Selling ransomware tools fuels a surge in cyber extortion
Ransomware has emerged as one of the most severe threats in cybersecurity, impacting organizations of all sizes—from large global enterprises to small businesses. These attacks are particularly appealing to criminals because they offer a high return with minimal effort. By infiltrating systems and encrypting critical data, attackers can extort significant payments, often inflicting major financial and operational damage, especially on small and medium-sized companies.
According to the RSM US Middle Market Business Index 2025 Cybersecurity Special Report, 26% of middle-market respondents reported experiencing at least one ransomware attack or demand in the previous 12 months (down from 30% in 2024 and 35% in 2023); 31% said their defense measures were unsuccessful against these attacks.
Stats:
RSM US MMBI Cyber Report (Q1 2024):
- 30% of middle-market leaders reported at least one ransomware attack or demand in the previous year.
- Record-high 76% of firms held cyber-insurance, with 61% having two or fewer dedicated security staff.
🔹 Joint CISA/FBI/NSA Advisory (2021):
- In 2021, phishing, stolen RDP credentials, and software vulnerabilities remained the top three ransomware infection vectors.
🔹 U.S. Critical Infrastructure in 2024:
- Ransomware complaints to the FBI’s IC3 rose 9% from 2023, with incidents targeting nearly half of the 16 critical infrastructure sectors. Total reported losses hit $16.6 billion, a 33% increase.
The threat is expanding further with the rise of ransomware-as-a-service (RaaS). Under this model, skilled cybercriminals develop and sell ransomware toolkits and infrastructure to other actors. As a result, attackers no longer need to be highly technical themselves, driving an unprecedented increase in ransomware incidents.
How RaaS Operations Function
RaaS offerings typically include training resources, technical documentation, and ready-to-use malicious code, all packaged to help buyers launch attacks with relative ease. Here are some important points about how this ecosystem works:
Common RaaS business models include:
- Subscription: Buyers pay a set amount in cryptocurrency to use the ransomware for a specific time.
- Affiliate: The developers collect an ongoing fee and take a share of any ransom paid.
- One-time purchase: A complete toolkit is sold outright to the buyer.
These attacks often combine familiar hacking tools such as Mimikatz with advanced exploitation frameworks like Cobalt Strike. This dual approach allows attackers to leverage both known vulnerabilities and emerging zero-day flaws. In addition, sophisticated social engineering tactics and information gathering further amplify the impact when an attack occurs.
Steps to Reduce Ransomware Risk
Ransomware will remain a persistent danger, and no strategy can eliminate it entirely. However, taking certain steps can significantly reduce the likelihood and severity of an incident:
Stay aware of emerging threats
The National Institute of Standards and Technology (NIST) offers detailed guidance on defending against ransomware and recovering if targeted. Similarly, the US-CERT and CISA regularly share updates on new vulnerabilities and evolving attacker techniques.
Maintain reliable backups
Backups are essential not only for disaster recovery but also for restoring data after an attack. The well-established 3-2-1 backup strategy helps safeguard your backup copies. Remember, attackers often strike after hours and on weekends, so frequent backups are critical.
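As an added example (not from the original article or from any backup product), the following Python check audits a backup inventory against the 3-2-1 rule and a freshness limit, using a Monday-morning audit after a weekend with no backup jobs. It assumes the common reading of 3-2-1 (three copies including the production copy, two media types, one backup offsite); `Copy`, `check_321`, the inventory and the 24-hour limit are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Copy:
    dataset: str
    medium: str             # e.g. "disk", "tape", "object-storage"
    offsite: bool           # stored away from the primary site
    taken_at: datetime      # when this copy was last written
    primary: bool = False   # assumption: the live copy counts toward the 3


def check_321(copies, dataset, now, max_age=timedelta(hours=24)):
    """Return 3-2-1 and freshness findings for one dataset (empty list = pass)."""
    mine = [c for c in copies if c.dataset == dataset]
    backups = [c for c in mine if not c.primary]
    findings = []
    if len(mine) < 3:
        findings.append(f"only {len(mine)} copies, need 3")
    if len({c.medium for c in mine}) < 2:
        findings.append("all copies on one media type, need 2")
    if not any(c.offsite for c in backups):
        findings.append("no offsite backup copy")
    newest = max((c.taken_at for c in backups), default=None)
    if newest is None:
        findings.append("no backup copies at all")
    elif now - newest > max_age:
        age_h = (now - newest).total_seconds() / 3600
        limit_h = max_age.total_seconds() / 3600
        findings.append(f"newest backup is {age_h:.0f}h old, limit {limit_h:.0f}h")
    return findings


# Constructed inventory, audited Monday 08:00 after a weekend with no jobs.
MONDAY = datetime(2025, 6, 9, 8, 0)
INVENTORY = [
    Copy("finance-db", "disk", False, MONDAY, primary=True),
    Copy("finance-db", "disk", False, datetime(2025, 6, 6, 22, 0)),  # Friday, local
    Copy("finance-db", "object-storage", True, datetime(2025, 6, 6, 23, 0)),
    Copy("hr-share", "disk", False, MONDAY, primary=True),
    Copy("hr-share", "disk", False, datetime(2025, 6, 9, 2, 0)),     # nightly, same site
]

if __name__ == "__main__":
    for name in ("finance-db", "hr-share"):
        print(name, check_321(INVENTORY, name, MONDAY) or "OK")
```

The first dataset satisfies 3-2-1 but fails on freshness because nothing ran over the weekend; the second is fresh but has too few copies, one media type and nothing offsite.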
Deploy advanced endpoint security
Attackers continually refine their tools and techniques, so it’s crucial to have strong endpoint detection and antivirus solutions configured correctly to detect and disrupt threats early.
Develop an incident response plan
Create and regularly update a plan that details how your organization will handle a ransomware event. Because these incidents can quickly become chaotic, responding rapidly helps minimize costs and damage.
Ransomware has long been a concern, but today’s fast-evolving threat landscape means organizations of every size need a clear strategy to prevent and recover from attacks. Investing in a comprehensive security program helps reduce downtime and limit financial fallout.