

It's worth sitting with this for a moment: ransomware is no longer a tool used exclusively by technically sophisticated criminals. It's a franchise model.

Developers build the ransomware, manage the infrastructure, and take a cut - typically 40% - of every successful ransom payment. Affiliates purchase access to the kit, run the attacks, and keep 60%. The affiliate doesn't need to understand the technical mechanics. They need to know how to find a target, send a phishing email, and wait.

This is why the volume of attacks is increasing year on year. The supply of attackers has expanded dramatically because the barrier to entry has dropped to near zero. AI tools are accelerating this further - automating reconnaissance, credential harvesting, and even the crafting of psychologically targeted phishing messages.

The NCSC's 2025 threat report assessed that more than half of the significant ransomware incidents they analysed were likely to involve Ransomware-as-a-Service. This isn't fringe activity. It's the dominant model.

For NZ small businesses, what this means practically is that the attacker targeting you may have no particular sophistication but the tools they're using do. Defending against those tools requires more than hoping you fly under the radar.


Frequently Asked Questions About Ransomware and NZ Small Businesses

My business is small. Am I really a target?

Yes. The NCSC is explicit about this: small businesses are targeted precisely because they tend to have weaker defences, not in spite of their size. Attackers use automated tools to scan for vulnerable systems at scale - your business size is irrelevant to that process. What matters is whether your environment has exploitable weaknesses.

What should I do if we get hit with ransomware right now?

Isolate affected systems from your network immediately - disconnect them from the internet and from other devices. Do not turn them off, as this can sometimes destroy forensic evidence needed for recovery. Contact your IT provider or a cybersecurity incident response team. Report the incident to the NCSC at ncsc.govt.nz. Do not pay the ransom without taking professional advice first - payment doesn't guarantee recovery and funds criminal operations.

Should we pay the ransom?

The NCSC advises against paying. Paying doesn't guarantee you'll get a working decryption key, doesn't mean the attackers won't attack you again, and funds the criminal enterprise. The better position is having robust backups and recovery processes so payment is never the only option on the table.

How much does a ransomware attack actually cost a NZ business?

Direct costs include recovery, potential ransom payment, emergency IT support, and downtime. The NCSC recorded $26.9 million in direct financial losses across all cybercrime in NZ in 2024/25. For individual SMEs, costs range from thousands to hundreds of thousands depending on the severity and how well-prepared the business was. The hidden costs - reputational damage, lost clients, staff time diverted to recovery - often exceed the direct costs.

We have antivirus. Isn't that enough?

No. Antivirus is one layer of defence against one category of threat. Modern ransomware is specifically designed to evade signature-based detection tools. A complete defence includes MFA, patching, backups, monitoring, awareness training, and an incident response plan. If you're not sure where your gaps are, a cybersecurity assessment will tell you.

What's the difference between MDR and antivirus?

Antivirus looks for known threats based on signatures - it recognises malicious files it's seen before. MDR (Managed Detection and Response) actively monitors your environment for suspicious behaviour, regardless of whether the specific threat has been seen before. It's the difference between a lock on the door and someone watching the premises 24/7. For more on that distinction, our post on what managed services actually does covers it in plain language.

How do I know if my business has already been compromised?

This is a harder question than it sounds, because attackers often spend weeks in an environment before deploying ransomware. Signs to watch for include unusual login activity, unexpected account changes, slow systems without clear cause, or files being accessed at unusual hours. A security assessment or MDR deployment will identify indicators of compromise that basic monitoring misses. We cover this in more detail in our post on how to know if your business has been breached.
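The "Active monitoring and detection" section describes the window between initial access and payload - attackers moving through the environment and deleting backups - and this answer lists the signs to watch for: unusual login activity, unexpected account changes, and files being accessed at unusual hours. The script below is an added example, not code from this post or from NSP's MDR tooling, showing how those signs become simple detection rules run over log lines. The log format, rule thresholds, business hours, account names and IP addresses are all constructed assumptions; a real deployment would map them onto the identity provider's and file server's actual audit logs.

```python
"""Turn the 'signs of compromise' into detection rules over audit log lines.
Added example with a constructed log format (not the post's or NSP's own tooling)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: timestamps are already in the business's local time.
BUSINESS_HOURS = (8, 18)  # 08:00 to 18:00

# Constructed line format: "<iso-timestamp> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields


def detect(lines, window=timedelta(seconds=60), burst=5, stuffing_users=3):
    """Return (rule, subject, timestamp) alerts for the signs described in the post."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    failed_users_by_src = defaultdict(set)   # credential stuffing: one source, many accounts
    file_accesses_by_user = defaultdict(list)  # bulk access: many files in a short window

    for e in events:
        kind, hour = e["event"], e["ts"].hour
        in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
        if kind == "login":
            if e.get("result") == "fail":
                failed_users_by_src[e.get("src")].add(e.get("user"))
            elif not in_hours:
                alerts.append(("after_hours_login", e.get("user"), e["ts"]))
        elif kind == "account_change":
            # MFA being disabled or a role being raised to admin is always worth a look.
            if (e.get("field"), e.get("value")) in {("mfa", "disabled"), ("role", "admin")}:
                alerts.append(("sensitive_account_change", e.get("user"), e["ts"]))
        elif kind == "file_access":
            file_accesses_by_user[e.get("user")].append((e["ts"], e.get("path")))
        elif kind == "backup_delete":
            # Backup deletion ahead of payload is the tactic the post describes.
            alerts.append(("backup_deletion", e.get("user"), e["ts"]))

    for src, users in failed_users_by_src.items():
        if len(users) >= stuffing_users:
            alerts.append(("credential_stuffing", src, None))

    for user, accesses in file_accesses_by_user.items():
        accesses.sort()
        for i, (start, _) in enumerate(accesses):
            paths = {p for ts, p in accesses[i:] if ts - start <= window}
            if len(paths) >= burst:
                alerts.append(("file_access_burst", user, start))
                break  # one alert per user is enough to trigger a look
    return alerts


def alert_counts(lines) -> dict:
    """Summarise alerts per rule (handy for dashboards and tests)."""
    counts = defaultdict(int)
    for rule, _, _ in detect(lines):
        counts[rule] += 1
    return dict(counts)


# Constructed sample log: a normal morning login, then an after-hours sequence
# (password spray from one address, MFA disabled, role elevated, bulk file reads,
# backup snapshot deleted). Names and addresses are fictional.
SAMPLE_LOG = """
2025-06-01T09:12:40 login user=a.ngata src=198.51.100.20 result=ok
2025-06-01T22:47:11 login user=admin src=203.0.113.7 result=fail
2025-06-01T22:47:12 login user=j.smith src=203.0.113.7 result=fail
2025-06-01T22:47:13 login user=finance src=203.0.113.7 result=fail
2025-06-01T22:47:14 login user=r.kaur src=203.0.113.7 result=fail
2025-06-01T22:47:15 login user=r.kaur src=203.0.113.7 result=ok
2025-06-01T22:50:03 account_change user=r.kaur actor=r.kaur field=mfa value=disabled
2025-06-01T22:51:00 account_change user=svc-backup actor=r.kaur field=role value=admin
2025-06-01T23:02:10 file_access user=r.kaur path=/clients/ledger.xlsx
2025-06-01T23:02:11 file_access user=r.kaur path=/clients/contracts.pdf
2025-06-01T23:02:12 file_access user=r.kaur path=/hr/payroll.csv
2025-06-01T23:02:13 file_access user=r.kaur path=/hr/ird.pdf
2025-06-01T23:02:14 file_access user=r.kaur path=/finance/q4.xlsx
2025-06-01T23:05:30 backup_delete user=r.kaur target=nas-snapshot-2025-05-31
""".strip().splitlines()

if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG):
        print(f"{rule:<26} {subject:<16} {ts}")
```

Each rule on its own produces noise (staff do log in late, and helpdesks do change roles); the value is in seeing them land on the same account within minutes, which is what a monitoring service correlates. The backup deletion fires last in the sample, and by then the earlier alerts have already given a defender several chances to act before any payload runs.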


What to Do Next

If you've read this and you're not confident that your business has the fundamentals covered — tested backups, MFA everywhere, patch management, monitoring, and a response plan — now is the right time to find out where the gaps are.

A cybersecurity assessment gives you a clear picture of your current security posture: what's working, what isn't, and what to prioritise. It's not a sales exercise. It's a map of where you actually stand.

If you're further along and want to understand what ongoing protection looks like, our ransomware protection and recovery services are built specifically for NZ SMEs who need enterprise-grade capability without enterprise complexity or cost.

The businesses that get hit hardest by ransomware aren't the ones that couldn't afford to protect themselves. They're the ones that assumed they didn't need to.

Book a free security consultation →

Or call us: 0508 010 101

