Kaspersky: over half of dark web initial access posts target SMBs, according to new research that highlights the increasing attention cybercriminals are giving to small and medium-sized businesses as attractive targets for ransomware, data theft and other cyberattacks.
Kaspersky: over half of dark web initial access posts target SMBs
The findings, released ahead of International SMB Day, underscore the growing need for cybersecurity for SMBs as threat actors continue to exploit businesses with limited security resources and lower levels of cyber resilience.
According to Kaspersky Digital Footprint Intelligence, researchers analysed hundreds of posts published by initial access brokers on dark web marketplaces between January and April 2025 and January and April 2026. The analysis found that offers involving compromised small and medium-sized organisations accounted for more than half of all initial access advertisements during the first four months of 2026.
Initial access brokers are cybercriminals who specialise in gaining unauthorised access to corporate networks before selling that access to other threat actors. Buyers often use the compromised entry points to launch ransomware attacks, steal confidential business information, commit financial fraud or carry out other malicious activities.
The report found that 40 percent of analysed posts offered access to allegedly compromised small businesses, while a further 20 percent targeted medium-sized organisations. Combined, these organisations represented the majority of all initial access offers identified on dark web forums during the study period.
Researchers noted that although small businesses accounted for the largest share of listings, medium-sized organisations remain particularly attractive targets. These companies often generate higher revenues than smaller firms while lacking the sophisticated security infrastructure typically found in large enterprises.
According to Kaspersky, this challenges the widespread misconception that cybercriminals focus primarily on large multinational corporations. Instead, businesses of every size are increasingly being targeted as attackers seek organisations with valuable data and comparatively weaker security controls.
The report also revealed that initial access brokers commonly advertise detailed information about compromised organisations, including their geographic location, industry sector, annual revenue and the type of network access available. Such information enables buyers to select targets that best match their criminal objectives.
Ekaterina Beloborodova, Digital Footprint Intelligence Analyst at Kaspersky, said companies should not underestimate their exposure to evolving dark web threats.
She noted that while posts involving small businesses are more common, medium-sized companies frequently become targets because they combine relatively strong financial potential with security capabilities that may not match those of larger organisations.
Beloborodova emphasised that organisations of all sizes should strengthen their cybersecurity posture by implementing appropriate security technologies, maintaining robust cybersecurity policies and continuously improving employee awareness of emerging cyber risks.
The findings come as cybercrime continues to evolve into a highly organised ecosystem in which specialised groups perform different stages of an attack. Initial access brokers focus solely on obtaining and selling network access, allowing ransomware operators and other criminal groups to launch attacks more efficiently.
To reduce exposure to these risks, Kaspersky recommends that organisations adopt security solutions appropriate to their business size, budget and operational requirements. Scalable cybersecurity platforms capable of detecting advanced threats and integrating easily into existing IT environments can help improve organisational resilience.
For businesses without dedicated cybersecurity teams, managed detection and response services provide continuous monitoring, threat detection and incident response capabilities that would otherwise require significant internal resources.
The report also highlights the importance of monitoring the surface web, deep web and dark web for leaked credentials, compromised business information and fraudulent websites impersonating legitimate organisations. Such monitoring enables businesses to identify potential threats before they develop into larger security incidents.
Beyond technology investments, experts recommend implementing clear policies governing the use of corporate systems, defining user access controls for email accounts, shared files and online documents, and conducting regular employee awareness training to reduce human error.
Regular data backups remain another critical defence, ensuring important business information can be recovered quickly in the event of ransomware attacks or other cyber incidents.
As cybercriminals increasingly target organisations with limited security resources, the latest research serves as a reminder that cybersecurity for SMBs is no longer optional. Strengthening defences against dark web threats, improving staff awareness and adopting proactive security measures can significantly reduce the likelihood and impact of future cyberattacks.

