Midnight hour for SMEs – new ransomware threat exposed
Researchers have identified a new ransomware strain known as Midnight that targets the files small businesses depend on most – databases, backups and archives.
The biggest risk Midnight poses to small businesses is disruption – it targets the files that keep a business running: customer records, financial data, stock systems and backups. When those are locked, a business cannot function properly.
“The potential ‘penalty’ of Midnight isn’t the ransom demand itself; it’s the downtime, the loss of access to essential information, and the stress of trying to restore operations,” Dean Williams, senior systems engineer for Norton – renowned antivirus and scam protection organisation – explains. “For a small business that doesn’t have a large IT team or spare capacity, even a few days of disruption can have a fatal financial impact.”

Midnight reinforces a pattern that cyber security experts have been tracking – ransomware groups retooling leaked code into ‘new’ threats that spread faster, encrypt more efficiently, and demand higher payouts, making attacks faster and harder to interrupt.
Based on the code of a significant ransomware package called Babuk, and adapted by malicious actors, Midnight is an example of how leaked ransomware continues to be recycled into new entities that potentially pose a greater threat than the original they ‘morphed’ from.
Norton first started tracking Midnight earlier this year, when new ransomware samples began appearing that looked similar to older Babuk-based ransomware. “Once we analysed the code more closely, we confirmed that it was built directly from the leaked Babuk source, but with new changes added by the attackers,” Williams says.
Babuk was a well-known ransomware group a couple of years ago. Its source code leaked online, which meant that anyone could download it and create their own version. Midnight is essentially a reworked version of Babuk.
Midnight focuses heavily on the systems that store a business’s core operational information – the places where inventory information, customer details and day-to-day business files live. “If those are encrypted, the business can’t access the information it needs to trade,” Williams laments. “So, even if the attack isn’t particularly sophisticated, the impact feels very immediate because it hits the operational heart of the business.”
One Midnight victim Norton dealt with was a small retail business that woke up to find its inventory system and point-of-sale data encrypted. “They couldn’t process transactions or manage stock,” Williams says. “The attackers demanded a ransom, but rather than paying, the business worked with support to restore from backups and clean their systems. It took time, and they did lose revenue during that period, but they recovered. What we consistently see is that the businesses that recover fastest are the ones that have good offline or offsite backups.”
On the upside, Williams can share a number of effective and “easily” achievable things small businesses can do to mitigate the risk of Midnight. “The first is to maintain regular backups and keep at least one backup offline so ransomware can’t reach it,” he recommends. “The second is to use multi-factor authentication for systems like email, banking and accounting software; this makes it much harder for attackers to break in. Keeping all your software updated also makes a big difference, because many attacks take advantage of old security vulnerabilities. And lastly, a small amount of staff awareness goes a long way; things like not clicking unexpected attachments or verifying unusual requests are really powerful habits.”
Norton has released a free decryptor to help small businesses recover files without having to pay a ransom.
This story was originally published on Inside Small Business.