CCNet

Jan 26, 2026   •  3 min read

Ransomware: A Business Model Scales

Management Summary

The hard truth: ransomware is no longer a “special case,” but industrial day-to-day business for attackers. The RaaS model lowers entry barriers, professionalizes processes, and spreads risk across many actors. Organizations fail less because of missing tools than because of a lack of discipline in basic controls, clear decision paths, and rehearsed playbooks. Anyone who hasn’t defined robust time targets and emergency bridges ends up paying twice during an incident: once to the attackers—and a second time during recovery.

Why RaaS changes everything

In the past, a full perpetrator team was required—technology, infrastructure, and money-laundering channels. RaaS decouples this: developers provide toolkits, affiliates handle initial access, others take care of negotiation and monetization. The result: more campaigns, faster iteration, better “customer support” on the attacker side. For defenders this means attacks arrive more frequently, in more variants, and with greater professionalism. A one-off? No—this is a scaling ecosystem with clear incentives.

Tactics & entry points: the 80/20 levers

Most successful cases still begin through the same doors:

  • Phishing and social engineering: credentials, session cookies, rushed approvals.
  • Unpatched vulnerabilities in internet-exposed services (VPNs, gateways, web apps).
  • Compromised access from third-party systems or via credential stuffing.
  • Living-off-the-land (LOTL) techniques: abuse of built-in administrative tools to operate in the network without “loud” malware.

Defenders lose time in complex tool landscapes while attackers move fast with standard building blocks. The consequence: reduce friction, increase reliability, set hard SLOs—instead of getting lost in cosmetic measures.

Economic logic: why numbers rise—and stay high

Ransomware remains attractive because the margins work. Data exfiltration before encryption (“double/triple extortion”) maximizes pressure, even when backups exist. At the same time, many organizations are embedded in supply chains: an incident doesn’t just create internal costs, it triggers contractual penalties, disclosure obligations, and operational downtime for partners. As long as these cascades translate into money, the incentive structure for attackers remains stable—regardless of individual arrests or takedowns.

What works immediately—without sugarcoating

  • Harden identities: Phishing-resistant MFA (e.g., passkeys/FIDO2), disable weak legacy flows, end-to-end session monitoring. Zero Trust means: verify, don’t hope.
  • Make patch SLOs binding: Internet-exposed criticalities in days; internal gaps with clear deadlines. SLO breaches trigger automatic escalation—not emails.
  • Email protection + realism-based awareness: Technical checks (authentication, anomalies) combined with scenario-based training that simulates real pressure tactics.
  • Backups that actually help: Offline/immutable, restore tests under time pressure, proof of integrity. Without drills, backups are just hope.
  • Slow lateral movement: Network segmentation, app allowlisting, default blocking of dangerous scripting tools, hardening of admin workstations.
  • Secure supply-chain interfaces: Minimum requirements, access only via vetted bridges, logging obligations, and event-driven testing.
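The patch-SLO rule above (“internet-exposed criticalities in days; internal gaps with clear deadlines; breaches trigger automatic escalation”) is easy to state and hard to keep honest without a mechanical check. The following is an added example, not code from CCNet or the original post: a small tracker that assigns each finding a deadline from an assumed SLO table, classifies it as met, open, late or breached, computes the compliance rate, and emits escalation records for breached findings instead of relying on someone sending an email. The SLO day values, the two escalation levels and the sample findings are all constructed assumptions.

```python
"""Patch-SLO tracker with automatic escalation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLO table in days: (exposure, severity) -> remediation deadline.
# The post only says "internet-exposed criticalities in days"; these numbers are
# placeholders to be replaced by the organization's own policy.
SLO_DAYS = {
    ("exposed", "critical"): 3,
    ("exposed", "high"): 7,
    ("internal", "critical"): 14,
    ("internal", "high"): 30,
}


@dataclass
class Finding:
    host: str
    severity: str            # "critical" or "high"
    exposure: str            # "exposed" (internet-facing) or "internal"
    found: date              # date the gap became known
    fixed: Optional[date] = None


def deadline(f: Finding) -> date:
    """SLO deadline derived from the assumed table."""
    return f.found + timedelta(days=SLO_DAYS[(f.exposure, f.severity)])


def status(f: Finding, today: date) -> str:
    """'met' / 'late' for closed findings, 'open' / 'breached' for unresolved ones."""
    d = deadline(f)
    if f.fixed is None:
        return "open" if today <= d else "breached"
    return "met" if f.fixed <= d else "late"


def compliance_rate(findings, today: date) -> float:
    """Share of closed findings that were fixed within their SLO (1.0 if none closed)."""
    closed = [f for f in findings if f.fixed is not None]
    if not closed:
        return 1.0
    return sum(status(f, today) == "met" for f in closed) / len(closed)


def escalations(findings, today: date):
    """Escalation records for every breached finding; no human has to notice it.

    Assumed rule: overdue by at most one SLO period -> level 1 (owning team),
    longer than that -> level 2 (management)."""
    out = []
    for f in findings:
        if status(f, today) != "breached":
            continue
        overdue = (today - deadline(f)).days
        level = 1 if overdue <= SLO_DAYS[(f.exposure, f.severity)] else 2
        out.append({"host": f.host, "severity": f.severity,
                    "days_overdue": overdue, "level": level})
    return sorted(out, key=lambda e: (-e["level"], -e["days_overdue"]))


# Constructed sample findings (hostnames and dates are made up).
TODAY = date(2026, 1, 26)
SAMPLE = [
    Finding("web-gw-1", "critical", "exposed", date(2026, 1, 10), date(2026, 1, 12)),
    Finding("vpn-1", "critical", "exposed", date(2026, 1, 15)),              # breached
    Finding("file-srv-2", "high", "internal", date(2026, 1, 5)),             # still open
    Finding("hr-app", "high", "exposed", date(2026, 1, 1), date(2026, 1, 20)),  # late
    Finding("db-1", "critical", "internal", date(2026, 1, 20)),              # still open
]

if __name__ == "__main__":
    print(f"patch-SLO compliance: {compliance_rate(SAMPLE, TODAY):.0%}")
    for e in escalations(SAMPLE, TODAY):
        print(f"ESCALATE L{e['level']}: {e['host']} ({e['severity']}) {e['days_overdue']}d overdue")
```

Run daily from the vulnerability-management export; the escalation list is what feeds a ticket or on-call page, which is the “automatic escalation” the post calls for.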

90-day plan against ransomware

Day 0–15 – Situation & baseline

  • Identify the top 3 entry points (email, external apps, remote access) and substantiate with facts.
  • Capture KPI baselines: MTTD/MTTR by criticality, patch-SLO compliance, MFA coverage, restore time.
  • Update roles & approval matrix for incident response (including authorities and communication paths).
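The baseline step only pays off if MTTD, MTTR and MFA coverage are computed the same way every quarter. As an added example (not code from the post or from CCNet), the script below derives those KPIs from constructed incident and account records. It assumes MTTD is measured from first malicious activity to detection and MTTR from detection to resolution, both in hours, averaged per criticality; and it counts only FIDO2/passkey methods as phishing-resistant MFA, in line with the post's recommendation. The incident IDs, timestamps and account names are made up.

```python
"""KPI baseline: MTTD/MTTR by criticality and phishing-resistant MFA coverage.
Added example with constructed data; definitions below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from collections import defaultdict


@dataclass
class Incident:
    ident: str
    criticality: str           # "critical", "high", ...
    started: datetime          # first malicious activity (from forensics)
    detected: datetime         # first alert or report
    resolved: datetime         # service restored and incident closed


def hours(delta) -> float:
    return delta.total_seconds() / 3600


def kpi_by_criticality(incidents):
    """Mean MTTD (started->detected) and MTTR (detected->resolved) in hours per criticality."""
    ttd, ttr = defaultdict(list), defaultdict(list)
    for inc in incidents:
        if not (inc.started <= inc.detected <= inc.resolved):
            raise ValueError(f"{inc.ident}: timestamps out of order")
        ttd[inc.criticality].append(hours(inc.detected - inc.started))
        ttr[inc.criticality].append(hours(inc.resolved - inc.detected))
    return {
        crit: {"mttd_h": sum(ttd[crit]) / len(ttd[crit]),
               "mttr_h": sum(ttr[crit]) / len(ttr[crit]),
               "count": len(ttd[crit])}
        for crit in ttd
    }


# Assumed set of phishing-resistant methods; everything else (TOTP, SMS, push) is not.
PHISHING_RESISTANT = {"fido2", "passkey"}


def mfa_coverage(accounts) -> float:
    """Share of accounts whose MFA method is phishing-resistant (0.0 if no accounts)."""
    if not accounts:
        return 0.0
    return sum(m in PHISHING_RESISTANT for _, m in accounts) / len(accounts)


# Constructed sample incidents and accounts.
INCIDENTS = [
    Incident("INC-1", "critical", datetime(2026, 1, 5, 8), datetime(2026, 1, 5, 12), datetime(2026, 1, 6, 12)),
    Incident("INC-2", "critical", datetime(2026, 1, 10, 0), datetime(2026, 1, 10, 8), datetime(2026, 1, 10, 20)),
    Incident("INC-3", "high", datetime(2026, 1, 12, 9), datetime(2026, 1, 14, 9), datetime(2026, 1, 15, 9)),
]
ACCOUNTS = [("alice", "fido2"), ("bob", "passkey"), ("carol", "totp"), ("dave", "fido2")]

if __name__ == "__main__":
    for crit, k in kpi_by_criticality(INCIDENTS).items():
        print(f"{crit}: MTTD {k['mttd_h']:.1f}h, MTTR {k['mttr_h']:.1f}h (n={k['count']})")
    print(f"phishing-resistant MFA coverage: {mfa_coverage(ACCOUNTS):.0%}")
```

With only a handful of incidents the mean is easily skewed by one outlier, so report the count next to each figure and compare like with like when the Day 76–90 review checks “MTTD/MTTR down”.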

Day 16–45 – Hardening & acceleration

  • Roll out phishing-resistant MFA, disable legacy protocols, pilot JIT privileges for admins.
  • Enforce patch SLOs (change windows, enforcement rights, escalation logic).
  • Define clear network segments; operate admin workstations and critical servers under elevated policies.

Day 46–75 – Automate & test

  • Automate standard responses: isolation, account lock, ticketing, alert confirmation.
  • Restore drill: timed recovery of a business-critical system including integrity proof.
  • Supply chain: rehearse emergency contacts, change-freeze processes, and protocols for access providers.
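The restore drill (this phase) and the “proof of integrity” demanded of backups in the measures list both need something more than “the files came back”. As an added example (not code from CCNet or the post), the script below builds a SHA-256 manifest of a source tree at backup time, restores it into a separate directory, checks the restored tree against the manifest for missing, changed and extra files, and records whether the restore finished within a time target. The sample files, the 60-second target and the simulated tampering are constructed; in a real drill the manifest is produced when the backup is taken and kept offline with it.

```python
"""Timed restore drill with SHA-256 manifest verification (added example, constructed data)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample files standing in for a business-critical system's data.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.yaml": b"mode: prod\nreplicas: 2\n",
    "docs/runbook.txt": b"1. restore db\n2. restore config\n",
}


def write_sample(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 hex digest, taken at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a sorted list of problems; an empty list is the integrity proof."""
    problems = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"mismatch: {rel}")
    problems.extend(f"extra: {rel}" for rel in actual if rel not in manifest)
    return sorted(problems)


def restore_drill(source: Path, restored: Path, manifest: dict, target_seconds: float) -> dict:
    """Copy source to restored (stand-in for the real restore), time it, verify integrity."""
    t0 = time.monotonic()
    shutil.copytree(source, restored)       # real drills call the backup tool here
    elapsed = time.monotonic() - t0
    problems = verify_restore(manifest, restored)
    return {"elapsed_s": elapsed, "within_target": elapsed <= target_seconds,
            "problems": problems, "passed": elapsed <= target_seconds and not problems}


def demo(target_seconds: float = 60.0) -> dict:
    """Run a clean drill, then show how a tampered file is caught. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        write_sample(source)
        manifest = build_manifest(source)       # produced when the backup is taken

        clean = restore_drill(source, tmp / "restore-clean", manifest, target_seconds)

        tampered_dir = tmp / "restore-tampered"
        tampered = restore_drill(source, tampered_dir, manifest, target_seconds)
        # Simulate a silently altered file in the restored copy and re-verify.
        (tampered_dir / "config/app.yaml").write_bytes(b"mode: prod\nreplicas: 1\n")
        tampered["problems"] = verify_restore(manifest, tampered_dir)
        tampered["passed"] = tampered["within_target"] and not tampered["problems"]
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: passed={r['passed']} elapsed={r['elapsed_s']:.3f}s problems={r['problems']}")
```

The drill result is the evidence to file: elapsed time against the restore-time KPI from the Day 0–15 baseline, and an empty problem list as the integrity proof. A non-empty list means the backup, the restore path or the media needs investigation before anyone trusts it in a real incident.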

Day 76–90 – Lock in the impact

  • Review KPIs vs. baseline: MTTD/MTTR down, patch-SLO rate up, restore time down.
  • Finalize ransom policy and decision tree (including legal guardrails).
  • Establish quarterly steering: budget follows proven risk reduction—not gut feeling.

Communication & decision logic in an incident

The biggest cost driver is time lost to uncertainty. Define in advance:

  • Who decides on production shutdown, external forensics, communication to customers/authorities?
  • Which criteria trigger which escalation (e.g., exfiltration indicators, active encryption, supply chain affected)?
  • Which out-of-band channels are used if primary systems are unreliable?

Conclusion: discipline beats a tool zoo

Ransomware isn’t going away—it pays. Defenders win with speed, clarity, and practice: secure identities, close gaps in days, rehearse restoration with proof, and hard-wire decisions in advance. This isn’t “nice to have”; it’s your cost airbag. Anyone who executes the 90-day plan cleanly reduces damage and negotiation pressure—and makes RaaS a bit less profitable.
