TL;DR
- You're not the target — you're the rung. APT groups use small and medium businesses as stepping stones to bigger fish via supply chain compromise, credential theft, and infrastructure hijacking.
- Scattered Spider, Lazarus, and Volt Typhoon are the three groups most likely to burn your business in 2026 — through social engineering, ransomware, and stealthy network squatting respectively.
- Three cheap detections — unusual MFA enrollment alerts, outbound C2 traffic monitoring, and privileged account anomaly detection — can catch these groups before they ladder up through your environment. None require a SOC.
It's 6:47 AM on a Tuesday and your bookkeeper's phone buzzes with an Okta push notification. She didn't request it. She hits "Approve" anyway because she's late dropping the kids at school and it's probably just IT doing maintenance. That single tap just gave Scattered Spider a session token into your Microsoft 365 tenant. They'll sit there for three weeks, reading your email, finding out who your biggest client is, and crafting the exact phishing lure that gets them into that client's network. Congratulations — your 12-person engineering firm is now the supply chain compromise vector for a breach that'll make the AFR front page.
The uncomfortable truth for Australian SMBs in 2026 is that you don't need to be interesting to be useful. You just need to trust someone who is. Here are the three APT groups turning businesses like yours into ladder rungs — and what you can actually do about it.
Scattered Spider: The English-Speaking Identity Thieves
Scattered Spider — the name CrowdStrike uses for the group Microsoft tracks as Octo Tempest — is unique among APT groups for one unsettling reason: they sound like your mate from Brisbane. Native English-speaking operators run sophisticated social engineering campaigns that bypass technical controls by targeting the human in the loop [1].
What makes SMBs vulnerable: Most small businesses use Microsoft 365 with default security settings. MFA is on, but it's basic push-based MFA — the kind Scattered Spider specialises in defeating. Worse, SMBs with 5-25 staff rarely have conditional access policies, meaning a single compromised account grants access to everything. One breached bookkeeper's account → read access to every supplier invoice → complete mapping of who you pay and how much.
The supply chain angle: Scattered Spider operators conduct reconnaissance on a target's vendors and service providers. If you're an architecture firm that does work for a defence contractor, your email threads with that contractor are the intelligence payload. The group doesn't breach you to steal from you — they breach you to become you when emailing their real target [3].
Lazarus Group: Ransomware That Funds Nuclear Programmes
Most SMB owners hear "Lazarus Group" and think North Korean crypto heists. That was 2022. In 2026, the Lazarus subgroup Andariel is running Medusa ransomware operations that have already hit Australian healthcare nonprofits and educational facilities [1]. The average ransom demand is $260,000 — and unlike commodity ransomware gangs, Lazarus operators don't negotiate. They know hospitals, aged care providers, and disability services will pay because downtime directly threatens human lives.
How they get in: Lazarus operators exploit unpatched VPN appliances and public-facing applications. The group deploys a three-stage toolkit: infostealers to harvest credentials, remote access trojans like Comebacker for persistence, and Medusa ransomware for the final encryption event [1]. They're also increasingly targeting managed service providers — compromising one MSP gives them access to dozens of downstream SMB clients.
Why Australian SMBs should care: The Australian Signals Directorate's 2025 Threat Report identified healthcare and aged care as the fastest-growing ransomware target sector. If you run a medical practice, allied health clinic, or NDIS provider, you're in the crosshairs. But the broader concern is Lazarus's supply chain methodology: they compromise the weakest link in a service chain — often a small IT vendor or cloud service provider with privileged access to multiple downstream organisations [4].
The detection that would have caught them: Lazarus operators rely on known C2 infrastructure patterns and use specific DNS query behaviours that stand out against normal enterprise traffic. A basic DNS firewall or a simple outbound traffic monitoring rule — looking for beaconing patterns to known-bad IP ranges — would generate the alert that most SMBs are missing entirely.
Volt Typhoon: The Silent Squatters
Volt Typhoon — a PRC state-sponsored group tracked by the Five Eyes intelligence alliance — doesn't steal money or encrypt files. They steal residency. The group's playbook is to compromise edge networking devices (routers, firewalls, VPN concentrators) and establish long-term, low-observability persistence that goes undetected for 12-18 months [5]. Their target is critical infrastructure — energy, water, transport, communications. But they don't breach those targets directly.
The SMB vector: Volt Typhoon operators compromise the small engineering contractors, maintenance providers, and field service companies that have legitimate VPN access into critical infrastructure environments. A 15-person SCADA integrator in Newcastle with a standing site-to-site VPN into a water treatment plant is worth more to Volt Typhoon than a direct attack on the plant itself [5]. No one monitors the contractor's firewall logs. No one questions why that VPN tunnel transferred 14 GB of data at 3 AM for three consecutive nights.
Living-off-the-land: Volt Typhoon almost never deploys malware. They use native Windows and Linux tools — PowerShell, WMI, SSH, RDP — to move laterally and exfiltrate data. This makes them invisible to signature-based antivirus and endpoint detection that SMBs typically run [6]. The only reliable detection is behavioural: monitoring for new privileged account creation, unusual process ancestry chains, and abnormal network flows.
Three Detections Any SMB Can Set Up This Week
None of these require a security operations centre, a dedicated analyst, or a six-figure tooling budget. Each can be implemented with tools you probably already have.
1. MFA Enrollment and Credential Modification Alerting
Scattered Spider's entire business model collapses if you notice when a new MFA device gets registered or a password reset occurs outside business hours. Microsoft 365 includes this alerting natively in the Unified Audit Log. Enable it. Configure a flow that sends a real-time notification to the business owner's phone whenever a new authentication method is registered. Yes, it'll trigger during legitimate onboarding. The five-second sanity check is worth the signal.
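One way to turn that audit-log signal into an actual alert, as an added example that is not part of the original post: it runs over exported Unified Audit Log records (constructed here), flags security-info and password changes that land outside business hours, and separately spots the password-reset-then-new-MFA-method pairing. The operation names and the AEST business-hours window are assumptions to check against your own tenant.

```python
"""Flag MFA-method registrations and password resets outside business hours.

Added example, not from the original post. Input: Microsoft 365 Unified Audit Log
records (the AuditData JSON from Search-UnifiedAuditLog); only CreationTime, Operation,
UserId and ClientIP are read. The operation names are the ones Entra ID writes for
security-info and password changes; confirm them against your own tenant's export
(assumption). Sample records are constructed.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=10), "AEST")   # assumption: Queensland, no DST
BUSINESS_HOURS = range(8, 18)                       # 08:00-17:59 local, Mon-Fri

WATCHED_OPERATIONS = {          # "how this account authenticates just changed"
    "User registered security info": "new MFA method registered",
    "Admin registered security info": "MFA method registered by an admin",
    "User deleted security info": "MFA method removed",
    "Reset user password.": "password reset by an admin",
    "Change user password.": "password changed",
}
RESET_OPS = {"Reset user password.", "Change user password."}
REGISTER_OPS = {"User registered security info", "Admin registered security info"}

SAMPLE_RECORDS = [  # constructed; CreationTime is UTC with no offset, as in the UAL
    {"CreationTime": "2026-03-02T20:10:31", "Operation": "Reset user password.",
     "UserId": "bookkeeper@example.com.au", "ClientIP": "203.0.113.7"},   # 06:10 Tue
    {"CreationTime": "2026-03-02T20:14:09", "Operation": "User registered security info",
     "UserId": "bookkeeper@example.com.au", "ClientIP": "203.0.113.7"},   # 06:14 Tue
    {"CreationTime": "2026-03-03T00:30:00", "Operation": "User registered security info",
     "UserId": "newhire@example.com.au", "ClientIP": "198.51.100.2"},     # 10:30 Tue
    {"CreationTime": "2026-03-03T01:05:00", "Operation": "FileAccessed",
     "UserId": "engineer@example.com.au", "ClientIP": "198.51.100.2"},
    {"CreationTime": "2026-03-07T03:00:00", "Operation": "Change user password.",
     "UserId": "engineer@example.com.au", "ClientIP": "198.51.100.9"},    # 13:00 Sat
]

def to_local(creation_time: str) -> datetime:
    """UAL timestamps are UTC without a 'Z': attach UTC, then convert to local time."""
    return datetime.fromisoformat(creation_time).replace(tzinfo=timezone.utc).astimezone(LOCAL_TZ)

def outside_business_hours(when: datetime) -> bool:
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS

def credential_change_alerts(records):
    """One alert per watched operation that lands on a weekend or outside 08:00-17:59."""
    alerts = []
    for rec in records:
        label = WATCHED_OPERATIONS.get(rec.get("Operation"))
        if label is None:
            continue
        when = to_local(rec["CreationTime"])
        if outside_business_hours(when):
            alerts.append({"user": rec["UserId"], "what": label,
                           "local_time": when.strftime("%a %Y-%m-%d %H:%M %Z"),
                           "client_ip": rec.get("ClientIP", "?")})
    return alerts

def takeover_sequences(records, window_minutes=60):
    """Users with a password reset followed by a new MFA method within the window.

    That pairing is the account-takeover shape whatever the time of day, so it is
    worth a phone call to the user even when the off-hours alert stays quiet."""
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["UserId"], []).append(rec)
    flagged = []
    for user, recs in by_user.items():
        resets = [to_local(r["CreationTime"]) for r in recs if r["Operation"] in RESET_OPS]
        regs = [to_local(r["CreationTime"]) for r in recs if r["Operation"] in REGISTER_OPS]
        if any(0 <= (reg - rst).total_seconds() <= window_minutes * 60
               for rst in resets for reg in regs):
            flagged.append(user)
    return flagged
```

Legitimate onboarding during the day (the newhire record) produces no alert; the bookkeeper's reset-then-register pair before 7 AM produces two, plus a takeover flag.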
2. Outbound C2 Connection Monitoring via DNS Filtering
Lazarus malware phones home. It has to. Commodity DNS filtering services — Quad9 (free), Cisco Umbrella (AUD $3-5/user/month), or even the threat intelligence feeds built into most enterprise-grade firewalls — block known C2 domains based on continuously updated threat feeds. If your firewall or DNS resolver can query a threat intelligence blocklist, you've just forced Lazarus operators to burn infrastructure trying to reach your endpoints.
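The blocklist lookup above and the beaconing pattern from the Lazarus section, as one added example that is not from the original post: it reads a constructed resolver query log, reports names that match a (constructed) threat feed, and flags client/name pairs whose query spacing is too regular to be a person. The log format and the thresholds are assumptions.

```python
"""Two cheap C2 checks over DNS resolver logs: blocklist hits and beacon-like periodicity.

Added example, not from the original post. The log line format (timestamp, client IP,
queried name), the blocklist entries and the sample log are constructed; in practice feed
it your resolver's query log and a real threat-intelligence feed. Beacon detection looks
for one client asking for one name on a near-constant interval, which is how malware
polling its C2 server looks and how normal browsing does not.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a threat-intel feed; the .test TLD is reserved and never resolves.
BLOCKLIST = {"known-bad.example.test", "payload-host.example.test"}

def make_sample_log():
    """One host polling a name every ~60 s, one host browsing normally, one blocklist hit."""
    base = datetime(2026, 3, 3, 1, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 0, 1]):
        t = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{t.isoformat()} 192.168.10.23 cdn-sync.example.test")
    for offset in [0, 7, 9, 45, 130, 131, 400, 2000]:         # irregular, human-shaped
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 192.168.10.41 www.example.com")
    t = base + timedelta(minutes=30)
    lines.append(f"{t.isoformat()} 192.168.10.23 known-bad.example.test")
    return lines

def parse(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower()

def blocklist_hits(lines):
    """(client, name) pairs that asked for a name on the feed: block and alert immediately."""
    return [(client, qname) for _, client, qname in map(parse, lines) if qname in BLOCKLIST]

def beacon_candidates(lines, min_queries=8, max_cv=0.15, min_period=10, max_period=3600):
    """(client, name, period_seconds) for query streams with metronome-like spacing.

    cv is the standard deviation of the gaps between queries divided by their mean; a
    beacon sits well under 0.15, human browsing is far above it."""
    times = defaultdict(list)
    for ts, client, qname in map(parse, lines):
        times[(client, qname)].append(ts)
    found = []
    for (client, qname), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if not min_period <= period <= max_period:
            continue
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            found.append((client, qname, round(period)))
    return found
```

The periodicity check is the one that still fires when the C2 domain is new and on no feed yet; implants that add heavy random jitter will slip under it, which is why both checks run.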
3. Privileged Group Membership Change Monitoring
Volt Typhoon operators need to create local admin accounts or add compromised accounts to privileged groups to move laterally. Every Windows environment logs these events. Windows Event Forwarding, configured through Group Policy, can ship Security Event ID 4728 (member added to a security-enabled global group) and Event ID 4732 (member added to a security-enabled local group) to a central collector or an email alert. If a new domain admin appears at 11 PM on a Saturday, someone needs to know before Monday morning.
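A small alert filter for those events, as an added example that is not from the original post. It also handles 4756 (universal groups such as Enterprise Admins, which 4728 does not cover) and 4720 (account creation, the step that usually comes first). The event records and the privileged-group list are constructed assumptions; feed it whatever your forwarder exports as JSON.

```python
"""Turn Windows Security group-change events into alerts worth paging on.

Added example, not from the original post. Records are constructed to mirror the fields
the real events carry: SubjectUserName is who made the change, TargetUserName the group
(or, for 4720, the new account), MemberName/MemberSid the added member. 4756 is included
because universal groups such as Enterprise Admins log there rather than under 4728;
4720 catches the new-account step. Timestamps are read as local time (assumption).
"""
from datetime import datetime

GROUP_EVENTS = {4728: "global group", 4732: "local group", 4756: "universal group"}
ACCOUNT_CREATED = 4720
PRIVILEGED_GROUPS = {   # tier-0 and local-admin groups; extend for your environment
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "server operators",
}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Mon-Fri (assumption)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4728, "TimeCreated": "2026-03-07T23:05:41", "Computer": "DC01",
     "SubjectUserName": "svc-backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"},               # Saturday night
    {"EventID": 4732, "TimeCreated": "2026-03-03T10:15:02", "Computer": "WS-ACCT-01",
     "SubjectUserName": "itadmin", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=helpdesk,OU=Staff,DC=corp,DC=example"},           # routine
    {"EventID": 4756, "TimeCreated": "2026-03-03T14:00:00", "Computer": "DC01",
     "SubjectUserName": "itadmin", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4720, "TimeCreated": "2026-03-08T03:12:27", "Computer": "DC01",
     "SubjectUserName": "svc-backup", "TargetUserName": "backup-adm"},   # Sunday 03:12
    {"EventID": 4732, "TimeCreated": "2026-03-03T10:16:45", "Computer": "WS-ACCT-01",
     "SubjectUserName": "itadmin", "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
]

def off_hours(time_created: str) -> bool:
    when = datetime.fromisoformat(time_created)
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS

def member_label(ev) -> str:
    """'CN=jdoe,OU=...' -> 'jdoe'; falls back to the SID when MemberName is '-' (common for 4732)."""
    name = ev.get("MemberName", "-")
    if name == "-":
        return ev.get("MemberSid", "?")
    first = name.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first

def privileged_change_alerts(events):
    """Alerts for privileged-group additions and account creations; routine churn is skipped."""
    alerts = []
    for ev in events:
        eid, late = ev["EventID"], off_hours(ev["TimeCreated"])
        if eid in GROUP_EVENTS:
            group = ev["TargetUserName"]
            if group.lower() not in PRIVILEGED_GROUPS:
                continue                    # keep the log line, don't page anyone
            severity = "critical" if late else "high"
            what = (f"{ev['SubjectUserName']} added {member_label(ev)} to {group} "
                    f"({GROUP_EVENTS[eid]}) on {ev['Computer']}")
        elif eid == ACCOUNT_CREATED:
            severity = "high" if late else "medium"
            what = f"{ev['SubjectUserName']} created account {ev['TargetUserName']} on {ev['Computer']}"
        else:
            continue
        alerts.append({"severity": severity, "time": ev["TimeCreated"], "what": what})
    return alerts
```

The Remote Desktop Users change is logged but never paged; the Saturday-night Domain Admins addition by a service account is the one that should wake someone up.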
FAQ
Your MSP should absolutely be handling technical controls, but APT groups actively target MSPs precisely because they hold the keys to dozens of clients. Ask your provider three specific questions: Do you enforce phishing-resistant MFA internally? Do you monitor for credential abuse across all client tenants? Would you detect a Volt Typhoon-style VPN squat on your own infrastructure? If any answer is "no" or a vague yes, your supply chain risk is higher than you think.
Scattered Spider operators automate credential harvesting at scale. Your size is irrelevant — your access is what matters. If your email account has ever cc'd someone at a larger organisation, your business is an attack vector. The question isn't whether you're a target; it's whether you're the target or the stepping stone to one.
Enrol in the ACSC's free cyber threat alerting service and enable MFA number matching (not push-based MFA) for all Microsoft 365 accounts. Number matching forces users to type a two-digit code from the login screen into their authenticator app, completely defeating MFA fatigue attacks. This takes 15 minutes in the Microsoft Entra admin centre and costs nothing.
Scattered Spider's average time-to-ransom after initial access is under 48 hours. Lazarus operators conduct reconnaissance for 2-5 days before deploying ransomware. Volt Typhoon sits quietly for months. Different urgency, same consequence: if you're not monitoring for initial access indicators, you won't know until the invoice arrives — whether that's a ransom note or a data exfiltration you can't explain to the OAIC.
Conclusion
APT groups don't need to care about your business to destroy it. They just need you to trust the wrong email, run the wrong update, or connect to the wrong customer's network with the wrong credentials. The three detections above — MFA alerting, DNS-based C2 blocking, and privileged account monitoring — are low-cost, high-signal controls that turn your business from a convenient stepping stone into a noisy, unappealing target. None requires a security team. All three together cost less than the excess on a cyber insurance policy that won't pay out because you didn't have MFA on your admin accounts.
Don't know where to start? Visit consult.lil.business for a free 30-minute cybersecurity triage session. We'll map your supply chain risk, identify the three highest-impact controls for your specific business, and give you a prioritised remediation plan you can hand straight to your IT provider — no jargon, no upsell, no obligation.
References
[1] ThreatHive, "APT Groups Targeting Healthcare in 2026: Who They Are and How to Detect Them," ThreatHive Blog, May 2026. [Online]. Available: https://threathive.ai/blog/apt-groups-targeting-healthcare-2026/
[2] CrowdStrike, "Scattered Spider: The Elusive Adversary Exploiting Identity," CrowdStrike Falcon Adversary Intelligence, 2025. [Online]. Available: https://www.crowdstrike.com/adversaries/scattered-spider/
[3] Microsoft Threat Intelligence, "Octo Tempest: A Dangerous and Evolving Threat Actor," Microsoft Security Blog, October 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/25/octo-tempest-a-dangerous-and-evolving-threat-actor/
[4] Australian Signals Directorate, "ASD Cyber Threat Report 2024–2025," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report
[5] Cybersecurity and Infrastructure Security Agency (CISA), "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Joint Cybersecurity Advisory AA23-129A, May 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
[6] Netlas, "Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies," Netlas Blog, January 2026. [Online]. Available: https://netlas.io/blog/top_10_critical_threat_actors/
[7] MITRE ATT&CK, "Groups," MITRE ATT&CK Knowledge Base, 2026. [Online]. Available: https://attack.mitre.org/groups/
[8] ACSC, "Essential Eight Maturity Model," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
TL;DR
- A hotel company called Sileno recently had 22.9 terabytes of files locked in just 14 hours by ransomware — that's like filling 5,000 DVDs with locked files
- Modern ransomware works like a super-fast digital burglar that both steals your files AND locks your originals
- The best protection is offline backups (copies of your files that hackers can't reach) + good security habits
- This kind of attack can put small businesses out of business permanently, but the right protection is affordable and achievable
What Happened to Sileno?
Imagine you run a hotel business. You have booking systems, guest information, payment records, and years of business files all stored digitally. One morning, you discover that all of it is locked — 22.9 terabytes (that's trillions of pages of documents) scrambled and unreadable.
This happened to Sileno Companies Inc in March 2026. A type of malicious software called "ransomware" swept through their computer systems and locked everything in just 14 hours [1]. Think about that speed: in the time it takes to watch a movie, hackers locked what would take thousands of years to read.
But it gets worse. Before locking the files, the hackers also stole 67 gigabytes of data (about 15 million photos worth) [1]. Now they're demanding money twice: once to unlock the files, and again to not publish the stolen data online.
Why This Speed Is Scary
Old ransomware was slow. It might take days to lock files, giving businesses time to catch it and stop it. Modern ransomware is different:
- It's automated — Like a robot that works 24 hours without breaks
- It works in parallel — Like having 100 thieves robbing 100 houses at once instead of one thief hitting one house at a time
- It's optimized — Built specifically for speed, like a race car versus a regular car
The Sileno attack locked 455 gigabytes per hour [1]. At that speed, a small business with 1 terabyte of data (a typical amount) would be completely locked in just over 2 hours.
The Double Trouble: Stealing AND Locking
Here's the really important thing to understand: modern ransomware does two things:
- Steals your files first — Quietly copies your data to the hackers' computers over days or weeks
- Locks your files second — Then scrambles your originals so you can't use them
This is called "double extortion," and it changes everything.
Why backups alone aren't enough anymore: If you have great backups, you can ignore the ransom demand for unlocking your files. You just restore from backup. But the hackers still have your stolen data. They can threaten to publish it, sell it, or use it for fraud unless you pay them.
According to cybersecurity research, 77% of ransomware attacks now involve data theft before locking files [2].
The House Lock Analogy
Think of your business data like a house full of valuable stuff:
- Old ransomware: Smashed your windows and locked your doors. You had backup keys (backups) to get back in.
- New ransomware: Picks your locks, steals your most valuable items, AND then welds your doors shut. Even if you have backup keys, your stuff is already gone.
This is why modern security needs multiple layers: not just backups, but also security cameras (monitoring), better locks (access controls), and alarm systems (detection).
What This Means for Small Businesses
You might think "I'm too small to target." But that's not how modern ransomware works:
- It's automated — Hackers run automated attacks that scan the internet for vulnerable businesses, regardless of size
- The money is in small businesses — Large companies have security teams. Small businesses often don't, making them easier targets
- The average cost is $4.88 million — That's the global average cost of a ransomware attack, including recovery, lost business, and damage [3]
For many small businesses, a ransomware attack is fatal. Studies show that 60% of small businesses close within 6 months of a significant cyberattack [4].
The Protection Formula (Simple Version)
Good news: the protection against ransomware is straightforward, even for small businesses with limited budgets. Think of it like protecting your house:
1. Offline Backups (The Spare Keys You Keep at a Friend's House)
What it means: Keep copies of your important files on storage that hackers can't reach from your main network.
Why it works: When ransomware locks your files, you simply restore from the offline backup. The hackers can't touch the backup because it's not connected to your network.
How to do it:
- External hard drives that you plug in only for backups, then unplug and store securely
- Cloud backup with "immutable" storage (meaning it can't be changed or deleted for a set time)
- Test your backups regularly by restoring files to make sure they actually work
Real-world data: Even when businesses pay ransoms, 82% can't recover all their data [5]. Working backups are the only reliable recovery method.
2. Network Segmentation (Fire Doors in Your Building)
What it means: Divide your computer network into separate sections so hackers can't move freely between them.
Why it works: If hackers get into one section (like guest WiFi), they can't reach critical systems (like payment processing or employee records).
How to do it:
- Put guest WiFi on a completely separate network from business systems
- Use different passwords for different parts of your network
- Ask your IT person about "VLANs" or "network segmentation" — these are standard, affordable features in business networking equipment
3. Detection Systems (Security Cameras and Alarms)
What it means: Software that watches for suspicious activity and alerts you immediately.
Why it works: Modern ransomware moves fast (hours, not days). You need automated systems watching 24/7 because humans can't monitor everything.
How to do it:
- Install EDR (Endpoint Detection and Response) software on all computers — this is like antivirus but much smarter, watching for ransomware behavior patterns
- Set up alerts for large data transfers (if suddenly gigabytes of data are leaving your network at 2 AM, something's wrong)
- Use a security service that monitors your systems for you
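The "gigabytes leaving at 2 AM" alert, and the 14 GB-at-3 AM VPN pattern from the Volt Typhoon section earlier on this page, as one added example that is not from the original post: it sums each host's overnight outbound bytes from constructed flow records, skips the known backup destination, and flags hosts that cross a threshold on repeated nights. The record format, the night window and the threshold are assumptions.

```python
"""Flag hosts that push large volumes out overnight, night after night.

Added example, not from the original post. Input is constructed flow records in the
form "timestamp src dst bytes" (what a firewall or NetFlow export boils down to).
Timestamps are local; the 5 GB threshold, the 22:00-06:00 window and the backup
allowlist are assumptions to tune for your own network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BYTES_PER_GB = 1_000_000_000
NIGHT_THRESHOLD_GB = 5.0
BACKUP_DESTINATIONS = {"203.0.113.50"}   # constructed: where legitimate backups go

def make_sample_flows():
    """Contractor VPN host sending 14 GB at 03:00 on three nights, plus benign traffic."""
    lines = []
    for day in (3, 4, 5):
        for chunk in range(14):                           # 14 x 1 GB between 03:00 and 03:26
            t = datetime(2026, 3, day, 3, 2 * chunk)
            lines.append(f"{t.isoformat()} 10.20.0.5 198.51.100.77 {BYTES_PER_GB}")
    t = datetime(2026, 3, 4, 1, 0)                         # nightly backup, allowlisted target
    lines.append(f"{t.isoformat()} 10.20.0.9 203.0.113.50 {30 * BYTES_PER_GB}")
    t = datetime(2026, 3, 4, 3, 10)                        # 200 MB patch download
    lines.append(f"{t.isoformat()} 10.20.0.31 198.51.100.5 200000000")
    t = datetime(2026, 3, 4, 11, 0)                        # daytime: not this rule's job
    lines.append(f"{t.isoformat()} 10.20.0.5 198.51.100.77 {20 * BYTES_PER_GB}")
    return lines

def night_of(ts: datetime):
    """Date of the evening a 22:00-06:00 timestamp belongs to; None for daytime."""
    if ts.hour >= 22:
        return ts.date()
    if ts.hour < 6:
        return (ts - timedelta(days=1)).date()
    return None

def night_exfil_alerts(lines, threshold_gb=NIGHT_THRESHOLD_GB):
    """{src: {"nights": [(date, GB), ...], "repeated": bool}} for hosts over the threshold."""
    per_night = defaultdict(float)
    for line in lines:
        ts, src, dst, nbytes = line.split()
        if dst in BACKUP_DESTINATIONS:
            continue                                       # known bulk transfer
        night = night_of(datetime.fromisoformat(ts))
        if night is None:
            continue
        per_night[(src, night)] += int(nbytes) / BYTES_PER_GB
    over = defaultdict(list)
    for (src, night), gb in sorted(per_night.items()):
        if gb > threshold_gb:
            over[src].append((night.isoformat(), round(gb, 1)))
    # The same host over the line on two or more nights is the pattern the Volt Typhoon
    # section describes; a single night is more often a one-off.
    return {src: {"nights": nights, "repeated": len(nights) >= 2}
            for src, nights in over.items()}
```

The backup server's 30 GB is ignored only because its destination is on the allowlist; the same volume to anywhere else would be the loudest alert in the set.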
4. Employee Training (Teaching Everyone to Lock Doors)
What it means: Training your team to recognize and avoid ransomware traps.
Why it works: Most ransomware attacks start with someone clicking a fake email or downloading a malicious file. Well-trained employees are your first line of defense.
How to do it:
- Regular security awareness training (even 30 minutes monthly makes a huge difference)
- Teach employees to verify unexpected emails before clicking links or attachments
- Create a "report first" culture where employees are encouraged to report suspicious messages
The Cost Comparison: Protection vs. Recovery
Here's the reality that every business owner needs to understand:
Prevention costs: Basic ransomware protection (EDR, backups, training, and monitoring) typically costs $5K–$20K per year for a small business.
Recovery costs: The average ransomware attack costs $4.88 million globally [3]. For small businesses, it's often tens of thousands even without paying ransom — plus weeks of downtime, lost customers, and reputation damage.
This isn't fear-mongering. It's simple math: prevention is 100x cheaper than recovery.
The Good News: You Don't Need to Be Perfect
Here's what's encouraging: you don't need to stop every attack. You just need to make your business harder to target than others.
Ransomware attackers are opportunistic. They prefer easy targets. When you implement:
- Offline backups (they can't lock your recovery)
- Network segmentation (they can't move freely)
- Detection systems (you catch them early)
- Employee training (fewer successful attacks)
You become a harder target. Many attackers will move on to easier prey.
The Reality Check: This Can Happen to Any Business
Sileno Companies Inc is a real business with real employees and real customers. Their attack happened in March 2026 — not 2016, not ancient history [1]. This is happening today, to businesses of all sizes.
The difference between businesses that survive ransomware and businesses that don't often comes down to one thing: preparation before the attack.
Ransomware isn't a technology problem anymore. It's a business risk, like fire, flood, or economic downturn. Smart businesses prepare for it.
What You Can Do This Week
Based on what we know from the Sileno attack and current ransomware threats, here's your immediate checklist:
- Check your backups — Ask your IT person: "Are our backups offline and tested?" If they can't immediately say yes, that's a problem.
- Review your network — Are guest networks separate from business systems? Can anyone on the WiFi reach payment systems?
- Install EDR — If you're running old-style antivirus only, upgrade to EDR. The cost difference is small, but the protection improvement is massive.
- Train your team — Schedule a 30-minute security training session. Cover email safety and what to do if something seems suspicious.
- Make a plan — Document what to do if ransomware hits: who to call, how to isolate systems, and how to restore from backup.
FAQ
It depends on how your backups are set up. If backups are connected to your network all the time, yes — ransomware can lock them too. This is why offline backups (storage that's not connected to your network except during backup operations) are essential. Think of it like keeping spare keys at a friend's house instead of under your doormat.
No. Law enforcement, cybersecurity experts, and government agencies all recommend against paying ransoms. Here's why:
- 82% of businesses that pay still can't recover all their data [5]
- Paying funds criminal operations and encourages more attacks
- There's no guarantee the hackers will actually unlock your files or delete stolen data
The only reliable recovery is from backups. If you don't have backups, work with cybersecurity professionals who may have other options.
Recovery time varies based on:
- Backup quality — If you have tested, offline backups, recovery might take days
- System complexity — More systems and more data means longer recovery
- Planning — Businesses with incident response plans recover faster
Average recovery time from IBM's research is 297 days for full business recovery [3], though basic operations can often resume in days if you have good backups and a solid plan.
Think of it like security guards:
- Antivirus — Checks ID cards against a blacklist of known bad guys. Good for stopping known threats, but misses new ones.
- EDR (Endpoint Detection and Response) — Watches behavior patterns. If someone is acting suspiciously (trying thousands of doors, carrying unusual packages), EDR flags them even if they're not on any blacklist.
Modern ransomware uses new variants that antivirus doesn't recognise. EDR detects ransomware by watching for ransomware behavior patterns: rapid file encryption, suspicious process activity, and unusual network connections.
There's no one-size-fits-all answer, but here's a reasonable framework for a business with 10-50 employees:
- EDR software: $500–$2,000 per year
- Offline backups: $500–$3,000 per year (hardware + cloud storage)
- Network security (firewall, segmentation): $1,000–$5,000 one-time setup
- Employee training: $500–$2,000 per year
- Monitoring service: $1,000–$5,000 per year
Total: $3,500–$17,000 per year for a solid ransomware defense.
Compare this to the $4.88 million average cost of a ransomware attack [3], and it's clear: protection is vastly cheaper than recovery.
References
[1] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/
[2] Coveware, "Global Ransomware Report 2025," Coveware, 2025. [Online]. Available: https://www.coveware.com/global-ransomware-report
[3] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[4] U.S. National Cyber Security Alliance, "Small Business Survey 2025," NCSA, 2025. [Online]. Available: https://www.staysafeonline.org/small-business-survey
[5] Veeam, "Data Protection Report 2025," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report
You don't have to face this alone. lilMONSTER helps small businesses build protection against modern ransomware without breaking the bank. We assess your risks, design practical protection plans, and make sure you can recover if anything happens. Book a free consultation at consult.lil.business — let's make sure your business stays secure, no matter what threats come your way.