Ransomware attacks on small‑ and medium‑sized enterprises (SMEs) in Southeast Asia increased during the first quarter of 2026, according to fresh data from Kaspersky, highlighting the continued vulnerability of smaller firms as cyber‑criminal groups adopt more sophisticated, multi‑stage extortion tactics.
Kaspersky reported that 3.51% of SMEs in its Southeast Asian ecosystem were hit by ransomware in Q1 2026, compared with 2.92% in the same quarter of the previous year. Although the rise is modest, it underscores a lingering risk for a sector that typically lacks the financial resources, staffing, and technical maturity of larger corporations.
In Singapore, the share of targeted SMEs climbed to 0.69% from 0.57% a year earlier. Malaysia experienced a more pronounced jump, rising from 2.09% to 2.74%, and Indonesia increased from 2.83% to 4.01%.
India’s figure rose from 3.18% to 4.07%.
The Philippines, Thailand, and Vietnam saw decreases, with the Philippines dropping from 2.46% to 1.80%, Thailand from 1.28% to 1.12%, and Vietnam from 2.91% to 2.56%. Nonetheless, the overall trend reflects continued exposure rather than a withdrawal of attacker interest.
Why SMEs remain exposed
The numbers are significant because SMEs constitute the backbone of Southeast Asia’s economy. Throughout ASEAN, micro, small and medium‑sized enterprises represent the overwhelming majority of businesses and a large portion of employment. Their extensive reach makes them appealing targets: while individually less defended than large corporations, collectively they are deeply integrated into supply chains, payment systems, and customer data flows.
Ransomware tactics have evolved. In addition to encrypting files and demanding payment, attackers now employ “double extortion,” stealing data before encrypting systems and threatening to publish it unless the ransom is paid. This added pressure is especially challenging for smaller firms, which may lack the capacity to withstand operational downtime, reputational harm, or regulatory consequences.
Kaspersky cautioned that its detection metric reflects only a portion of the attack chain. A typical ransomware incident comprises multiple stages—initial access, reconnaissance, privilege escalation, lateral movement, and data exfiltration—with the encryption Trojan being just the final step. If an attack is halted earlier, it may not be recorded as a ransomware detection.
Consequently, the true extent of ransomware activity targeting SMEs is probably greater than the headline numbers indicate.
Fedor Sinitsyn, a Kaspersky security expert, noted that relying solely on backups is insufficient. “Modern ransomware actors employ double‑extortion tactics—encrypting files and exfiltrating data, then threatening to leak it if payment is not made,” he explained. “A layered cyber‑protection strategy is essential for adequate defense.”
Leak sites reveal a crowded attacker market
Kaspersky’s Q1 2026 malware report also examined ransomware groups by the number of victims added to dedicated leak sites. Clop led the ranking, representing 14.42% of the victims published on Kaspersky‑monitored leak sites, followed by Qilin at 12.34%.
A newer group, The Gentlemen, ranked third. Kaspersky reported that the group emerged around July 2025 and has since expanded rapidly. Its tactics reportedly involve custom tools for covert information gathering within victim systems prior to ransomware deployment, and it is believed to collaborate with initial access brokers who sell compromised access.
This model has become central to the ransomware economy. Instead of breaching each target directly, operators can purchase access, lease infrastructure, outsource negotiations, and leverage leak sites to pressure victims. This specialization lowers entry barriers and complicates defense efforts, making ransomware a multifaceted threat rather than a single malware type.
The cybersecurity competitive landscape is densely populated. Kaspersky competes with global vendors such as CrowdStrike, Palo Alto Networks, Microsoft, SentinelOne, Sophos, Fortinet, Trend Micro, and Check Point, many of which are promoting endpoint detection and response, managed detection and response, and extended detection platforms to mid‑market customers.
For Southeast Asian SMEs, the challenge is often less about product availability and more about implementation. Many firms struggle with patch management, identity controls, endpoint visibility, employee training, and incident response planning, and even when tools are deployed they may not be continuously monitored.
The regional stakes are rising
The ransomware challenge intersects with broader digitisation across Southeast Asia. As companies adopt cloud software, digital payments, e‑commerce platforms, and remote‑work solutions, their attack surface expands. Regulators are also tightening expectations around data protection and cyber‑resilience.
Singapore has adopted a more structured approach through its Cyber Security Agency and sector‑specific requirements. Malaysia, Indonesia, Thailand, Vietnam, and the Philippines have also been strengthening cybersecurity and data‑protection frameworks, though enforcement and organisational readiness vary widely.
Industry data indicates ransomware remains a significant global threat. Verizon’s 2024 Data Breach Investigations Report found ransomware in 32% of the breaches it analysed. IBM’s 2024 Cost of a Data Breach report estimated the global average breach cost at US$4.88 million, a figure that could be existential for many smaller firms, even if regional costs differ.
These figures illustrate why attackers continue to target SMEs. A small manufacturer, logistics provider, clinic, accounting firm, or software vendor may not be the primary prize, but they can serve as a gateway to larger customers or critical supplier relationships. In Southeast Asia’s highly interconnected business environment, SME cybersecurity becomes a broader economic concern, not just an internal IT issue.
Adrian Hia, Managing Director for Asia Pacific at Kaspersky, said attackers increasingly view SMEs as an entry point into broader supply chains. “They are also targeting firms that often lack dedicated cybersecurity teams or comprehensive patch‑management programmes, making them attractive to threat actors.”
Kaspersky’s recommendations, though familiar, are still unevenly adopted: keep software updated, monitor lateral movement and outbound traffic, maintain offline backups, deploy endpoint detection tools, and develop an incident response plan that includes supplier compromise.

