The threat landscape has shifted dramatically over the past 18 months. The days of ransomware groups targeting only large enterprises are firmly behind us. In our SOC, we are now seeing the majority of ransomware incidents directed at businesses with between 50 and 500 employees — organisations that typically lack the security tooling or staff to detect attacks before it is too late.

The Three Biggest Threats We Are Tracking

1. AI-Enhanced Phishing at Scale

Traditional phishing relied on mass, poorly written emails. The new generation uses large language models to craft highly personalised, grammatically perfect lures drawn from publicly available information — LinkedIn profiles, company websites, press releases. Our analysts have observed a 340% increase in business email compromise attempts against our client base in the past year, with attack quality improving quarter on quarter.

Defences that work: DMARC, DKIM and SPF enforcement; mandatory MFA on email; phishing-simulation training for users built on AI-generated scenarios (fight fire with fire).

2. Ransomware-as-a-Service Targeting SMBs

Groups like LockBit 3.0, BlackCat and Cl0p now operate franchise models — they provide the encryption tooling and infrastructure to affiliates who handle targeting and delivery. This has dramatically lowered the barrier to entry and expanded the pool of potential attackers. SMBs are preferred targets precisely because they often have valuable data, limited backups and no incident response capability.

What protects you: immutable, air-gapped backups; EDR on every endpoint; network segmentation to limit lateral movement; a tested incident response plan.

3. Exploitation of Unpatched Systems

The average time between a CVE being published and active exploitation has shrunk to under 72 hours for high-severity vulnerabilities. Organisations still running monthly patch cycles are exposed for weeks. In 2024, over 60% of successful breaches we investigated traced back to a known, unpatched vulnerability.

The fix is not complicated: automated patch management with verified deployment confirmation, and a vulnerability scanning programme that reports on exposure within 24 hours of new CVE publication.

What Our SOC Is Doing About It

We have retooled our threat detection playbooks to specifically target the indicators associated with these attack chains. That means SIEM rules tuned for AI-generated phishing patterns, EDR behavioural policies that catch ransomware encryption activity within seconds of initiation, and automated containment that isolates a compromised endpoint before the damage spreads.

In Q4 2024 alone, our automated containment prevented what our analysts estimate would have been seven successful ransomware deployments across our client base.

Practical Steps You Can Take This Week

  • Enforce MFA on every account — no exceptions, no exemptions
  • Run a vulnerability scan and remediate anything rated Critical or High
  • Test your backup restoration process — not just whether backups exist, but whether you can actually recover from them
  • Deploy DMARC in enforcement mode on your primary email domain
  • Ensure your EDR solution has behavioural detection enabled, not just signature-based scanning
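The DMARC enforcement-mode step above, and the DMARC/DKIM/SPF enforcement defence named under the phishing threat, both come down to what the domain's DMARC TXT record actually says. The following is an added example, not code from the original post: it parses a DMARC record and reports each setting that still leaves spoofed mail deliverable. The records and the example.com addresses are constructed, and no DNS lookup is made, so it runs offline.

```python
from typing import Dict, List

# Constructed sample records (example.com, not any real domain's policy).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.com")

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict.

    Tag names are case-insensitive; the record must begin with v=DMARC1.
    """
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the findings that stop this record being full enforcement.

    An empty list means mail failing DMARC is rejected or quarantined
    for the domain and all of its subdomains.
    """
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or '(missing)'}: monitoring only, "
                        "spoofed mail is still delivered")
    # pct below 100 applies the policy to only a sample of failing mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failures")
    # sp= defaults to p=; an explicit weaker sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy or '(missing)'}: subdomains not enforced")
    # Without rua= you receive no aggregate reports on who sends as you.
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports are not collected")
    return findings
```

Run `assess_dmarc` over the TXT record at `_dmarc.<your-domain>` (fetched with `dig TXT _dmarc.<your-domain>`) and treat any non-empty result as an open item; p=none with pct=100 is the most common state we see on first review.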

If you would like a free assessment of your current exposure, our team is available for a 30-minute review at no cost or commitment.