Most organizations assume ransomware operators spend weeks profiling their targets before striking. New research from the Sophos X-Ops Counter Threat Unit (CTU) dismantles that assumption for the vast majority of attacks.

The Sophos CTU analyzed extensive telemetry and incident data and reached one core conclusion: ransomware groups do not pick victims based on industry, location, revenue, or strategic value. They scan the internet for exposed systems, find a weakness, and move in. The question attackers ask is not “which company should we hit?” It is “who has an open door?”
What the Sophos CTU Research Found
The Sophos X-Ops CTU report challenges one of the most persistent misconceptions in cybersecurity: that ransomware attackers run deliberate, targeted campaigns against carefully selected organizations.
For financially motivated groups, that is rarely true. Ransomware operators cast a wide net across the internet using automated tools. They scan for known vulnerabilities, exposed ports, misconfigured services, and weak or missing authentication. When they find an exploitable weakness, they gain initial access.
At that point, they have not decided to deploy ransomware yet. They first assess the victim’s network to determine how much money they can extract. That post-compromise evaluation drives the ransomware deployment decision, not any prior research into the organization itself.
Chester Wisniewski, Field CISO at Sophos, explains the financial logic clearly: threat groups target vulnerabilities that give them access to multiple organizations at once, because that approach maximizes their revenue with the least overhead.
The implication is direct: your organization’s reputation, revenue, or industry does not protect it from ransomware. Your security posture does.
How Attackers Actually Choose Their Victims
The opportunistic attack model works because it scales. Ransomware operators do not need to hand-pick targets when automated tools do the reconnaissance for them.
Here is what attackers look for when scanning:
- Unpatched software with known vulnerabilities
- Exposed remote desktop protocol (RDP) ports
- Weak, reused, or stolen credentials
- Missing or misconfigured multi-factor authentication
- Systems running no endpoint detection software
The moment an attacker finds one of these conditions, that organization becomes the next victim. The victim’s identity is entirely secondary to the weakness they present.
Craig Watt, Senior CETI Consultant at Quorum Cyber, put it plainly in response to the Sophos research: organizations that believe they are “too small” or “too niche” to attract ransomware are operating under a dangerous misconception. Attackers care less about your industry than about your defenses.
The Six Stages of a Ransomware Attack
Each stage of the attack lifecycle reveals where your defenses matter most and where attackers are most vulnerable to detection.
Reconnaissance is the first stage. Attackers scan large numbers of systems simultaneously using automated tools. Most of this work requires no human attention, which is why leaving known vulnerabilities unpatched exposes you immediately.
Infection follows once attackers identify a viable entry point. Common routes include phishing emails, malicious links, compromised credentials, and unpatched software. Attackers also exploit phishing emails sent through compromised Microsoft environments to reach targets with a high degree of legitimacy.
Escalation comes next. Attackers integrate their tools into the compromised system to gain deeper control and establish persistence so that rebooting the device does not remove them.
Scanning follows escalation. Attackers map the network, looking for valuable data, connected systems, backup storage, and additional machines to compromise before triggering encryption.
Encryption is where the damage becomes visible. Attackers lock files and data using strong encryption algorithms, cutting off access for everyone in the organization.
Ransom demand closes the cycle. Attackers deliver a note with payment instructions, almost always demanding cryptocurrency for anonymity. Groups using double extortion also threaten to publish stolen data publicly if the ransom goes unpaid, adding pressure on top of the encryption itself.
How Ransomware Gets Into Your Systems
Ransomware reaches victims through several delivery mechanisms, and most of them exploit human behavior rather than sophisticated technical exploits.
Phishing emails are the most common entry point. Attackers send malicious attachments or links, and once a user opens them, ransomware installs and starts working without any visible sign.
Drive-by downloads work differently. A user visits a compromised or malicious website, and malware installs automatically, often without any click or download prompt from the user.
Malspam delivers malware directly to inboxes through email attachments or embedded links. These messages frequently appear legitimate enough to bypass user suspicion.
Malvertising plants malware inside digital ads. These ads appear alongside normal, harmless content and are difficult to distinguish without specialized detection tools.
Social engineering underpins most of the above. Attackers manipulate users into clicking links, opening files, or sharing credentials by creating urgency, fear, or a convincing appearance of authority.
VPN vulnerabilities serve as another primary entry point, particularly for more systematic groups. Akira ransomware, for example, uses VPN vulnerabilities alongside phishing to enter enterprise environments and then escalates access using credential dumping techniques.
