Ransomware is a business. The operators running it make decisions based on risk-adjusted return, operational cost, and competition — not unlike how legitimate businesses choose markets. When you understand the economics of ransomware operations, the targeting pattern becomes straightforward: mid-market companies, roughly $50 million to $1 billion in revenue, are the primary target segment. Not because attackers have a particular interest in these organizations, but because they offer the best ratio of potential payout to operational complexity and risk.
Understanding why you're a target changes how you prioritize defensive investment.
The targeting calculus
Ransomware operators evaluate potential targets across three dimensions: payout potential, security resistance, and operational and legal risk.
Payout potential correlates most directly with revenue and the degree to which the target's operations depend on the systems being encrypted. A manufacturing company with $200 million in annual revenue that runs production scheduling and supply chain systems on its network has high payout potential — every day of downtime is a concrete dollar figure. A comparable-revenue professional services firm whose business processes are largely document-based may have lower operational disruption from encryption, which translates to lower willingness to pay.
Security resistance is where mid-market organizations become attractive. Large enterprises — Fortune 500 companies, major financial institutions, critical infrastructure operators — have invested in mature security programs, dedicated SOC teams, and tooling that makes initial access, lateral movement, and ransomware deployment substantially harder and more detectable. The operational cost of attacking them is high and the probability of detection before payload deployment is significant. They are, in attacker terms, expensive targets.
Small businesses, conversely, have limited assets and limited ability to pay. A company with $5 million in revenue and $2 million in cash has a hard ceiling on what any ransom demand can realistically achieve. The payout potential doesn't justify the operational investment.
Mid-market companies sit at the intersection of meaningful payout potential and security programs that, while real, are typically under-resourced relative to the attack sophistication available in the current Ransomware-as-a-Service ecosystem.
The Ransomware-as-a-Service model changes the economics
The rise of RaaS operations has dramatically lowered the technical barrier to conducting ransomware campaigns. Ransomware groups like LockBit, ALPHV/BlackCat, and their successors operated (or operate) as affiliate programs — providing the encryption tooling, the negotiation infrastructure, and the data leak site in exchange for a percentage of ransom payments. Affiliates, who conduct the actual intrusions, don't need to develop their own malware. They need initial access skills and the operational capacity to conduct network intrusions.
This commoditization has two consequences for mid-market targeting. First, it enables less sophisticated threat actors to run campaigns against targets that would previously have required nation-state level tooling. Second, it creates a competitive market for targets — affiliates are choosing among available victims based on the same economic calculus described above, and mid-market companies represent a consistently attractive market segment.
Initial access brokers add another layer to this ecosystem. IABs specialize in obtaining and selling network access — compromised VPN credentials, remote desktop access to corporate environments, persistent implants installed through phishing or exploitation. Their customers are ransomware affiliates. The existence of a healthy IAB market means that network access to mid-market organizations is actively bought and sold before any ransomware operator has made a targeting decision. Your compromised credentials may be sitting in a broker's inventory right now.
What mid-market security gaps look like in practice
Post-incident analysis across ransomware cases involving mid-market organizations shows consistent patterns in the gaps that enabled the attack:
- Exposed remote access infrastructure: RDP and VPN endpoints without MFA enforcement, running outdated software versions, or using credentials that have been breached in previous credential dumps. These are the most common initial access vectors — not sophisticated zero-days.
- Flat internal network architecture: Once inside any system, lateral movement is unconstrained. The compromised endpoint can reach every other system on the network because no internal segmentation exists.
- Incomplete backup coverage: Backups exist, but they're on the same network as production systems. Ransomware groups know to encrypt backups along with production data, and they do.
- Limited detection capability: EDR not deployed on every endpoint, SIEM logs collected but not reviewed in real time, and no process to alert on anomalous credential usage or lateral movement patterns.
- Long attacker dwell times: Because detection capability is limited, attackers maintain access for weeks or months before deploying ransomware — enough time to fully map the environment and identify the highest-value data for exfiltration and maximum encryption impact.
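Two of the gaps above (remote-access logins completed without MFA, and nobody alerting on lateral movement) can be surfaced from authentication logs with very little tooling. The following is an added example, not code from the article: it triages a handful of constructed key=value authentication events, flags successful RDP/VPN logins from outside the organization's (hypothetical) RFC 1918 internal ranges that had no MFA step, and flags any account that reaches five or more distinct internal hosts within a 30-minute window. The log format, the internal ranges, the service names and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events in a simple key=value format; not from any real system.
SAMPLE_EVENTS = """\
2024-03-04T02:11:05 user=jsmith service=vpn src=203.0.113.45 dst=vpn-gw01 mfa=no result=success
2024-03-04T02:14:30 user=jsmith service=rdp src=10.10.5.21 dst=fs01 mfa=no result=success
2024-03-04T02:16:02 user=jsmith service=smb src=10.10.5.21 dst=fs02 mfa=no result=success
2024-03-04T02:17:45 user=jsmith service=smb src=10.10.5.21 dst=db01 mfa=no result=success
2024-03-04T02:19:10 user=jsmith service=rdp src=10.10.5.21 dst=app01 mfa=no result=success
2024-03-04T02:21:33 user=jsmith service=smb src=10.10.5.21 dst=backup01 mfa=no result=success
2024-03-04T03:00:00 user=rlee service=rdp src=192.0.2.99 dst=rdp-gw01 mfa=no result=failure
2024-03-04T08:30:00 user=amartin service=vpn src=198.51.100.7 dst=vpn-gw01 mfa=yes result=success
2024-03-04T09:02:11 user=amartin service=rdp src=10.10.7.3 dst=app01 mfa=yes result=success
2024-03-04T09:45:00 user=svc-backup service=smb src=10.10.9.2 dst=fs01 mfa=no result=success
""".splitlines()

# Hypothetical: the address ranges this organization treats as internal (RFC 1918).
# Defined explicitly rather than via ip.is_private so documentation ranges such as
# 203.0.113.0/24 count as external, as a real internet source would.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_ACCESS_SERVICES = {"rdp", "vpn"}


def parse_event(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def external_logins_without_mfa(events):
    """Successful RDP/VPN logins from outside the internal ranges with no MFA step."""
    return [e for e in events
            if e["service"] in REMOTE_ACCESS_SERVICES
            and e["result"] == "success"
            and e["mfa"] == "no"
            and not is_internal(e["src"])]


def lateral_movement_candidates(events, window=timedelta(minutes=30), threshold=5):
    """Accounts that reached >= threshold distinct hosts from an internal source within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and is_internal(e["src"]):
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide a window over each start event
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                findings[user] = sorted(hosts)
                break
    return findings


def triage(lines=SAMPLE_EVENTS):
    events = [parse_event(line) for line in lines]
    return {"no_mfa_external": external_logins_without_mfa(events),
            "lateral_movement": lateral_movement_candidates(events)}


if __name__ == "__main__":
    result = triage()
    for e in result["no_mfa_external"]:
        print(f"[no MFA] {e['ts']} {e['user']} {e['service']} from {e['src']}")
    for user, hosts in result["lateral_movement"].items():
        print(f"[lateral] {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In the constructed data the same account logs in over VPN from an external address without MFA and then fans out to five internal hosts in seven minutes, so both rules fire on it; the failed external RDP attempt and the MFA-backed VPN session are correctly left alone. A real deployment would feed the two functions from the VPN concentrator, RDP gateway and domain controller logs rather than an inline string, and would tune the window and threshold to the environment's normal administrative activity.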
The double-extortion shift
The standard ransomware narrative focuses on encryption: systems are encrypted, ransom is paid, keys are provided, systems are restored. The current operational model for most sophisticated ransomware groups is double extortion — before encrypting, they exfiltrate sensitive data and threaten to publish it on a leak site if the ransom isn't paid.
Double extortion changes the calculus for organizations that believe good backups eliminate ransomware risk. It doesn't. Even with perfect backup coverage and rapid recovery capability, the threat of publishing sensitive customer data, financial records, employee information, or intellectual property creates payment pressure independent of operational disruption. Double extortion ransom demands are typically calibrated to be less than the estimated cost of regulatory fines and reputational damage from a public data disclosure — a pricing model designed to make payment economically rational even for well-prepared organizations.
Defensive prioritization for mid-market organizations
The entry points that ransomware groups most commonly exploit — exposed remote access without MFA, unpatched public-facing services, credential reuse from prior breaches — are also the most tractable to defend against. External attack surface management identifies exposed RDP, VPN, and remote access endpoints continuously. Credential monitoring identifies when employee credentials appear in breach databases. MFA enforcement on all external-facing access dramatically increases the cost of initial access for any threat actor relying on credential-based attacks.
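Credential monitoring, as described above, has a privacy problem built in: an organization does not want to ship its employees' passwords (or even their full hashes) to a third party to find out whether they appear in a breach corpus. The usual answer is a k-anonymity range query, the pattern used by Have I Been Pwned's Pwned Passwords API: the client sends only the first five hex characters of the password's SHA-1, receives every exposed hash suffix under that prefix, and does the match locally. The block below is an added example, not code from the article or from any real service; it implements both the server-side index and the client-side check entirely offline against a small constructed corpus with made-up exposure counts, so the query shape can be seen end to end.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for the example: weak passwords with made-up exposure counts.
# A real corpus holds hundreds of millions of entries; the mechanics are the same.
CONSTRUCTED_BREACH_CORPUS = {
    "password1": 2_400_000,
    "Winter2023!": 1_800,
    "Welcome1": 95_000,
    "letmein": 300_000,
}

PREFIX_LEN = 5  # hex characters sent to the server; 16**5 = ~1M buckets


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(corpus):
    """Server side: bucket exposed passwords by the first 5 hex chars of their SHA-1,
    storing only the remaining 35-char suffix and the exposure count."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Server side: return every (suffix, count) in the bucket for `prefix`.
    The server learns the prefix only, never which suffix the client cares about."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
    return dict(index.get(prefix.upper(), {}))


def exposure_count(password, index):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def check_credentials(accounts, index):
    """Map each account to its password's exposure count, e.g. at password-change time,
    when the plaintext is transiently available to the policy hook."""
    return {user: exposure_count(pw, index) for user, pw in accounts.items()}


if __name__ == "__main__":
    idx = build_breach_index(CONSTRUCTED_BREACH_CORPUS)
    # Hypothetical accounts and candidate passwords, constructed for the example.
    report = check_credentials({"jsmith": "Welcome1", "amartin": "xQ9!vL2#pR8$mN4&"}, idx)
    for user, count in report.items():
        verdict = f"seen {count:,} times in breach data, reject" if count else "not found"
        print(f"{user}: {verdict}")
```

The check belongs in the password-change path (and in any credential rotation after a suspected exposure), since that is the only point at which the plaintext is legitimately in hand; stored hashes in the directory are not reversed for this. If the lookup is moved from the local index to a remote service, the only request that leaves the network is the five-character prefix, which is the whole point of the design.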
None of these are exotic security investments. They don't require a full-time SOC or enterprise-grade tooling budgets. They require consistency, coverage, and operational follow-through on findings. The mid-market organizations that have avoided ransomware events aren't the ones with the largest security budgets. They're the ones that systematically closed the specific gaps that ransomware operators depend on.