← All posts
·2 min read·By Phillip

Ransomware in 2026: The SMB Playbook for St. Louis Businesses

Ransomware crews have shifted tactics again in 2026 — data theft first, encryption second, and AI-driven social engineering everywhere. Here's what SMBs should actually do.

CybersecurityRansomwareSMB

Ransomware in 2026 barely resembles what we were fighting in 2021. The encryption payload is now optional — many crews skip it entirely and just exfiltrate data, then extort you with the threat of publishing it. Cyber insurance carriers have responded by tightening controls faster than most SMBs can keep up with. Here's the shortlist we're actually implementing at Saint Louis clients right now.

What's actually changing

  • Data-theft-only extortion. No encryption event to detect, no ransom note on a screen — just a call, an email, or a post to a leak site. Your first sign of compromise may be the extortion itself.
  • AI-assisted phishing and voice fraud. Deepfaked voicemails from "the CEO" asking finance to move money are now routine. Text-based lures are cleaner, better targeted, and localized to Saint Louis-area vendors.
  • Identity is the new perimeter. Attackers buy session tokens on the dark market and skip MFA entirely. Conditional access and token binding matter more than another training video.
  • MSP and vendor supply-chain attacks. The tool your MSP uses to patch your servers is now a target. Ask your provider how they secure their own stack.

The 2026 SMB baseline

If you can't check every box below, you're behind — and your insurance renewal is going to hurt.

  1. Phishing-resistant MFA on every admin, every identity provider, every remote access path. Push-based MFA is no longer good enough for privileged accounts.
  2. EDR on every endpoint, including servers, with 24/7 monitoring behind it. Antivirus doesn't count.
  3. Immutable, tested backups that live somewhere the domain admin can't reach. Test restore quarterly — not annually.
  4. Email security beyond the default M365 tier. Anti-phishing, safe links, safe attachments, DMARC in enforcement, external-sender banners.
  5. Least-privilege everywhere. Standard users are not local admins. Domain admins log in from privileged workstations only. Service accounts don't share passwords.
  6. Documented incident response plan. With your MSP, your insurer's breach coach, and your legal contact all listed. Practice it.

Where we see people get burned

  • Backups on a NAS that the domain admin account can reach → wiped along with production.
  • MFA everywhere except the one remote-access path an ex-employee still knows about.
  • M365 tenant with the default security posture and no conditional access rules.
  • No offline copy of anything. Ever.

What to do this quarter

Pick one weak link. Fix it. Then pick the next. If you're not sure which one to start with, book a free consultation and we'll walk your environment with you — no sales script, just a real conversation about where you'd be exposed today.