threat intelligence

the ransomware-as-a-service economy — how attackers have industrialized

September 17, 2024 · CrowdSOC Team

The public mental model of ransomware is wrong in ways that have real defensive consequences. The stereotyped image — a lone hacker in a dark room, targeting organizations for ideological reasons or for the thrill — describes almost nothing that happens in the modern ransomware ecosystem. What's actually happening looks more like a franchise business, with corporate structures, HR functions, negotiation specialists, and affiliate management programs.

Understanding the actual business model matters for two reasons. First, it changes how you think about why you're a target. Second, it clarifies which defensive investments actually disrupt attacker economics — and which ones don't.

the structure of modern ransomware operations

Modern ransomware operates as a multi-tier criminal industry. The different roles are typically played by different actors, often with no direct personal relationship with each other.

developers (core group)

At the center of most major ransomware operations is a small, highly technical development team that builds and maintains the ransomware platform itself. This group writes the encryption engine, builds the command-and-control infrastructure, creates the negotiation portal, and manages payments and decryption key delivery.

LockBit and ALPHV/BlackCat are the best-known groups in this category; Cl0p has run a more closed operation, executing several of its large campaigns itself rather than through affiliates. Platform operators do not, in most cases, conduct intrusions themselves. They supply the tooling, infrastructure and payment handling, and they recruit affiliates to do the actual intrusion work.

affiliates

Affiliates are the attackers who conduct the actual intrusions. They license access to the ransomware platform from the core group and execute attacks against targets they've selected. In exchange, they typically pay the core group a percentage of each ransom collected — often 20–30% — and keep the remainder.

This structure is where small and medium organizations become relevant. An affiliate conducting volume-based operations doesn't need each individual ransom to be large — they need a favorable return on effort. An SMB that can be compromised in days and pays $50,000 may generate better economics than an enterprise that takes months to penetrate and fights back hard.

initial access brokers

A specialized third party plays a critical role in the ecosystem: the initial access broker (IAB). IABs specialize in gaining initial access to target networks — exploiting vulnerabilities, purchasing leaked credentials, or conducting phishing campaigns — and then selling that access to ransomware affiliates through dark web marketplaces.

The existence of IABs means that the person who compromises your network is frequently not the person who deploys ransomware against it. A compromised small business network can be listed for sale by an IAB for as little as a few hundred dollars — accessible to any affiliate willing to pay.

support functions

Well-organized ransomware groups have developed operational support capabilities that look remarkably like enterprise functions:

  • Negotiators — specialists who manage victim communications and negotiate ransom amounts, calibrating demand based on assessed victim revenue, insurance coverage, and urgency
  • Data analysts — who review exfiltrated data to identify high-value material to use as leverage in double-extortion negotiations
  • Money launderers — who convert cryptocurrency ransom payments into usable funds through complex laundering chains
  • Recruiters — who identify and vet new affiliates for the platform

The double extortion model: Modern ransomware groups typically pursue two forms of leverage simultaneously. First, they encrypt systems to prevent operations. Second, they exfiltrate data before encrypting and threaten to publish it on dark web "leak sites" if payment isn't made. This means that even organizations that can restore from backup still face extortion pressure over the stolen data.

how targets are actually selected

Target selection in volume-oriented ransomware operations is largely automated in the early stages. IABs and affiliates use scanning tools to identify organizations with specific exploitable conditions at scale — exposed RDP, unpatched VPN appliances, or other known vulnerabilities. Organizations matching those criteria appear in results regardless of their size or sector.

Human judgment enters later, when an affiliate decides whether to invest further in a specific target based on the initial access they've obtained. At that point, they're evaluating: what does this organization look like? Do they appear to have a recent backup? Is there active security monitoring? These assessments happen during the pre-encryption phase — sometimes days or weeks before ransomware is deployed.

what makes a target look attractive to an affiliate

  • High-revenue indicators — even for small organizations, visible signs of financial activity
  • Operational criticality — healthcare, utilities, local government — that creates urgency to restore services
  • No visible security monitoring or response capability
  • Absence of recent, offline backups
  • Sensitive data (medical records, financial data, client PII) that creates double-extortion leverage
  • Managed service provider access — a single compromised MSP can unlock many client environments

what makes a target look unattractive

  • Evidence of active monitoring and fast response
  • Hardened authentication (MFA on every remote-access path makes a sprayed or leaked password alone insufficient; phishing-resistant methods blunt the push-fatigue and reverse-proxy bypasses used against weaker factors)
  • Backups that are offline, immutable, or otherwise out of reach of an attacker who holds domain admin
  • Very low observable revenue (not worth the effort)

the economics of the ransom negotiation

Ransomware negotiations are not random. They follow a fairly consistent structure informed by the attacker's assessment of what the victim can and will pay.

Initial demands are anchored to what the attackers believe the victim can pay: an estimate of annual revenue and, where they found the policy documents during their time in the network, the cyber insurance coverage limit. Negotiation typically results in a reduction, sometimes a significant one, from the initial demand. Credible evidence that you can't pay, combined with a documented recovery timeline from backup, gives defenders more negotiating position than is commonly understood.

Key data points from recent research:

  • ~30% average reduction from initial ransom demand through negotiation (Coveware, 2023–2024)
  • ~20–30% typical affiliate revenue share paid to ransomware platform operators
  • ~46% of ransomware victims who paid in 2023 still had data published (Coveware Q4 2023)
  • Under $1,000 typical price for SMB initial access sold on dark web IAB markets

what this means for your defense

The industrialized nature of the ransomware ecosystem has specific implications for how organizations should prioritize their defenses.

Reduce your scan-visible attack surface. IABs use automated tools to identify exploitable targets. If your organization doesn't appear in those scans, you never enter the initial pipeline. Removing exposed RDP from the internet, keeping VPN and firewall firmware current, and regularly scanning your own external footprint addresses this layer.
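As an added example (not the page's own tooling), here is a short Python triage of nmap grepable output (`-oG`) that flags the services broker scanners look for, and separately lists anything that reported a version banner so it can be checked against vendor advisories, since a port scan on its own cannot tell you whether a VPN or firewall appliance is patched. The scan lines, hostnames and the "ACME SSL-VPN" product string are constructed for the example, and the port-to-priority table is an assumption to adapt to your own environment.

```python
"""Triage nmap grepable (-oG) output for the exposures that feed the IAB pipeline.

Added example; the exposure table below is an assumption, not a standard.
"""
import re

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# (ports, service-name keywords, finding, priority). The service name is checked
# as well as the port because nmap reports it even on non-standard ports.
EXPOSURES = [
    ({3389}, ("ms-wbt-server", "rdp"), "RDP reachable from the internet", "critical"),
    ({139, 445}, ("microsoft-ds", "netbios-ssn"), "SMB reachable from the internet", "critical"),
    ({5900, 5901}, ("vnc",), "VNC reachable from the internet", "critical"),
    ({23}, ("telnet",), "Telnet reachable from the internet", "critical"),
    ({21}, ("ftp",), "FTP reachable from the internet", "high"),
    ({5985, 5986}, ("wsman", "winrm"), "WinRM reachable from the internet", "high"),
    ({1433, 3306, 5432, 27017}, ("ms-sql", "mysql", "postgresql", "mongodb"),
     "Database service reachable from the internet", "high"),
    ({22}, ("ssh",), "SSH reachable from the internet (verify key-only auth)", "medium"),
]

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_grepable(text):
    """Yield (ip, hostname, port, proto, state, service, version) per port entry.

    -oG lines are tab-separated fields; each port entry is
    port/state/proto/owner/service/rpcinfo/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if not m or ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            yield m["ip"], m["name"], int(port), proto, state, service, version


def classify(port, service):
    """Return (finding, priority) for a known-bad exposure, else None."""
    for ports, keywords, finding, priority in EXPOSURES:
        if port in ports or any(k in service.lower() for k in keywords):
            return finding, priority
    return None


def triage(text):
    """Open ports only; known exposures first, then versioned services for advisory checks."""
    findings = []
    for ip, name, port, proto, state, service, version in parse_grepable(text):
        if state != "open":
            continue
        hit = classify(port, service)
        if hit:
            finding, priority = hit
        elif version:
            finding, priority = f"version banner '{version}': compare with vendor advisories", "info"
        else:
            continue
        findings.append({"host": ip, "name": name, "port": port, "proto": proto,
                         "service": service, "version": version,
                         "finding": finding, "priority": priority})
    findings.sort(key=lambda f: (PRIORITY_RANK[f["priority"]], f["host"], f["port"]))
    return findings


# Constructed sample output; addresses, names and the ACME product are fictional.
SAMPLE_GREPABLE = "\n".join([
    "# Nmap scan initiated as: nmap -sV -oG - 203.0.113.0/29",
    "Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//https//ACME SSL-VPN 9.1/\tIgnored State: filtered (999)",
    "Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)",
    "Host: 203.0.113.12 ()\tPorts: 445/open/tcp//microsoft-ds///, 5900/filtered/tcp//vnc///",
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_GREPABLE):
        print(f"[{f['priority']:>8}] {f['host']}:{f['port']} {f['service']:<14} {f['finding']}")
```

Run it against `nmap -sV -oG - <your ranges>` on a schedule; a filtered port (the VNC entry above) is correctly ignored, while the versioned VPN on 443 lands in the info bucket as an inventory item to compare against the vendor's advisories.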

Harden authentication universally. Stolen or guessed credentials are, alongside exploitation of exposed edge devices, the dominant initial access vector. MFA on every external-facing system (VPN, remote desktop gateways, mail, cloud admin consoles) makes a leaked password alone worthless, and phishing-resistant methods blunt the push-fatigue and reverse-proxy bypasses affiliates use against weaker factors. This is the single intervention most likely to take your organization out of the credential-based portion of the automated initial access pipeline.

Make your backups unreachable as well as non-obvious. Affiliates look for backup infrastructure and destroy it before deploying ransomware; shadow copies are deleted and backup servers wiped as one of the last pre-encryption steps. Backups that are offline, immutable (write-once object storage or a vendor's immutability feature), or held under credentials that do not live in the directory the attacker now controls survive that step. A domain-joined backup server with a mapped share does not.

Establish visible monitoring. Evidence of active security monitoring — specifically, the ability to detect and respond to intrusion attempts quickly — signals to affiliates that this target will fight back. The economics of getting caught mid-operation, with nothing to show for it, are bad for affiliates. Organizations that can compress time-to-detection become less attractive targets.
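One way to turn the monitoring point and the backup-destruction pattern into a concrete detection, as an added example that is not the page's or any vendor's code: a Python rule set that matches process-creation command lines (Sysmon Event ID 1 or Windows 4688, flattened into a constructed key=value line format assumed here) against recovery-inhibition techniques, and escalates when several distinct techniques fire on one host inside a short window. One shadow-copy command can be an administrator doing maintenance; four different techniques in a minute almost never are. The log lines, hostnames and account names are constructed.

```python
"""Flag pre-encryption recovery inhibition in process-creation logs.

Added example. Input lines are a constructed key=value flattening of
Sysmon Event ID 1 / Windows 4688 fields; adapt parse() to your SIEM's shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line shape: <iso ts> host=<name> user=<domain\user> cmd="<command line>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Command lines affiliates use to remove recovery options before deploying
# the encryptor (MITRE ATT&CK T1490, Inhibit System Recovery).
RULES = {
    "vss_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_catalog": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "bcdedit_recovery": re.compile(
        r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    # Noisy on its own (admins query shadow copies too); useful in correlation.
    "ps_shadowcopy": re.compile(r"win32_shadowcopy", re.I),
    # Stopping the backup agent so its files can be encrypted or deleted.
    "backup_svc_stop": re.compile(
        r"(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|stop-service)\s+.*"
        r"(?:veeam|backup|acronis|commvault)", re.I),
}


def parse(line):
    """Return a dict with ts/host/user/cmd, or None for lines that don't fit."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def match_rules(cmd):
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def analyze(lines, window=timedelta(minutes=15), escalate_at=2):
    """Return (hits, escalations).

    hits: (ts, host, user, rule, cmd) for every matching event.
    escalations: host -> sorted distinct rules, for hosts where at least
      `escalate_at` different techniques fired within `window` of each other.
    """
    hits = []
    per_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            hits.append((ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
            per_host[ev["host"]].append((ev["ts"], rule))
    escalations = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            rules_in_window = {r for t, r in events[i:] if t - t0 <= window}
            if len(rules_in_window) >= escalate_at:
                escalations[host] = sorted(rules_in_window)
                break
    return hits, escalations


# Constructed sample: one benign query, one host clearly being prepared for
# encryption, and one lone resize that deserves a look but not a page-out.
SAMPLE_LOG = [
    r'2024-09-17T01:58:12Z host=WS-044 user=CORP\jdoe cmd="vssadmin list shadows"',
    r'2024-09-17T02:14:05Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2024-09-17T02:14:09Z host=FS01 user=CORP\svc_backup cmd="wbadmin delete catalog -quiet"',
    r'2024-09-17T02:14:31Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled no"',
    r'2024-09-17T02:15:02Z host=FS01 user=CORP\svc_backup cmd="net stop VeeamBackupSvc /y"',
    r'2024-09-17T03:40:00Z host=DC01 user=CORP\admin cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"',
]

if __name__ == "__main__":
    hits, escalations = analyze(SAMPLE_LOG)
    for ts, host, user, rule, cmd in hits:
        print(f"{ts.isoformat()} {host} {user} [{rule}] {cmd}")
    for host, rules in escalations.items():
        print(f"ESCALATE {host}: {len(rules)} recovery-inhibition techniques in window: {', '.join(rules)}")
```

The escalation is the part worth wiring to a pager: it fires on FS01 (four techniques in under a minute) and not on DC01 or WS-044. Note that the service account doing the work is the backup account itself, which is exactly the credential an affiliate goes looking for; that is the argument for keeping backup credentials outside the domain the attacker controls.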

None of this guarantees immunity. Sufficiently motivated and capable threat actors will find a path. But the majority of ransomware activity, including most of what targets small organizations, is opportunistic and economically driven. Making yourself a harder, more expensive target redirects that activity somewhere else — which is, practically speaking, the realistic goal.
