Posted on Leave a comment

Southeast Asian SMEs remain soft targets as ransomware groups refine extortion tactics

Ransomware attacks against small- and medium-sized enterprises (SMEs) in Southeast Asia rose in the first quarter of 2026, according to new data from Kaspersky, underscoring how smaller companies remain exposed even as cybercriminal groups sharpen their tactics and shift towards more layered extortion models.

The cybersecurity company said 3.51 per cent of SMEs in Southeast Asia within its ecosystem were targeted by ransomware in Q1 2026, up from 2.92 per cent in the same period last year. While the increase is not dramatic, it points to a persistent problem for a segment of the economy that often lacks the budget, staff and technical maturity of large enterprises.

Also Read: Why cyber resilience is the new standard for SME survival

In Singapore, the proportion of SMEs targeted rose to 0.69 per cent from 0.57 per cent a year earlier. Malaysia saw a larger increase, from 2.09 per cent to 2.74 per cent, while Indonesia rose from 2.83 per cent to 4.01 per cent.

Kaspersky’s dataset also included India, where the figure climbed from 3.18 per cent to 4.07 per cent.

The Philippines, Thailand, and Vietnam recorded declines. The Philippines fell from 2.46 per cent to 1.80 per cent, Thailand from 1.28 per cent to 1.12 per cent, and Vietnam from 2.91 per cent to 2.56 per cent. But the broader pattern remains one of steady exposure rather than a retreat in attacker interest.

Why SMEs remain exposed

The numbers matter because SMEs form the operating backbone of Southeast Asia’s economy. Across ASEAN, micro, small and medium-sized enterprises account for the vast majority of businesses and a substantial share of employment. That scale makes them attractive targets for cybercriminals: individually less defended than large corporates, but collectively deeply embedded in supply chains, payments networks, and customer data flows.

Ransomware has also changed. The older model of encrypting files and demanding payment has been supplemented by “double extortion”, where attackers steal data before locking systems and then threaten to publish it if victims refuse to pay. That shift increases the pressure on smaller companies, which may be less able to absorb operational downtime, reputational damage or regulatory scrutiny.

Kaspersky noted that its detection metric captures only part of the attack chain. A ransomware incident typically involves several stages, including initial access, reconnaissance, privilege escalation, lateral movement and data exfiltration. The final deployment of the encryption Trojan is only one part of that process. If an attack is stopped earlier, it may not appear as a crypto-ransomware detection.

That means the actual level of ransomware activity around SMEs is likely higher than the headline figures suggest.

Fedor Sinitsyn, a security expert at Kaspersky, said backups alone are no longer enough. “Most modern ransomware actors use the double extortion approach, where the attackers not only encrypt the victim’s files, but also exfiltrate confidential data and threaten to leak it in case of non-payment,” he said. “A layered cyber protection strategy is hence needed to provide adequate protection from attacks.”

Leak sites reveal a crowded attacker market

Kaspersky’s Q1 2026 malware report also tracked ransomware groups by the number of victims added to dedicated leak sites. Clop topped the list, accounting for 14.42 per cent of victims published on the sites monitored by Kaspersky. Qilin followed with 12.34 per cent.

Also Read: 10 reasons not to pay the ransom in a ransomware attack

A newer group, The Gentlemen, ranked third. Kaspersky said the group emerged around July 2025 and has since expanded rapidly. Its tactics reportedly include custom-built tools for covert information gathering inside victim systems before ransomware deployment. The group is also believed to work with initial access brokers, who sell access to compromised organisations.

That model has become central to the ransomware economy. Rather than breaking into every target themselves, ransomware operators can buy access, rent infrastructure, outsource negotiations and use leak sites to pressure victims. This specialisation lowers the barrier to entry and makes it harder for defenders to treat ransomware as a single type of malware problem.

The competitive landscape in cybersecurity has become correspondingly crowded. Kaspersky competes with global vendors such as CrowdStrike, Palo Alto Networks, Microsoft, SentinelOne, Sophos, Fortinet, Trend Micro and Check Point, many of which are pushing endpoint detection and response, managed detection and response, and extended detection platforms to mid-market customers.

For Southeast Asian SMEss, however, the issue is often less about product availability than implementation. Many firms struggle with patch management, identity controls, endpoint visibility, employee training and incident response planning. Even when tools are deployed, they may not be monitored continuously.

The regional stakes are rising

The ransomware problem intersects with broader digitisation across Southeast Asia. As companies adopt cloud software, digital payments, e-commerce channels and remote work systems, their attack surface expands. Regulators are also tightening expectations around data protection and cyber resilience.

Singapore has taken a more structured approach through the Cyber Security Agency of Singapore and sector-specific requirements. Malaysia, Indonesia, Thailand, Vietnam and the Philippines have also been strengthening cybersecurity and data protection frameworks, though enforcement and organisational readiness vary widely.

Industry data suggests ransomware remains a material global threat. Verizon’s 2024 Data Breach Investigations Report found ransomware was present in 32 per cent of all breaches it analysed. IBM’s 2024 Cost of a Data Breach report put the global average cost of a breach at US$4.88 million, a level that would be existential for many smaller companies even if regional costs vary.

Those figures help explain why attackers continue to pursue SMEs. A small manufacturer, logistics provider, clinic, accounting firm, or software vendor may not be the ultimate prize, but it can offer a route into larger customers or critical supplier relationships. In Southeast Asia’s highly interconnected business environment, that makes SME cybersecurity a wider economic concern, not merely an internal IT issue.

Adrian Hia, Managing Director for Asia Pacific at Kaspersky, said attackers increasingly see SMEs as an entry point into broader supply chains. “They are also being directed at firms that often lack the resources to maintain dedicated cybersecurity teams or implement comprehensive patch management programmes, making them attractive targets for threat actors.”

Kaspersky’s recommendations are familiar but still unevenly adopted: keep software updated, monitor lateral movement and outbound traffic, maintain offline backups, deploy endpoint detection tools, and develop an incident response plan that includes supplier compromise.

Also Read: Thailand is suddenly on the frontline of a new ransomware wave

For SMEs, the challenge is prioritisation. Few can replicate enterprise-grade security operations. But the basics — patching critical systems, enforcing multi-factor authentication, testing backups, limiting privileges and knowing who to call during an incident — can meaningfully reduce risk.

The latest figures do not suggest a sudden ransomware crisis in Southeast Asia. They point to something more durable: a persistent, professionalised threat market that continues to find smaller businesses profitable. For a region whose digital economy depends heavily on SMEs adoption, that is a risk founders, operators and investors can no longer treat as a back-office concern.

 

The post Southeast Asian SMEs remain soft targets as ransomware groups refine extortion tactics appeared first on e27.

Leave a Reply

Your email address will not be published. Required fields are marked *