The Ransomware Business Model: The State of Cybercrime

Cybercrime is no longer a fringe activity run by lone hackers. It’s a booming underground industry, powered by money, malware, and models that mimic legitimate business operations. Ransomware sits at the centre of this evolution. Its growth isn’t just about more attacks—it’s about more professionalised, scalable, and economically viable cybercrime.

For small and mid-sized businesses, especially, this isn’t just a tech problem. It’s a business risk with financial, legal, and reputational consequences.

Ransomware is Now a Business, Not a Hack

Gone are the days when ransomware was a crude tool used by hobbyist hackers. Today, these operations look like corporations. They recruit staff, offer customer support, run partner programs, and even issue press releases. “Think of ransomware gangs less like basement dwellers and more like sophisticated criminal enterprises,” said Mick Baccio, Global Security Advisor at Splunk. “They’ve really stepped up their game, often with significant financial backing.”

That structure has been accelerated by Ransomware-as-a-Service (RaaS) platforms. These are off-the-shelf ransomware kits complete with hosting infrastructure, encryption payloads, and help desks—ready to rent. “RaaS has made cybercrime easy. No coding skills? No problem,” Christiaan Beek, Senior Director, Threat Analytics at Rapid7 commented.

Ross Brewer, Vice President at Graylog, put it bluntly: “These platforms provide ready-made ransomware kits, complete with technical support, allowing individuals with limited technical skills to execute sophisticated attacks.”

The Economics are Simple: Low Risk, High Reward

Why does ransomware keep spreading? Because it pays. The maths is hard to ignore—especially when the risk of arrest is low. “Ransomware is profitable, and the incentives are clear. Low upfront investment, global scalability, and the potential for huge returns,” said Robert Phan, CISO at JumpCloud.

Groups like LockBit, RansomHub, and Black Basta have pulled in tens of millions annually. Meanwhile, many operate from jurisdictions like Russia or North Korea, where Western law enforcement can’t touch them. “As long as ransomware pays out more than the cost to operate, it will be an activity that threat actors will carry out,” said Phil Skelton, Business Director at eSentire.

Cryptocurrency fuels this machine. It’s anonymous, fast, and borderless—everything cybercriminals want in a payment system. “Cryptocurrency is the backbone of this entire industry,” says Guy Segal, VP at Sygnia. “It’s what makes the systematic transfer of large amounts of money under a veil of anonymity possible.”

Mike Puglia, general manager at Kaseya, argues this anonymity is a core part of the problem: “As long as we allow cryptocurrency to be converted to dollars, pounds or euros anonymously, we throw away 200 years of ‘follow the money’ crime investigation techniques.”

Attackers are Strategic—and Relentless

Modern ransomware groups aren’t spraying random targets. They’re strategic, deliberate, and sometimes surgical in their execution. “Attackers today may even spend considerable time researching their targets to understand their financial situation,” said Graylog’s Brewer. “They set ransom amounts just within the victim’s ability to pay.”

The negotiation process has also matured. “It’s now a sophisticated, multi-layered business transaction,” says Baccio, Global Security Advisor at Splunk. Groups use psychological pressure, custom messaging, and tactics like threatening to leak sensitive data. Sometimes, they research executives, contact suppliers, or time attacks around high-stress business moments—IPO filings, M&A announcements, or public holidays.

According to Jeff Wichman of Semperis, “Ransoms are typically demanded for multiple reasons—regaining access to systems, avoiding leaks, or simply stopping harassment from multiple groups who all want a cut.” Many victims aren’t just hit once. Semperis found 74% of ransomware victims were attacked more than once—and 35% who paid were still unable to recover their data. It’s a vicious cycle.

Why Smaller Businesses are Increasingly in the Crosshairs

Big companies used to be the primary targets. Not anymore. As security improves in the enterprise sector, ransomware groups are focusing more on the “high volume, low resistance” end of the market: small and mid-sized businesses.

Beek told Silicon UK that companies making $5 million annually are “twice as likely to fall victim to ransomware than those making $30–50 million,” and five times as likely compared to those earning $100 million.

Phan added, “The commoditisation of ransomware through RaaS has changed the game. It’s now more profitable to launch high volumes of attacks against less-prepared, smaller organisations.”

These businesses often lack 24/7 monitoring, dedicated security teams, or strong patching policies. As a result, they’re low-hanging fruit. Spencer Starkey, VP at SonicWall, warns: “The security perimeter has disappeared due to remote and flexible working. There is no longer a corporate firewall protecting every device.”

At the same time, threat actors are going after sectors where downtime is most painful: healthcare, education, manufacturing. “Healthcare organisations often have critical data they cannot afford to lose,” Starkey noted. That urgency gives attackers leverage.

Security Must Evolve with the Threat

Traditional perimeter security—firewalls, antivirus, VPNs—is no longer enough. Attackers bypass it regularly through phishing, stolen credentials, or vulnerable third-party services. “Modern ransomware doesn’t care about your network boundaries,” said Phan. “Instead, it looks for weak points wherever they exist.”

What’s needed now is a layered, zero-trust security model. That includes strong identity controls, network segmentation, real-time detection, and strict privilege management. “The Zero Trust model flips this by assuming breach and continuously verifying access,” Phan explained.

AI is also reshaping the battlefield—on both sides. Attackers use it to craft tailored phishing lures and speed up data analysis post-breach. Defenders use it to detect anomalies, predict attack patterns, and respond faster. But AI is no silver bullet. “AI helps cybercriminals move faster,” said Santiago Pontiroli from Acronis. “But it also helps defenders detect threats early and respond quickly.”

The fundamentals still matter. That means consistent patching, multi-factor authentication, employee training, and backup resilience. “All the elaborate new approaches in the world are pointless if you don’t eat your cyber vegetables,” Baccio told Silicon UK.

Finally, planning is key. Simulations, playbooks, crisis communication protocols—these need to be ready before the breach, not during. “Have a clear incident response plan,” Segal said. “Know exactly who to call. Ensure all your critical retainers—incident response, legal, communications—are in place and ready.”

A Business Problem Needs a Business Response

Ransomware is not just a cybersecurity problem. It’s a business problem—an operational risk that demands board-level attention. It thrives because the economics make sense for criminals, and because many businesses still rely on outdated defences and fragmented responses.

The bad actors aren’t going away. They’re recruiting, reinvesting, and retooling every day. For businesses of all sizes, the only path forward is one of preparation, visibility, and resilience. Otherwise, it’s not a matter of if, but when.