Which Organizations Ransomware Hits the Most
Smaller organizations absorb a disproportionate share of ransomware damage, and the Sophos CTU research identifies exactly why: smaller businesses typically carry smaller security budgets, run leaner IT teams, and maintain weaker baseline defenses. These conditions make them consistently easier targets for opportunistic attackers who prioritize low resistance over high value.
This directly contradicts the belief that small organizations fly under the radar. Ransomware operators are not evaluating your company’s profile. They are evaluating your attack surface.
Sector data reinforces this. IBM’s 2024 threat analysis found that 67% of healthcare institutions reported ransomware attacks in the first three quarters of 2024, with average ransom demands exceeding $5.2 million. The software development sector saw ransomware attacks rise 16.7% between Q2 and Q3 of 2024.
These numbers do not reflect deliberate targeting of those sectors. They reflect shared software vulnerabilities that exposed many organizations within those sectors at the same time.
Why Sector-Wide Attack Spikes Happen Without Sector Targeting
When ransomware activity spikes across a particular industry, it appears coordinated. It usually is not.
The Sophos report explains that these spikes trace back to shared technological dependencies. When a critical vulnerability surfaces in a widely used business application, every organization running that application becomes an opportunistic target overnight. The apparent sector specificity is a side effect of shared software, not a deliberate campaign.
The MOVEit breach demonstrates this precisely. Attackers discovered a single SQL injection vulnerability in a widely used file transfer tool and exploited it across all of its users in one campaign. Over 2,500 organizations across multiple industries were hit. None of them were individually selected. They all ran the same vulnerable software.
Releasing a patch does not guarantee organizations will apply it. The window between patch release and deployment is exactly where ransomware operators operate. This is the same pattern seen when actively exploited zero-day vulnerabilities go unpatched across enterprise environments for weeks after disclosure.
When Ransomware Attacks Are Actually Targeted
The Sophos CTU report acknowledges that deliberate targeting does occur, though it represents only a small fraction of the overall ransomware landscape.
State-sponsored actors and ideologically motivated groups select specific victims intentionally, pursuing goals like espionage, critical infrastructure disruption, or public notoriety rather than ransom payment. These actors invest in reconnaissance and use more sophisticated methods than financially motivated opportunists.
Some ransomware-as-a-service (RaaS) affiliates also conduct more systematic targeting. Akira enters systems through phishing emails and VPN vulnerabilities and focuses on enterprises in education, finance, manufacturing, and healthcare. Play (Playcrypt) exploits FortiOS vulnerabilities and exposed RDP servers against high-profile organizations. Qilin customizes its attacks for each victim and applies additional pressure through a proprietary data leak site.
However, for the vast majority of organizations, financially motivated opportunistic ransomware remains the dominant threat. Targeted incidents make headlines because they are unusual, not because they represent the everyday reality of how ransomware operates.
Types of Ransomware to Recognize
Cryptoware is the most prevalent form. It encrypts files so the owner cannot access them without the attacker’s decryption key. Attackers demand payment before providing that key, and paying the ransom provides no guarantee of recovery.
Scareware uses social engineering to alarm victims into paying fake fines or purchasing unnecessary software. It frequently impersonates law enforcement agencies or government officials, claiming the victim’s device contains illegal content.
Screen lockers lock the entire device rather than encrypting files. The victim sees a ransom demand instead of their normal desktop and cannot use the machine until the attacker releases access.
Leakware and doxware skip encryption entirely and instead threaten to publish sensitive information publicly unless the victim pays. Organizations holding proprietary data, patents, or client records are frequent targets of this approach.
Ransomware-as-a-service (RaaS) allows anyone to rent or purchase a complete ransomware package from a criminal group and deploy it against any target they choose. The RaaS provider collects a share of any ransom paid. This model has lowered the technical barrier for launching ransomware attacks to the point where almost no technical skill is required to get started.
How to Protect Your Organization: 8 Key Strategies
The Sophos research carries an encouraging implication: because most ransomware attacks exploit basic, preventable weaknesses, improving your baseline defenses directly reduces your risk of becoming the next victim.
1. Patch consistently: Ransomware operators depend on organizations being slow to patch. Software updates close the known vulnerabilities attackers scan for during the reconnaissance stage. Enable automatic updates where possible and review all software across your environment on a regular cycle.
