A common misconception is that ransomware attacks are opportunistic — that threat actors are spraying malware indiscriminately and you were unlucky. The reality in 2026 is considerably more deliberate. Most ransomware incidents we respond to result from a structured target selection process involving multiple parties, dark web markets, and explicit criteria around victim revenue, sector, and perceived payment likelihood.
Understanding how you end up in a ransomware group's crosshairs is the first step toward addressing the exposures that put you there.
The Ransomware-as-a-Service Model
Most ransomware operations today are not a single criminal group doing everything themselves. They are structured as ransomware-as-a-service (RaaS) ecosystems: a core team develops and maintains the ransomware platform, and affiliates — independent criminal operators — conduct the actual intrusions and deploy the ransomware in exchange for a share of the proceeds, typically 70–80%.
This separation matters for target selection because the people choosing whom to attack are the affiliates, not the ransomware developers. Affiliates operate with significant autonomy: they choose targets, conduct intrusions, determine ransom demands, and manage negotiations. The RaaS platform provides the tooling; the affiliate provides the access and the victim.
Initial Access Brokers: The Middlemen
Many ransomware affiliates do not conduct their own intrusions. They purchase access to victim networks from initial access brokers (IABs) — a separate criminal ecosystem that specialises in compromising corporate networks and selling the access on dark web forums.
IAB listings typically include the target's country, industry sector, estimated annual revenue (often sourced from Companies House or equivalent), and the type of access available — domain admin, VPN credentials, remote desktop, corporate email. Pricing varies from a few hundred dollars for limited access to tens of thousands for domain admin on a large enterprise.
This means your organisation may already have been compromised and listed for sale before a ransomware affiliate is even aware of your existence. This is a large part of what makes dark web monitoring valuable: organisations with monitoring capability can sometimes identify access to their own infrastructure for sale before it is purchased.
Exposed Services: The Easy Entry Points
Where affiliates conduct their own intrusions, the most common initial access vectors in 2026 remain:
- RDP exposed to the internet — still one of the most common entry points, particularly on non-standard ports where organisations assume obscurity provides protection
- VPN vulnerabilities — unpatched Fortinet, Citrix, Pulse Secure, and SonicWall appliances are consistently exploited within days of public vulnerability disclosure
- Phishing and credential theft — particularly targeting users without MFA on Microsoft 365, where a single successful phish gives access to email, SharePoint, and frequently further internal systems
- Exposed management interfaces — remote management tools, backup consoles, and hypervisor management interfaces left accessible from the internet
Scanning for these exposures at scale is trivial with tools like Shodan, Censys, and custom tooling. An affiliate can identify thousands of potentially vulnerable organisations within hours. This is why patching speed matters — the window between vulnerability disclosure and active exploitation is measured in days, not weeks.
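The exposure the first bullet describes is also visible from the inside. As an added example (not code from Binary Response), the script below runs detection logic over a constructed sample of Windows Security log events: it flags successful RemoteInteractive logons (EventID 4624, LogonType 10) from addresses outside the assumed internal ranges, which proves RDP is reachable from the internet regardless of the port it listens on, and correlates them with bursts of failed logons (EventID 4625) from the same source. The event layout, the internal CIDR list and the sample IPs are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, flattened as
# "timestamp|EventID|LogonType|TargetUserName|IpAddress". Not real log data.
SAMPLE_EVENTS = """\
2026-03-02T01:14:03|4625|10|administrator|203.0.113.45
2026-03-02T01:14:05|4625|10|admin|203.0.113.45
2026-03-02T01:14:07|4625|10|backup|203.0.113.45
2026-03-02T01:14:09|4625|10|svc_backup|203.0.113.45
2026-03-02T01:14:11|4625|10|it.admin|203.0.113.45
2026-03-02T01:14:13|4625|10|j.smith|203.0.113.45
2026-03-02T01:14:20|4624|10|j.smith|203.0.113.45
2026-03-02T09:02:11|4624|10|h.jones|10.20.0.15
2026-03-02T09:05:40|4624|2|h.jones|-
"""

# Assumed internal address space; anything else is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Turn the flattened sample into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events


def is_external_ip(ip_text):
    """True when the address parses and is not in any internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:          # "-" or "::1"-style placeholders from the log
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_rdp_logons(events):
    """Successful RDP logons (LogonType 10) sourced from outside the network."""
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10 and is_external_ip(e["ip"])]


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed RDP logons inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def correlate(events):
    """External RDP successes, rated critical when the source was also brute-forcing."""
    sources = find_bruteforce_sources(events)
    findings = []
    for ts, user, ip in find_exposed_rdp_logons(events):
        severity = "critical" if ip in sources else "high"
        findings.append({"ts": ts.isoformat(), "user": user, "ip": ip, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Any "high" finding on its own shows an RDP listener reachable from the internet, which is the exposure to remove; a "critical" finding (success following a failure burst from the same source) is an account to treat as compromised until proven otherwise.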
Revenue-Based Target Selection
Ransomware affiliates are running a business. They want victims who can pay, and they size their demands accordingly. Revenue estimation for private companies typically uses Companies House filings, LinkedIn employee counts, industry benchmarks, and in some cases data obtained during the intrusion itself (bank statements, management accounts).
The common threshold for many mid-tier groups is annual revenue over £5–10 million. Below this, the effort-to-reward ratio is unfavourable. Above it, the group can demand six or seven figures and expect serious engagement.
This has an important implication: being a small business does not make you immune. It may make you a less attractive primary target for sophisticated groups, but you may still be purchased by budget-tier affiliates, hit by automated attacks, or targeted because of your relationships with larger supply chain partners.
Sector Targeting
Some ransomware groups — and by extension their affiliates — have explicit sector preferences driven by perceived payment likelihood and operational security concerns. Healthcare, legal, professional services, and manufacturing are frequently targeted because:
- Healthcare organisations face immediate patient safety pressure that increases urgency to pay
- Legal firms hold highly sensitive client data whose confidentiality gives an extortion demand significant leverage
- Professional services firms often have high revenue relative to IT headcount and security investment
- Manufacturers face costly operational downtime that creates strong financial pressure to resolve quickly
Critical national infrastructure — energy, water, transport — is a mixed picture. Some groups explicitly avoid it to reduce law enforcement attention; others specifically target it for the leverage it provides.
Supply Chain Access
Targeting a large, well-defended enterprise directly is harder than targeting one of its suppliers or managed service providers. MSPs with remote access to multiple client networks are extremely attractive targets — a single MSP compromise can provide access to dozens or hundreds of downstream victims simultaneously.
Similarly, software supply chain compromises — where a legitimate software update is used to deploy malware — have demonstrated the ability to compromise thousands of organisations simultaneously. If your organisation trusts and installs software from third-party vendors without security review, you are exposed to whatever security posture those vendors maintain.
Dwell Time: They Are Already In
An important operational reality: ransomware is not deployed the moment an attacker gains access. Dwell time — from initial access to ransomware deployment — is typically weeks to months. Attackers spend this time escalating privileges, mapping the network, identifying and accessing backup infrastructure, exfiltrating data, and ensuring maximum impact when they deploy.
This means that by the time you discover a ransomware incident, the attacker has been present for significant time, has likely accessed your backup systems, and has already exfiltrated data they intend to publish. The encryption event is the final act, not the first.
Detection during the dwell period — before encryption — is possible with appropriate endpoint detection and response (EDR) tooling, network monitoring, and threat hunting capability, yet this capability is consistently underinvested in relative to perimeter security.
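One dwell-period hunt worth running is for access to backup infrastructure that does not match established patterns, since reaching the backups is on the attacker's to-do list before encryption. As an added example (not Binary Response's code), the script below learns a baseline of (user, source, backup host) combinations from a constructed access log, then flags any combination first seen after a cutoff date, rating it higher outside business hours, and highlights a single source touching more than one backup host. The log format, the backup host inventory and the business-hours window are assumptions for the example.

```python
import re
from datetime import datetime

# Assumed inventory of backup infrastructure (constructed for the example).
BACKUP_HOSTS = {"backup01", "veeam-mgmt", "nas-archive"}

# Constructed access-log sample: "<iso ts> <dst host> login user=<u> src=<ip> method=<m>".
SAMPLE_LOG = """\
2026-02-01T02:00:03 backup01 login user=veeam-svc src=10.20.1.10 method=service
2026-02-02T02:00:02 backup01 login user=veeam-svc src=10.20.1.10 method=service
2026-02-03T10:15:44 backup01 login user=b.admin src=10.20.0.55 method=ssh
2026-02-10T02:00:05 backup01 login user=veeam-svc src=10.20.1.10 method=service
2026-02-16T02:00:04 backup01 login user=veeam-svc src=10.20.1.10 method=service
2026-02-17T23:41:12 backup01 login user=b.admin src=10.20.7.211 method=ssh
2026-02-18T11:05:30 veeam-mgmt login user=j.smith src=10.20.7.211 method=web-console
2026-02-18T11:20:00 fileserver01 login user=j.smith src=10.20.7.211 method=smb
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dst>\S+) login user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) method=(?P<method>\S+)$")


def parse_log(text):
    """Parse the sample format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def in_business_hours(ts):
    """Assumed working pattern: Monday to Friday, 07:00 to 19:00."""
    return ts.weekday() < 5 and 7 <= ts.hour < 19


def build_baseline(records, cutoff):
    """Known-good (user, source, backup host) triples seen before the cutoff."""
    return {(r["user"], r["src"], r["dst"]) for r in records
            if r["ts"] < cutoff and r["dst"] in BACKUP_HOSTS}


def hunt(records, cutoff_iso):
    """Flag first-seen access combinations to backup hosts after the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(records, cutoff)
    findings = []
    for r in records:
        if r["ts"] < cutoff or r["dst"] not in BACKUP_HOSTS:
            continue
        if (r["user"], r["src"], r["dst"]) in baseline:
            continue   # scheduled jobs and regular admin access stay quiet
        severity = "medium" if in_business_hours(r["ts"]) else "high"
        findings.append({"ts": r["ts"].isoformat(), "user": r["user"], "src": r["src"],
                         "dst": r["dst"], "method": r["method"], "severity": severity})
    return findings


def sources_spanning_hosts(findings):
    """Sources behind novel access to more than one backup host: a likely pivot box."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["dst"])
    return {src: hosts for src, hosts in by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    results = hunt(parse_log(SAMPLE_LOG), "2026-02-15T00:00:00")
    for finding in results:
        print(finding)
    print(sources_spanning_hosts(results))
```

The baseline approach keeps the scheduled backup service account quiet even though it runs at 02:00, while a known admin account arriving from a new workstation late at night, then the same workstation reaching a second backup host, surfaces as exactly the pattern described above.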
What This Means for Your Security Posture
Target selection criteria translate directly into risk reduction priorities:
- Eliminate internet-exposed RDP and management interfaces
- Patch VPN and perimeter appliances within 24–48 hours of critical vulnerability disclosure
- Enforce MFA universally, particularly on email and remote access
- Monitor dark web forums and paste sites for references to your domains and infrastructure
- Audit and segment MSP and third-party remote access
- Deploy EDR with active monitoring — prevention fails; detection before encryption is the realistic goal
- Understand your supply chain: which software and vendors have privileged access to your environment, and what is their security posture?
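The monitoring recommended above, and the IAB listings described earlier under "Initial Access Brokers", come together in the matching step: deciding whether a listing refers to you. As an added example (not Binary Response's tooling), the script below triages a constructed feed of IAB-style listings against an assumed organisation profile. Direct references to watched domains (including subdomains) or addresses inside watched ranges score strongly, a normalised company-name match scores strongly, and the listing's structured country, sector and revenue fields add weaker corroboration. The profile, the listings, the field names and the score weights are all assumptions.

```python
import ipaddress
import re

# Assumed organisation profile the monitoring runs for (constructed; not a real company).
WATCHLIST = {
    "names": ["Example Engineering Ltd"],
    "domains": ["example-eng.co.uk", "example-engineering.com"],
    "cidrs": [ipaddress.ip_network("198.51.100.0/24")],
    "country": "UK",
    "sector": "manufacturing",
    "revenue_gbp": 12_000_000,
}

# Constructed listings in the shape a monitoring feed might deliver: structured
# fields plus the seller's free text. Nothing here is real.
LISTINGS = [
    {"id": "L-001", "country": "UK", "sector": "Manufacturing", "revenue_gbp": 15_000_000,
     "text": "Domain admin via VPN. Example Engineering Ltd, hosts incl. vpn.example-eng.co.uk"},
    {"id": "L-002", "country": "DE", "sector": "Retail", "revenue_gbp": None,
     "text": "RDP access, local admin. Entry host 198.51.100.23, ~400 machines in AD"},
    {"id": "L-003", "country": "UK", "sector": "manufacturing", "revenue_gbp": 10_000_000,
     "text": "UK manufacturer, VPN creds, no MFA"},
    {"id": "L-004", "country": "UK", "sector": "Finance", "revenue_gbp": 90_000_000,
     "text": "Examples Holdings plc, webmail access, see examples.co.uk"},
]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUFFIXES = {"ltd", "limited", "plc", "inc", "llc", "gmbh"}


def normalise_name(name):
    """Lower-case, strip punctuation and drop legal-form suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def domain_in_scope(found, watched):
    """Exact match or a subdomain of a watched domain; 'notexample-eng.co.uk' is not."""
    found = found.lower()
    return any(found == w or found.endswith("." + w) for w in watched)


def ip_in_scope(ip_text, cidrs):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in cidrs)


def score_listing(listing, watch):
    """Return (score, indicators) for one listing against the profile."""
    text = listing["text"]
    indicators = []
    domains = sorted({d.lower() for d in DOMAIN_RE.findall(text)
                      if domain_in_scope(d, watch["domains"])})
    if domains:
        indicators.append(("domain", domains, 60))
    ips = sorted({ip for ip in IPV4_RE.findall(text) if ip_in_scope(ip, watch["cidrs"])})
    if ips:
        indicators.append(("ip", ips, 60))
    norm_text = normalise_name(text)
    names = [n for n in watch["names"]
             if re.search(r"\b" + re.escape(normalise_name(n)) + r"\b", norm_text)]
    if names:
        indicators.append(("name", names, 50))
    # Weak corroboration: the seller's structured fields describe a company like ours.
    if (listing["country"].upper() == watch["country"].upper()
            and listing["sector"].lower() == watch["sector"].lower()):
        indicators.append(("country+sector", [listing["country"], listing["sector"]], 20))
    rev = listing.get("revenue_gbp")
    if rev and 0.5 * watch["revenue_gbp"] <= rev <= 2 * watch["revenue_gbp"]:
        indicators.append(("revenue-band", [rev], 10))
    return sum(weight for _, _, weight in indicators), indicators


def triage(listings, watch, threshold=50):
    """Listings worth an analyst's attention, highest score first."""
    alerts = []
    for listing in listings:
        score, indicators = score_listing(listing, watch)
        if score >= threshold:
            alerts.append({"id": listing["id"], "score": score, "indicators": indicators})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(LISTINGS, WATCHLIST):
        print(alert)
```

The threshold is set so that structured fields alone (L-003: right country, sector and revenue band) stay below it: such a listing is worth a watch entry but not an incident, whereas any direct domain, address or name reference is. Only matches against your own profile are ever stored, so the monitoring output contains nothing about other listed organisations.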
Binary Response provides threat intelligence services, attack surface assessments, and dark web monitoring that directly address the target selection factors described above. Contact us at enquiries@binary-response.com to discuss your exposure.