Help Wanted, Bad Actors Apply Within

• Ransomware-as-a-Service has become a highly organized business.
• “Junk gun” ransomware is flooding the market, lowering the barrier to entry for attackers.
• Lacking visibility and strong monitoring, smaller businesses are now the prime targets.
• A handful of proactive capabilities can help undermine RaaS efforts.

Cybercrime is hiring, and no experience is required. Thanks to cheap Ransomware-as-a-Service (RaaS), anyone with an internet connection can apply (please don’t). 

No coding skills? No problem. These plug-and-play ransomware kits make it as easy as subscribing to a streaming service—but instead of watching movies, attackers are holding your critical data hostage.

Since the mid 2010s, RaaS groups have armed its affiliates with a full suite of attack tools, from exploit kits to automated malware deployments, often in exchange for a subscription fee, one-time fee or a share of the profits. But now, with the rise of “junk guns”—affordable, low-grade ransomware—loaded bogeys piloted by newbies are flooding the digital battlefield.

The rise of accessible cybercrime

Cybercriminals have been busy teaming up, scaling up and cashing in. By 2021, organized ransomware cartels were tag-teaming highly targeted campaigns and pulling off multi-extortion schemes. Though it isn’t a new technique, groups selling RaaS are increasingly operating like full-fledged corporations and even offer tiered pricing options to victims—pay to delay data exposure, download stolen data, or destroy it all.

In 2024, RansomHub facilitated over 600 hits on organizations across healthcare, finance and government sectors, making it the most active RaaS group of the year. Attackers are thriving in this new era of organized cybercrime—sharing, reusing and rebranding tools and source codes—fueling a billion-dollar underground market where profit is easy and risks are low. 

But big ransomware cartels aren’t the only criminals on the block wielding RaaS. Regular Joes (disgruntled employees, small-time hustlers or aspiring hackers) are now dishing out the funds for a one-time payment for petty revenge, a quick payday or a shot at joining the big leagues.

Take Kryptina ransomware, which started out as a simple $20 attack toolkit with an $800 customizable option that ultimately was released for free. These bargain-bin kits may seem basic, but they’re still loaded guns pointed right at attackers’ favorite targets—small to midsize businesses (SMBs). 

The high cost of low visibility

Organizations of all sizes are facing crippling downtime, financial loss, data breaches and reputational damage—sometimes even after paying ransom. For SMBs, limited monitoring infrastructure and fewer formal reporting processes means these attacks are more likely to go undetected and unreported, which only reinforces SMBs as irresistible prey to greedy attackers.

But it also means the right visibility can go a long way for SMBs. With real-time threat intelligence, more comprehensive monitoring and simplified reporting, SMBs can stay ahead of these opportunistic attacks and keep their data (and reputation) out of the crosshairs.

Avoid becoming their next target

Enterprise-grade ransomware is now available to all (yikes). But so is enterprise-grade protection (phew). 

Protecting your assets is up to you, but you don’t have to do it alone. With Symantec and Carbon Black in your stack you can gain deep insights into threats thanks to one of the largest civilian threat intelligence networks in the world. We make it easy to track, analyze and share intelligence with law enforcement and government agencies so your SMBs can stay ahead of emerging threats. 

Unsure where to start? That’s ok. Here are just a few of the capabilities you can consider ramping up in your environment to help fortify your defenses.

• Expand visibility across networks, users, endpoints and applications. 
  Carbon Black’s advanced endpoint detection and response (EDR) solution gives you keen insight into every corner of your environment, so you can focus on rapid response and reduce dwell time. We’ll even tip you off as problems arise and store that data for 180 days, simplifying your forensic investigations.
• Protect overlooked assets and shrink your attack surface.  
  Stop ransomware from hitching a ride on software and sneaking into your environment. Carbon Black App Control enforces a default/deny approach so only trusted applications can run. Mission-critical assets (often thought covered but left exposed by traditional security tools) are also covered, so attackers can’t turn them into their next way in.
• Defend against sophisticated LoTL attacks.  
  Prevent bad actors from using your software against you to exfiltrate or encrypt data. Symantec Adaptive Protection blocks Living-off-the-Land (LotL) attacks faster than your traditional tools can—without disrupting the apps your team relies on.
• Leverage AI to stop ransomware in its tracks. 
  Keep those pesky attackers from slinking around laterally in your environment and setting up ransomware throughout your network with the help of AI. SymantecAI’s natural language processing (NLP) makes it easy to investigate and summarize incidents and data, so you can identify suspicious behaviors and shut them down.

Let’s ruin ransomware’s day

Cybercriminals are working together; it’s time we do the same. And that’s not just lip service. Here’s what one customer had to say once Carbon Black was added to their arsenal.

For the latest expert intel on ransomware, check out Ransomware 2025: A Resilient and Persistent Threat, from the Symantec and Carbon Black Threat Hunter Team.