A surge in ransomware is hitting small and mid-sized businesses, especially those in financial and insurance sectors, with the majority of attacks remaining unreported. With nearly half of UK companies experiencing breaches and double extortion tactics on the rise, business leaders face a quiet but mounting wave of disruption. Owners and CEOs should scrutinize their security strategies or risk operational, financial, and reputational fallout.
DragonForce Ransomware Strikes: Targeting Financial and Insurance Firms
In the past week, the DragonForce ransomware group launched a series of attacks targeting financial institutions and insurance providers, focusing on both U.S. and German markets. At least twelve new victims have been reported, according to PurpleOps. While these numbers may seem modest, the targeting was anything but random: DragonForce is going after firms that handle large amounts of sensitive financial data and whose business depends on trust and service continuity.
For business leaders in these sectors, the message is direct. Ransomware is now as much about reputational and regulatory risk as it is about immediate loss of funds. Unplanned downtime can quickly translate into lost clients, regulatory scrutiny, and employee overtime. The operational impact goes beyond IT: business processes, customer service, and even M&A activity can be threatened by data lockdowns or leaks.
What’s notable is the shift in attack sophistication. Groups like DragonForce are adopting tactics that maximize leverage, such as combining data encryption with threats of exposing sensitive information. This evolution in attacker behavior drives up the stakes for targeted businesses, especially those with legacy systems and limited cybersecurity staff.
Many of the DragonForce victims fit the profile of small or mid-market firms: large enough to be lucrative, but not large enough to have a full-time security team or crisis comms resource. For these businesses, even a single breach can be an inflection point, impacting renewal rates, investor confidence, and even insurability for years to come.
What’s Below The Surface: Hidden Ransomware and Industry-wide Risks
While high-profile incidents get headlines, the real numbers are far larger. BlackFog’s Q1 2026 report found just one out of every nine ransomware attacks makes it into the public eye. That leaves over 2,000 undisclosed events in a single quarter—many hitting firms that quietly negotiate or absorb operational losses to avoid publicity. For business owners, this underreporting can create a false sense of security and lead to underinvestment in cyber resilience.
The UK government’s Cyber Security Breaches Survey found that 43% of businesses encountered a security breach or attack in the past year—a figure that rises to nearly 7 in 10 for mid-sized and larger firms. Even with growing awareness, almost half of UK respondents say they are unprepared for a major incident. This mirrors trends in other mature markets, where attack volumes are rising but reporting, controls, and readiness often lag. In the U.S., the risk exposure is similarly acute, especially for verticals handling customer financial or health data.
Technical advances on the attacker side—like double extortion ransomware, which both locks up and exfiltrates data—are driving incident costs higher. Attackers can demand ransoms and, if refused, expose sensitive files to the public or competitors, multiplying the damage. This model heavily pressures business owners, even as the overall payment rate is declining: just 28% of companies are now paying ransoms, down from nearly 63% the year before. This is partly due to improved responses, but also due to regulatory clarity that dissuades ransom payments and the growing appetite to withstand legal and operational blows rather than negotiate with criminals.
A Shifting Threat Model: Ransomware, Silence, and Resilience Gaps
The defining trend is that ransomware is no longer a question of ‘if’ but ‘when’—and increasingly, the breach may never be public unless the attackers want it to be. Business leaders must recognize that the majority of cyber events happen under the radar, often with minimal disruption reported outside the affected company or sector. Attackers are calculating and selective, targeting the sectors where disruption is leverage and reputational damage is costly.
At the same time, the drop in ransom payments signals a pivot: businesses are getting better at backup recovery, limiting exposure, and communicating externally during incidents. Yet, the sheer volume of undisclosed attacks means too many companies are running silent and hoping for the best, rather than investing in controls, crisis playbooks, and rapid detection. For the mid-market, this is not just an IT problem—it’s a core business continuity issue tied to revenue and brand protection.
What Business Leaders Should Consider
- Evaluate your incident response plan: Ensure it’s up to date and tested with executives, not just IT.
- Scrutinize data backup and recovery: Test full recovery drills quarterly and confirm critical data can be restored quickly without ransom.
- Review cyber insurance coverage: Verify your policy covers extortion, downtime, legal costs, and notification requirements, especially for client data.
- Prioritize security awareness training: Make sure every department knows the basics of phishing and ransomware tactics—not just tech staff.
- Demand regular reporting: Ask for quarterly cybersecurity metrics from internal or external teams; undisclosed threats should not remain invisible to board and owners.
