The ransomware attack that shut down a Pittsburgh accounting firm last spring wasn't carried out by some elite hacker with years of training. It was executed by someone with no programming skills who rented the tools from someone who did.
Ransomware-as-a-Service (RaaS) works on a franchise model. The technical operators build the malware and infrastructure, then license it to affiliates who run the actual attacks. The affiliate handles targeting and execution. The developer takes a cut of every successful ransom, typically 20-30%, while the affiliate keeps the rest.
This shift matters because it changes who's targeting your business and why. You're no longer dealing with sophisticated hackers who need years of training. You're dealing with opportunistic criminals who bought a subscription service. The barrier to entry dropped from expert-level programming to basic computer literacy and a willingness to commit felonies.
How the Ransomware Franchise Model Works
Ransomware-as-a-Service operates exactly like a legitimate software business. The core developers create the malware, build the payment infrastructure, maintain victim chat support, and handle the technical complexity. They recruit affiliates through underground forums, often advertising with customer testimonials and success metrics like any other business.
The revenue split varies by group, but typically breaks down 70-80% to the affiliate who executes the attack and 20-30% to the RaaS operator who provides the platform. Some groups take a flat fee instead. LockBit, before law enforcement disrupted it in February 2024, was charging affiliates $300 per month for basic access to their ransomware kit. For that fee, you got the malware, encryption keys, a victim communication portal, and technical support.
Active RaaS Groups (as of 2024)
- RansomHub: Emerged after the LockBit disruption; targets healthcare and education.
- BlackCat/ALPHV: First group to demand $100M+ ransoms; hit Change Healthcare.
- Cl0p: Specializes in supply chain attacks via file transfer software.
- Play: Lower-profile group targeting small to mid-size businesses.
Most RaaS groups have evolved beyond simple file encryption. They now practice "double extortion," which means they steal sensitive data before encrypting systems, then threaten to publish it online if the ransom isn't paid. This creates two pressure points: the immediate operational disruption from encrypted files, and the longer-term reputational and regulatory risk from exposed data.
The sophistication varies widely. High-end groups like BlackCat provide multilingual victim support, detailed payment instructions, and even negotiation services. Lower-tier groups might be three people with a Discord server and a basic encryption tool. But the business model is fundamentally the same: outsource the actual crime to affiliates while taking a percentage of the profits.
Why Small Businesses Are the Perfect Target
RaaS affiliates aren't targeting small businesses because they're valuable. They're targeting them because they're accessible. The FBI's Internet Crime Complaint Center received 2,385 ransomware complaints in 2023, representing $34.3 million in adjusted losses. That's the reported incidents only. The Verizon 2024 Data Breach Investigations Report found ransomware was involved in 24% of all breaches.
The math is simple for attackers. A Fortune 500 company might have a 50-person security team, advanced threat detection, and incident response procedures. A 15-person accounting firm in Squirrel Hill has antivirus software and maybe a part-time IT consultant. The automated scanning tools that affiliates use can find vulnerable systems in minutes. They're looking for unpatched software, weak remote access setups, and default passwords.
Small Business Ransomware Economics
Ransom demands are sized to what businesses can actually pay. A RaaS affiliate isn't asking a local dental practice for $10 million because they know it's impossible. They're asking for $75,000 because that's in the range where the practice might have insurance coverage, business credit, or emergency funds. It's painful but not existential.
The psychological pressure is calculated too. Small business owners often have personal guarantees on business debt and their personal wealth tied up in the company. When ransomware hits on Thursday and payroll is due Monday, the pressure to pay can be overwhelming, even when paying doesn't guarantee that systems will be restored or that the criminals won't strike again.
Tuesday Afternoon at a 12-Person Accounting Firm
Here's what a ransomware incident looks like from the victim's side, based on Sophos's "State of Ransomware 2024" report and incident response data. The business owner sees almost nothing until it's too late.
- Nothing looks wrong: An employee opened a phishing email or a remote access credential was compromised. The system looks normal. No alerts. The intrusion is invisible to standard antivirus.
- Still nothing visible: Criminals have been inside the network for 24-72 hours. They've identified shared drives, located backups, and copied sensitive client files. Your business is operating normally and no one knows.
- Encryption begins: Files start becoming inaccessible across all networked systems. Backups are disabled. This happens overnight specifically to maximize damage before anyone notices.
- First employee arrives: Can't open files. Desktop has a ransom note. Phone starts ringing as other employees arrive and hit the same wall. Payroll is due Monday. Tax deadline is next week.
The entire sequence from initial infection to completed encryption typically takes 12-24 hours for a small business network. The Sophos report found that the median time from initial access to encryption was 5 days globally, but that includes enterprise attacks where criminals spend weeks gathering intelligence. For small businesses, the timeline compresses significantly because there's less network complexity to navigate.
What makes this particularly devastating for small businesses is the timing. The attack often completes over a weekend or holiday when no one is monitoring systems. By the time staff discovers the encryption, the criminals have had hours to perfect their access and destroy recovery options. The business faces immediate operational shutdown with tax season approaching or payroll due in days.
What Your Cyber Policy Actually Covers When Ransomware Hits
A comprehensive cyber insurance policy can be the difference between recovering from a ransomware attack and closing permanently. But understanding what's actually covered requires reading beyond the marketing materials. Here's what a good cyber policy typically includes for ransomware events, plus the fine print that can trip you up.
Typically Covered
- Ransom payment facilitation: Insurer handles negotiation and payment if they determine it's warranted.
- Business interruption losses: Lost revenue during downtime, up to policy limits.
- Forensic investigation: Digital forensics team to determine scope of breach and attack method.
- Data recovery costs: Professional data restoration services and system rebuilding.
- Legal notification requirements: Costs for required customer and regulatory notifications.
- PR and crisis communications: Professional reputation management during and after the incident.
The Fine Print Catches
- Coverage limits on ransom payments: Many policies cap ransom coverage at $100,000-$250,000 regardless of demand.
- MFA requirement: Most carriers now require multi-factor authentication. No MFA, no coverage.
- War exclusion: Nation-state attacks are increasingly excluded. Attribution can be murky.
- Co-insurance requirements: Some policies require you to pay 10-20% of larger claims.
- Retroactive date limits: Some policies don't cover attacks that began before your coverage started.
- Waiting period: Some business interruption coverage doesn't kick in for 8-24 hours after the attack.
The war exclusion controversy deserves special mention. In 2022, Lloyd's of London issued guidance requiring insurers to exclude losses from nation-state cyber attacks. The problem is attribution: when RansomHub encrypts your files, is it cybercriminals or state-sponsored actors? The answer might determine whether your claim gets paid. Most policies now include some form of war exclusion, though the language varies significantly between carriers.
The MFA requirement has become nearly universal among cyber insurance carriers since 2022. Underwriters will specifically ask about multi-factor authentication on email, remote access, and administrative accounts. If you can't demonstrate MFA implementation, many carriers will either decline coverage or price it prohibitively high. This isn't just a checkbox exercise; carriers actually verify it during claims investigations.
Security Steps That Actually Reduce Your Premiums
Cyber insurance carriers aren't asking about your security posture out of curiosity. Every question on the application directly affects your premiums. More importantly, these aren't just insurance requirements; they're the specific controls that RaaS affiliates look for and avoid when scanning for vulnerable targets.
Required for Most Carriers (2024)
- Multi-factor authentication on email and any remote access. No exceptions for "admin convenience."
- Offline backups or immutable cloud backup with at least 30-day retention.
- Endpoint detection and response (EDR) on all business computers, not just basic antivirus.
- Employee security training with documented annual phishing awareness programs.
- Patch management with documented procedures for critical security updates within 30 days.
The backup requirement deserves emphasis because it's the one control that determines whether you'll feel forced to pay a ransom. RaaS groups specifically target and destroy backup systems before encrypting production data. If your backups are connected to your network full-time, they're not really backups in a ransomware context. Many businesses discovered this the hard way in 2023.
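The backup rule above ("offline or immutable, at least 30 days of retention") is easy to state and easy to believe you meet when you don't. The following script is an added example, not part of the article or any carrier's underwriting tooling: it takes an inventory of backup copies and asks the question a claims investigator (or an intruder hunting for backups to destroy) would ask, namely whether at least one copy is unreachable from a compromised production network and recent enough to restore from. The 30-day figure comes from the article; the one-day freshness limit, the BackupCopy fields and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds. The 30-day retention figure is the carrier requirement quoted in
# the article; the one-day freshness limit is an assumption chosen for this example.
MIN_RETENTION_DAYS = 30
MAX_AGE_DAYS = 1


@dataclass
class BackupCopy:
    name: str
    offline: bool        # rotated media or air-gapped target unreachable from production
    immutable: bool      # WORM / object-lock: cannot be deleted or rewritten during retention
    retention_days: int  # days a restore point is kept (and locked, if immutable)
    newest: datetime     # timestamp of the most recent restore point in this copy


def survives_ransomware(copy: BackupCopy) -> Optional[str]:
    """Return None if the copy would survive an intruder who already holds admin
    rights on the production network, otherwise the reason it would not."""
    if copy.offline:
        return None
    if not copy.immutable:
        return "online and mutable: reachable from the network and can be encrypted or deleted"
    if copy.retention_days < MIN_RETENTION_DAYS:
        return (f"immutable but locked for only {copy.retention_days} days "
                f"(carrier minimum is {MIN_RETENTION_DAYS})")
    return None


def assess(copies: List[BackupCopy], now: datetime) -> Dict[str, object]:
    """Evaluate a backup inventory: is there at least one copy ransomware cannot
    reach, and is that copy fresh enough to be worth restoring from?"""
    findings: List[str] = []
    recoverable: List[str] = []
    for c in copies:
        reason = survives_ransomware(c)
        if reason:
            findings.append(f"{c.name}: {reason}")
            continue
        age = now - c.newest
        if age > timedelta(days=MAX_AGE_DAYS):
            findings.append(f"{c.name}: survives, but newest restore point is {age.days} days old")
            continue
        recoverable.append(c.name)
    return {
        "meets_requirement": bool(recoverable),
        "recoverable_copies": recoverable,
        "findings": findings,
    }


# Constructed reference time and inventory for a small firm; all values are illustrative.
NOW = datetime(2024, 9, 10, 8, 0)
SAMPLE_INVENTORY = [
    # Always-mounted NAS share: the classic "backup" that gets encrypted with everything else.
    BackupCopy("nas-share", offline=False, immutable=False, retention_days=14,
               newest=NOW - timedelta(hours=2)),
    # Cloud sync folder: mirrors deletions and encrypted files within minutes.
    BackupCopy("cloud-sync", offline=False, immutable=False, retention_days=30,
               newest=NOW - timedelta(hours=1)),
    # Object-locked bucket, but the lock expires well before the 30-day minimum.
    BackupCopy("object-lock-7d", offline=False, immutable=True, retention_days=7,
               newest=NOW - timedelta(hours=3)),
    # Object-locked bucket with compliant retention and a recent restore point.
    BackupCopy("object-lock-35d", offline=False, immutable=True, retention_days=35,
               newest=NOW - timedelta(hours=6)),
    # Offsite drive: unreachable by an intruder, but nobody has rotated it in nine days.
    BackupCopy("offsite-drive", offline=True, immutable=False, retention_days=90,
               newest=NOW - timedelta(days=9)),
]

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, NOW)
    print("Meets carrier backup requirement:", report["meets_requirement"])
    print("Recoverable copies:", ", ".join(report["recoverable_copies"]) or "none")
    for line in report["findings"]:
        print("  -", line)
```

Run as-is, the sample inventory passes on the strength of a single copy (the 35-day object-locked bucket); remove that one entry and the business has five backup jobs and nothing a ransomware operator could not delete or outwait. Feeding the function a real export of your backup catalogue turns the carrier's question into a yes-or-no answer you can verify before an underwriter or an intruder does.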
These requirements aren't theoretical. When you file a ransomware claim, the insurance company will verify that you actually had these controls in place. They'll check your MFA logs, review your backup procedures, and validate your EDR deployment. If you claimed to have MFA enabled but it wasn't actually configured on the compromised account, your claim can be denied. The verification process is thorough and getting more sophisticated each year.
Want to Know if Your Coverage Actually Protects You in a Ransomware Event?
Most policies have gaps most business owners don't know about until it's too late. We'll review your current coverage and security posture to find the holes before the criminals do.