
Why ransomware is hitting small professional-services firms

Ransomware is no longer just a big-company or hospital problem. In the FBI's 2025 Internet Crime Report, some of the most frequently hit ransomware victims outside the critical-infrastructure sectors were small professional-services firms: law offices, contractors, engineering and architecture practices, and consultancies. If you run a small firm in one of these fields, here is what the data shows and the practical steps that lower your risk.

What the 2025 FBI data shows

Ransomware is a type of malicious software that locks up your files and systems until a ransom is paid. According to the FBI's Internet Crime Complaint Center (IC3), 2025 saw more than 3,600 ransomware complaints with reported losses exceeding $32 million. The FBI is explicit that this figure is artificially low: it usually excludes lost business, downtime, wages, and third-party remediation, and many organizations report directly to FBI field offices instead. The true cost is far higher.

The pace of new threats is striking. In 2025 the FBI identified 63 new ransomware variants, an average of about five new strains every month. The most reported variants included Akira, Qilin, Play, LockBit, and Medusa.

Most telling for small businesses is where the attacks landed. Beyond the critical-infrastructure sectors, the FBI received more than 1,400 ransomware complaints from non-critical businesses, and the most affected industries read like a directory of local professional services:

  • Legal services (18%), including law firms and estate-planning practices
  • Contracting services (17%), including electricians and general contractors
  • Engineering and architectural services (10%), including land surveying
  • Consulting services (7%), including project management and marketing
  • Small manufacturing (5%), including furniture and building materials

Why small firms are attractive targets

Attackers are not picking these firms at random. Small professional-services businesses combine several qualities that make them ideal victims:

  • Valuable, sensitive data. Client records, contracts, financials, designs, and case files are exactly the kind of information a firm cannot afford to lose or leak.
  • Lean or outsourced IT. Many firms have no dedicated security staff, so gaps in backups, patching, and access control go unnoticed until an attack exposes them.
  • Low tolerance for downtime. When billable hours stop, revenue stops. That pressure makes a firm more likely to pay quickly to get back to work.
  • Trusted connections. A compromised firm can be a stepping stone to its clients and partners, which makes it doubly valuable to an attacker.

How to protect your firm from ransomware

The FBI's recommended defenses are well established and affordable at small-business scale. Work through the six steps below. None of them is exotic, and together they remove the footholds ransomware depends on.

Step 1: Keep offline, immutable, tested backups

Backups are the single most important ransomware defense, because they let you restore instead of paying. To be effective they need to be more than a copy on a connected drive.

  • Store backups offline or off-site so attackers cannot reach them from the network they just encrypted.
  • Make them immutable, meaning they cannot be altered or deleted, and encrypt them.
  • Test restoration regularly. A backup you have never restored from is a guess, not a safety net.
  • Cover your whole environment, including servers, workstations, and cloud data such as Microsoft 365.
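The restore test in the third bullet is the part most firms skip, so here is what one looks like in practice. This is an added example, not Veldtech's tooling or anything from the FBI report: it packs a small constructed set of files into an archive with a SHA-256 manifest, restores the archive into a fresh scratch directory, and checks every file against the manifest. The manifest format, the function names, and the sample file names are assumptions made for this example.

```python
"""Restore-test harness for a backup set (added example, not Veldtech's code).

The test restores into a brand-new directory rather than over the live data,
because the question a restore test answers is "can the archive alone rebuild
everything?", not "does the live copy still look right?".
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and write a manifest {relative path: sha256} beside it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def safe_members(tar):
    """Only extract plain files with relative, non-traversing names."""
    for m in tar.getmembers():
        parts = m.name.split("/")
        if m.isfile() and not os.path.isabs(m.name) and ".." not in parts:
            yield m


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every manifest entry.

    Returns (ok, problems); problems holds 'missing:<path>' and
    'mismatch:<path>' entries so the report says exactly what failed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, members=safe_members(tar))
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored):
                problems.append("missing:" + rel)
            elif sha256_file(restored) != expected:
                problems.append("mismatch:" + rel)
    return (not problems, problems)


def run_demo():
    """Build a constructed backup, verify it, then verify against a tampered manifest.

    Returns (clean_ok, problems_from_tampered_run).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "clients")
        os.makedirs(os.path.join(src, "matters"))
        # Constructed sample data, standing in for client files.
        with open(os.path.join(src, "matters", "smith-contract.txt"), "w") as f:
            f.write("constructed sample contract\n")
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("date,amount\n2025-01-01,100\n")

        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        clean_ok, _ = verify_restore(archive, manifest)

        # Simulate silent corruption of one file and a file that never made it
        # into the archive; a good restore test must surface both.
        tampered = dict(manifest)
        tampered["ledger.csv"] = "0" * 64
        tampered["matters/missing.txt"] = "1" * 64
        _, problems = verify_restore(archive, tampered)
    return clean_ok, sorted(problems)


if __name__ == "__main__":
    ok, problems = run_demo()
    print("clean backup restores:", ok)
    print("tampered manifest reports:", problems)
```

Run it on a schedule against the most recent backup set, and treat any `missing` or `mismatch` line as an incident to investigate before the next backup cycle overwrites the evidence.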

Step 2: Turn on multi-factor authentication everywhere

Many ransomware attacks begin with a single stolen password. Multi-factor authentication (MFA) requires a second proof of identity, so a stolen password alone is not enough.

  • Enable MFA for all services, especially webmail, VPNs, and any account that reaches critical systems.
  • Prefer an authenticator app or passkey over text-message codes where possible.
  • Cover remote access in particular, since exposed remote-access tools are a common entry point.

Step 3: Enforce least privilege and eliminate default passwords

The less access each account has, the less damage a single compromise can do.

  • Give every user only the access they need to do their job, and nothing more.
  • Audit accounts with administrative privileges and remove rights that are no longer required.
  • Change default passwords on every device and service, and require strong, unique credentials. A password manager makes this practical.

Step 4: Segment your network

A flat network, where everything can reach everything, lets ransomware spread freely. Segmentation contains it.

  • Separate critical systems from general user devices and from guest or public access.
  • Restrict traffic between segments so an infection in one area cannot immediately reach your file server or backups.
  • Isolate guest Wi-Fi from your business network entirely.

Step 5: Deploy endpoint detection and monitor for lateral movement

Catching an attacker early, before files are encrypted, is the difference between an incident and a disaster.

  • Use endpoint detection and response (EDR) tools that flag unusual behavior on each device.
  • Log and review network traffic, including lateral movement between systems, which often signals an attacker spreading through the network.
  • Act on alerts quickly. Monitoring only helps if someone is watching and able to respond.
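To make "review network traffic for lateral movement" concrete, here is one simple heuristic a firm or its MSP can run over firewall connection logs. This is an added example, not Veldtech's monitoring stack: it flags any internal host that opens admin-protocol sessions (SMB, RDP, WinRM) to several distinct internal peers within a few minutes, which is a pattern of an infection spreading rather than normal user activity. The log layout, the ports chosen, the thresholds, and the sample addresses are all assumptions constructed for this example.

```python
"""Lateral-movement heuristic over connection logs (added example, not Veldtech's code).

Normal workstations rarely open SMB, RDP or WinRM sessions to many different
internal hosts in a short burst; a freshly compromised one often does.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed admin-protocol ports worth watching between internal hosts.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log, one record per line: "timestamp src dst dport action".
SAMPLE_LOG = """\
2025-03-04T09:00:01 10.0.2.15 10.0.1.5 445 allow
2025-03-04T09:00:05 10.0.2.15 8.8.8.8 443 allow
2025-03-04T09:01:10 10.0.2.15 10.0.1.6 445 allow
2025-03-04T09:01:12 10.0.2.15 10.0.1.7 3389 allow
2025-03-04T09:01:40 10.0.2.15 10.0.1.8 5985 allow
2025-03-04T09:02:03 10.0.2.15 10.0.1.9 445 allow
2025-03-04T09:30:00 10.0.3.20 10.0.1.5 445 allow
2025-03-04T09:30:00 10.0.3.20 10.0.1.5 445 allow
2025-03-04T11:00:00 10.0.4.40 10.0.1.5 3389 allow
"""


def parse(line):
    """Split one record into typed fields."""
    ts, src, dst, dport, action = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), action)


def find_lateral_movement(log_text, window=timedelta(minutes=5), min_peers=3):
    """Return {source: sorted peers} for every internal source that reached
    at least min_peers distinct internal hosts on admin ports inside any
    window-long span. Thresholds are assumptions; tune them to the site."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse(line)
        if dport in ADMIN_PORTS and src in INTERNAL and dst in INTERNAL:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event in turn.
        for i, (t0, _) in enumerate(evs):
            peers = {d for t, d in evs[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                alerts[str(src)] = sorted(str(p) for p in peers)
                break
    return alerts


if __name__ == "__main__":
    for src, peers in find_lateral_movement(SAMPLE_LOG).items():
        print(f"ALERT {src} touched {len(peers)} internal hosts on admin ports: {peers}")
```

In the constructed sample, one workstation fans out to five servers on SMB, RDP and WinRM inside two minutes and is flagged; the host that repeatedly reaches a single file server is not, because one destination is ordinary behaviour. A real deployment would feed this from the firewall or EDR export and route alerts to whoever is on call, since, as the third bullet says, a flag nobody acts on is not monitoring.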

Step 6: Patch fast, prioritizing known-exploited vulnerabilities

Timely patching is one of the most cost-effective steps a firm can take.

  • Keep operating systems, software, and firmware up to date.
  • Prioritize internet-facing systems and any vulnerability known to be actively exploited.
  • Automate updates where you can, so patching does not depend on someone remembering to do it.

Common questions

Should we pay the ransom if we are hit?

The FBI discourages paying. Payment does not guarantee you will get your data back, it does not guarantee the attacker will not leak it anyway, and it funds further crime. The better position is to never need to decide, which is what tested offline backups give you. If you are hit, contact law enforcement and file a report at ic3.gov.

Are small firms really at risk, or is ransomware mostly a big-company problem?

Small firms are squarely at risk. In 2025 the FBI received more than 1,400 ransomware complaints from businesses outside the critical-infrastructure sectors, and the hardest-hit industries were small professional-services firms: legal, contracting, engineering and architecture, and consulting. Attackers favor them precisely because they hold valuable data but often lack dedicated security staff.

What is the most important thing we can do first?

Get your backups right. Offline or off-site, immutable, encrypted, and regularly tested backups are the one control that lets you recover without paying a ransom. After that, turn on multi-factor authentication everywhere, starting with email and remote access.

How much does ransomware actually cost a small business?

Far more than the ransom itself. The FBI notes that reported loss figures usually exclude downtime, lost wages, lost business, and remediation costs. For a firm that bills by the hour, days or weeks offline can dwarf the ransom demand, which is why prevention is so much cheaper than recovery.

Want to know if your firm could recover from ransomware?

Veldtech builds layered, defense-in-depth protection for small businesses: immutable backups, MFA, network segmentation, endpoint monitoring, and patching, delivered as a managed service. We work with firms in Sacramento, Citrus Heights, and across Northern California. See our cybersecurity approach or get in touch.