2. Enable phishing-resistant multi-factor authentication: MFA was absent or misconfigured in more than half of the ransomware incidents the Sophos CTU analyzed. Attackers bypass basic SMS-based MFA through credential theft and SIM swapping. Switching to passkeys or hardware security keys removes that attack path entirely. If you use Microsoft services, setting up a passkey for your Microsoft account and removing SMS authentication closes one of the most commonly exploited entry points.
3. Deploy endpoint detection and response (EDR). EDR tools monitor every device on your network in real time and let your security team identify and contain threats before attackers move laterally and reach critical systems. Standard antivirus is not sufficient. Modern ransomware is designed to evade it. Keep current on Microsoft Defender vulnerabilities as well, since attackers have developed techniques to weaponize endpoint protection tools against the organizations running them.
4. Maintain immutable, offline backups: Backups that attackers can reach and encrypt or delete give you no recovery path. Store backups offline or in environments completely isolated from your main network. Test restoration procedures regularly before you need them under pressure.
5. Use email filtering and web filtering: Most ransomware enters through phishing emails or malicious websites. Email security that blocks malicious attachments and web filtering that blocks known malicious domains reduces the volume of threats that reach your users before they can make a mistake.
6. Apply the principle of least privilege: Give users and systems only the access they need to do their jobs. When attackers compromise a low-privilege account, they face significantly more friction before they can reach sensitive data or deploy ransomware across the network. Limiting privilege limits blast radius. Credential theft attacks against Microsoft 365 environments demonstrate exactly what happens when accounts carry more access than necessary: a single compromised Microsoft 365 account can expose an entire organization’s data without any malware being deployed.
7. Whitelist approved software: Configure your environment so only approved applications can execute. This prevents ransomware from running even if it reaches a device through a phishing email or drive-by download.
8. Train employees to recognize phishing and social engineering: Human error drives most successful initial access attempts. Regular training that teaches employees how to identify suspicious emails, unexpected attachments, and requests for credentials reduces the frequency of successful infections at the earliest stage of the attack lifecycle.
Build a Security Strategy, Not Just a Security Stack
Sophos issues a clear warning about a pattern common in organizations of all sizes: adding security tools without building a coherent strategy behind them. A large tool stack without outcomes-based thinking still leaves gaps attackers can find and exploit.
Security governance, compliance frameworks, and risk management practices give your tools direction and let you measure whether your security spending is actually reducing your exposure. Without that strategy layer, security teams spend most of their time reacting to incidents rather than hardening the environment proactively.
For smaller organizations without dedicated security staff, managed security service providers offer access to monitoring, incident response capability, and strategic guidance that most internal teams cannot staff independently.
What to Do After a Ransomware Attack
If ransomware hits your organization, moving fast on the right steps limits the damage significantly.
Isolate infected systems immediately: Disconnect affected devices from the network to stop ransomware from spreading to adjacent machines and backup systems.
Identify the ransomware variant: Knowing which strain is involved helps security professionals determine whether decryption tools already exist. Some older variants have known decryption keys circulating among IT professionals and law enforcement agencies.
Do not pay the ransom: Authorities consistently advise against payment. It funds further attacks, provides no guarantee of full data recovery, and marks your organization as one willing to pay.
Contact an IT security specialist: A professional can assess the full scope of the compromise, identify the initial entry point, and guide the recovery process systematically.
Restore from clean backups: If you maintain offline, immutable backups, use them to restore affected systems after wiping and rebuilding every compromised machine from scratch.
Report the incident: In the United States, file a report with the FBI’s Internet Crime Complaint Center (IC3). In the United Kingdom, report to the National Cyber Security Centre (NCSC). Reporting helps authorities track active ransomware groups, identify infrastructure, and build cases against operators.
Stop Thinking You Are Not a Target
Ransomware operators are not reading your annual reports or researching your industry. They are running automated scans across millions of systems, searching for exposed ports, unpatched software, and accounts with no multi-factor authentication. The organization presenting the weakest defenses becomes the next victim.
The FBI’s 2024 IC3 report recorded 3,156 ransomware complaints that year, with adjusted losses exceeding $12.4 million. Ransomware-as-a-service continues to lower the barrier for new attackers, and the volume of groups operating grows each year.
Patching consistently, enabling strong authentication, deploying endpoint detection and response, and maintaining tested offline backups directly address the conditions opportunistic attackers depend on. None of these measures require an enterprise budget. They require discipline and consistency.
Ransomware thrives on basic hygiene gaps. Close those gaps, and you stop presenting the easy path attackers need to succeed.
Cybersecurity Guides
