Ransomware Targeting Shift: Why Smaller Businesses Are Now the Primary Victims
Two of Britain’s most recognized brands got hit within weeks of each other in 2025. Marks & Spencer lost hundreds of millions of pounds in market value almost overnight. The Co-op Group — over 2,500 UK locations — watched attackers claim continued access even after the company believed the breach was contained. These were not isolated incidents or bad luck. They are proof of a well-documented ransomware targeting shift in how ransomware groups choose their victims. And if you run a mid-market business in the U.S., the targeting logic now points at you.
- What Actually Happened at M&S and Co-op
- Why Ransomware Groups Are Changing Their Targeting Logic
- The Down-Market Migration: From Enterprise to Mid-Market
- What This Means for NJ and Philadelphia-Area Business Owners
- What a Well-Run IT Environment Has in Place
- Key Action Steps to Address the Ransomware Targeting Shift
- The Bottom Line
What Actually Happened at M&S and Co-op
Details continue to emerge, but the core facts are clear. The Marks & Spencer attack — attributed to a threat group known as Scattered Spider — disrupted online ordering, froze contactless payment systems in stores, and forced the company to pull job listings and suspend certain online operations for weeks. Ransomware was deployed after attackers had already spent time moving through the network undetected.
The Co-op attack followed the same pattern. Attackers gained access, the organization identified the intrusion, and the response itself caused significant operational disruption. Then came the detail that should stop any business owner cold: the attackers claimed they still had access to Co-op systems even after the company believed it had contained the breach. We will come back to why that matters.
Both incidents share one entry point: social engineering. Specifically, a technique called help desk impersonation. The attackers did not crack a sophisticated technical barrier. They talked their way in. This ransomware targeting shift — from purely technical exploits to human-based entry — is what makes these attacks so difficult to stop without the right controls in place.
Why Ransomware Groups Are Changing Their Targeting Logic

For most of the 2010s, ransomware groups chased the biggest targets. Hospitals, municipal governments, critical infrastructure, Fortune 500 companies. Big organizations have big reputations to protect — the logic was they would pay a large ransom quickly.
That logic has been eroding. Large enterprises have dramatically increased their security investment since high-profile attacks like Colonial Pipeline and the Kaseya incident forced boards to act. Security teams grew. Detection and response capabilities improved. The return on effort for hitting a well-defended enterprise shrank.
At the same time, governments got more aggressive. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and international counterparts began coordinating infrastructure takedowns, seizing cryptocurrency wallets, and indicting operators. Attacking a major hospital or pipeline now carries real law enforcement risk.
The result: mid-market and smaller organizations became comparatively more attractive. Not because the ransom is as large, but because the effort required to compromise them is dramatically lower. The math shifted. This ransomware targeting shift is now well-documented across threat intelligence reports, and it is accelerating. Organizations that once felt too small to be targeted are now squarely in the crosshairs — precisely because of that assumption.
The Down-Market Migration: From Enterprise to Mid-Market
Scattered Spider is instructive here. The group reportedly behind the M&S attack is not a nation-state actor with unlimited resources. It is a loosely organized, largely English-speaking criminal network whose playbook relies on social engineering — help desk impersonation and phone-based fraud — rather than technical exploits. Low-tech entry point. High-damage outcome. This ransomware targeting shift to social engineering means any organization with a help desk or IT support function is potentially in scope.
What makes this group particularly relevant to mid-market business owners is that their approach scales down without friction. They do not need a zero-day vulnerability. They need an organization where:
- The help desk does not require confirmed, out-of-band identity verification before resetting credentials
- Multi-factor authentication has not been enforced on critical systems — or can be bypassed
- Once inside, there is limited monitoring to detect unusual movement across the network
- Backups exist but have never been tested, or are reachable from the same environment that gets encrypted
- There is no documented, practiced incident response plan — meaning the first hours of a breach are chaotic rather than structured
Every one of those conditions is more common in a 50-person service business or mid-market retailer than in a global enterprise. Attackers know it.
The Co-op detail about continued access after believed containment points to a deeper problem. Containment without thorough forensic investigation is not containment — it is a pause. Organizations without continuous visibility into their environments cannot know what an attacker has touched, what credentials were harvested, or what persistence mechanisms were left behind. The ransomware targeting shift toward mid-market businesses exploits exactly this visibility gap.
What This Means for NJ and Philadelphia-Area Business Owners
If your business operates in South Jersey, the Philadelphia metro, or anywhere in the region, the M&S and Co-op incidents are not stories about somewhere else. They describe the threat environment your organization is operating in right now. The ransomware targeting shift documented in these UK attacks is a global phenomenon — geography offers no protection.
Ransomware groups do not filter by revenue. They filter by the value you hold relative to how hard you are to compromise. A 40-person accounting firm in Cherry Hill, NJ with weak credential policies and no real monitoring is a far easier target than a 5,000-person enterprise with a dedicated security team — and a successful attack still yields client data, financial records, and access to client systems that translate into ransom or resale value.
The sectors most affected by this down-market ransomware targeting shift include retail and distribution (as M&S and Co-op illustrate), professional services firms, healthcare-adjacent businesses, and nonprofits. These organizations share a common profile: they handle sensitive data, they have operational dependencies that make downtime painful, and their IT environments have often grown organically without a deliberate security architecture underneath them.
It is also worth noting that the social engineering methods used in these UK attacks — help desk impersonation, voice phishing, phone-based fraud — require no technical sophistication to succeed against the target. A single employee acting on a reasonable-seeming request from someone claiming to be IT support can hand an attacker everything they need.
What a Well-Run IT Environment Has in Place
A well-run IT environment does not protect your business by hoping attackers choose someone else. It makes the cost of attacking your organization high enough that groups move on. Responding to the ransomware targeting shift means building defenses that eliminate the easy conditions attackers rely on. Here is what that looks like in practice:
- Identity verification strict enough that no credential reset or privileged access change happens without confirmed, out-of-band authentication — regardless of how convincing the caller sounds
- Multi-factor authentication enforced across every system that touches sensitive data or administrative access, with phishing-resistant methods where the stakes are highest
- Continuous monitoring so that unusual behavior — a user accessing systems they have never touched, lateral movement between network segments, large data transfers at odd hours — triggers an alert before an attacker reaches their objective
- Backups isolated from the production environment, tested on a schedule, and recoverable within a timeframe the business can actually survive
- An incident response plan that has been walked through, not just written — so the first hours of a breach are structured, not panicked
- Employee awareness training focused specifically on social engineering, voice-based attacks, and the psychology of urgency that attackers manufacture — not just an annual phishing simulation
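The monitoring signals listed above (first-time access to a system, lateral fan-out across network segments, large transfers at odd hours) can be turned into concrete detection rules. The following is an added example, not code from the original post or from Xact IT Solutions; the event format, segment map, access baseline and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access events (not real logs):
# (timestamp, user, source host, destination host, bytes transferred)
EVENTS = [
    ("2025-04-22T09:05:00", "alice", "ws-fin-01", "fileserv-01", 2_000_000),
    ("2025-04-22T23:40:00", "alice", "ws-fin-01", "dc-01", 1_000),
    ("2025-04-23T01:10:00", "alice", "ws-fin-01", "backup-01", 5_000),
    ("2025-04-23T02:30:00", "alice", "ws-fin-01", "fileserv-01", 900_000_000),
    ("2025-04-23T10:00:00", "svc-helpdesk", "ws-it-02", "dc-01", 10_000),
]

# Constructed baseline: hosts each account has historically touched (built from prior weeks in practice)
BASELINE = {"alice": {"fileserv-01", "mail-01"}, "svc-helpdesk": {"dc-01"}}

# Constructed network segment map; a real deployment would derive this from the IPAM or firewall zones
SEGMENT = {"ws-fin-01": "workstations", "ws-it-02": "workstations",
           "fileserv-01": "servers", "dc-01": "servers", "backup-01": "backup"}


def detect(events, baseline, large_bytes=500_000_000, quiet_hours=range(0, 6), fanout=3):
    """Return (user, reason, host) alerts for the three behaviours the text describes."""
    alerts = []
    cross_segment_dests = defaultdict(set)   # per user: distinct hosts reached in another segment
    for ts, user, src, dst, nbytes in events:
        hour = datetime.fromisoformat(ts).hour
        # 1. account touching a system it has never touched before
        if dst not in baseline.get(user, set()):
            alerts.append((user, "first-time access", dst))
        # 2. lateral movement: fan-out to several hosts outside the source's own segment
        if SEGMENT.get(src) != SEGMENT.get(dst) and dst not in cross_segment_dests[user]:
            cross_segment_dests[user].add(dst)
            if len(cross_segment_dests[user]) == fanout:   # alert once, when the threshold is crossed
                alerts.append((user, "lateral movement", dst))
        # 3. large data transfer during quiet hours
        if nbytes >= large_bytes and hour in quiet_hours:
            alerts.append((user, "large transfer off-hours", dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Run against the constructed events, the rules flag only the finance account's overnight activity and stay silent on the help desk service account's routine access.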
That last point deserves emphasis given what happened at M&S and Co-op. The entry point in both cases appears to have been human, not technical. The most sophisticated security stack in the world does not stop an attacker who has already convinced your IT team to hand over a password reset. Addressing the ransomware targeting shift means treating the human layer as a critical control surface, not an afterthought.
At Xact IT Solutions, we have maintained a zero client breach record across every organization we have served since 2004. That is not luck. It is the result of building environments where the controls above are the baseline — not optional features layered on after the fact. If you want to understand what that baseline looks like for your specific environment, our cybersecurity services page is a good place to start, or explore our broader managed IT services to see how we structure ongoing protection.
Key Action Steps to Address the Ransomware Targeting Shift
Understanding the ransomware targeting shift matters. Acting on it is what protects your business. The following steps represent the minimum viable response for any mid-market organization that takes this threat seriously.
Step 1 — Audit your identity verification procedures. What does your IT team or help desk require before resetting a password or granting elevated access? If the answer is a caller’s name and employee ID, that is not enough. Out-of-band verification — confirming through a separate, pre-established channel — should be mandatory for any privileged change, no exceptions. This single control would have disrupted the help desk impersonation method used against both M&S and Co-op.
Step 2 — Enforce phishing-resistant multi-factor authentication everywhere. Not just on email. On your VPN, remote access tools, cloud platforms, and any system with administrative access. NIST guidance on identity and access management is consistent: credential-based attacks remain the dominant initial access vector. Multi-factor authentication is the single highest-leverage control against them.
Step 3 — Test your backups, not just your backup process. Many organizations discover during an incident that backups were running but are not restorable, are infected, or take far longer to recover than the business can tolerate. A backup that has never been tested is not a backup. It is an assumption. Given the ransomware targeting shift toward organizations with weak recovery posture, untested backups are a critical liability.
Step 4 — Run a tabletop exercise. Gather your key stakeholders — IT, operations, leadership, legal if applicable — and walk through a realistic ransomware scenario. Who makes the call to take systems offline? Who contacts your cyber insurance carrier? Who communicates with customers? Those answers should be documented and rehearsed before they are needed under pressure.
Step 5 — Get an honest external assessment. Internal teams often know where the gaps are but lack the standing to close them. An external partner can provide both the assessment and a prioritized roadmap based on your specific environment and risk profile — not a generic checklist. With the ransomware targeting shift accelerating, a current, honest assessment is not optional for any organization handling sensitive data or dependent on uptime.
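Step 1 above turns on one rule: facts the caller supplies never authorize a reset, and the confirmation has to travel over a channel the caller cannot choose. The model below is an added example of that help desk policy, not code from the original post or from Xact IT Solutions; the employee directory, ticket structure and callback mechanism are constructed assumptions standing in for a real ticketing system.

```python
import secrets

# Constructed identity directory (sample data). The callback number is the pre-established
# out-of-band channel; nothing said on an inbound call can change it.
DIRECTORY = {
    "E1042": {"name": "Dana Ortiz", "callback_phone": "+1-856-555-0142"},
}


class ResetDesk:
    """Help desk that refuses credential resets until a callback to the registered number succeeds."""

    def __init__(self, directory):
        self.directory = directory
        self.tickets = {}   # ticket_id -> {"employee_id", "code", "confirmed"}
        self.outbox = []    # (phone to dial, one-time code); stands in for the real callback step

    def open_request(self, employee_id, claimed_name, caller_supplied_phone=None):
        """Name and employee ID only open a ticket; they authorize nothing.
        A number offered by the caller is deliberately ignored: the desk dials the directory number."""
        rec = self.directory.get(employee_id)
        if rec is None or rec["name"].casefold() != claimed_name.casefold():
            return None
        ticket_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.tickets[ticket_id] = {"employee_id": employee_id, "code": code, "confirmed": False}
        self.outbox.append((rec["callback_phone"], code))
        return ticket_id

    def confirm_callback(self, ticket_id, dialed_phone, code_read_back):
        """True only if the desk dialed the registered number and the code read back matches.
        Any failure closes the ticket, so a caller cannot keep guessing on the same request."""
        t = self.tickets.get(ticket_id)
        if t is None or t["confirmed"]:
            return False
        registered = self.directory[t["employee_id"]]["callback_phone"]
        ok = dialed_phone == registered and secrets.compare_digest(code_read_back, t["code"])
        if ok:
            t["confirmed"] = True
        else:
            del self.tickets[ticket_id]
        return ok

    def reset_password(self, ticket_id):
        """Perform the reset only for a confirmed ticket, and consume the ticket so it is single-use."""
        t = self.tickets.get(ticket_id)
        if not (t and t["confirmed"]):
            return False
        del self.tickets[ticket_id]
        return True
```

Notice that even a caller who knows the correct name and employee ID, and who offers a convenient number to call back, never gets a reset: the code only ever goes to the number on file.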
The Bottom Line
The M&S and Co-op attacks are not outliers. They are data points in a clear trend: the ransomware targeting shift is real, deliberate, and accelerating. Ransomware groups are moving down-market, applying enterprise-level tactics against organizations that have not built enterprise-level defenses. The entry methods are getting simpler. The damage is getting worse. And the gap between “we have not been attacked yet” and “we are being attacked right now” is narrower than most business owners realize.
The question worth sitting with is not whether your organization could be targeted. At this point, it almost certainly can be. The question is whether your current IT environment makes an attacker’s job easy or hard — and whether you know the honest answer.
A calm, structured environment is not built in response to a breach. It is built before one. The organizations that stayed out of the headlines this year were not lucky. They were prepared. They understood the ransomware targeting shift and acted on it before an incident forced the issue.
If you want a straight conversation about where your environment stands, Book a Free Cybersecurity Strategy Call. No pressure, no obligation — just a clear-eyed look at what you have and what it would take to close the gaps that matter most.
Let’s Talk About Your IT Strategy
If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.