How Ransomware Gangs Pick Their Targets in 2026

Ransomware isn’t random. That might have been true five years ago when spray-and-pray campaigns dominated the landscape, but the threat actors operating in 2026 run structured operations. They select targets carefully, research thoroughly, and strike when they’ve maximised their chances of a payout.

Understanding how they choose their victims is the first step towards making sure your organisation doesn’t end up on their shortlist.

The Reconnaissance Phase

Before encrypting a single file, ransomware operators spend weeks gathering intelligence. They scan for exposed RDP services, check for unpatched VPN appliances, and crawl public job postings to understand what technologies an organisation runs. A job advert looking for a Citrix administrator tells an attacker exactly where to focus their efforts.

They also buy access from initial access brokers. These are separate criminal groups that specialise in compromising networks and selling that access to the highest bidder. A foothold in your network might sell for a few thousand pounds, but the ransomware that follows could cost you millions.

Revenue Determines the Ransom

Attackers research their targets’ financial health. They check Companies House filings, look at annual reports, and even read press releases about funding rounds. The ransom demand gets calibrated against what they believe the organisation can afford to pay.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Ransomware groups operate like businesses now. They research their targets, calculate potential ransom amounts based on revenue, and even check whether the organisation carries cyber insurance. If you haven’t tested your external perimeter recently, you’re making their job far too easy.”

This financial due diligence means that midsized businesses with decent turnover but limited security budgets sit squarely in the crosshairs. They’re large enough to pay meaningful ransoms but often lack the mature security programmes that would make the attack too costly to execute.

Hardening Your External Footprint

Regular external network penetration testing identifies the same weaknesses that ransomware groups look for: exposed management interfaces, outdated SSL certificates pointing to legacy systems, and services running on non-standard ports that haven’t been included in your patch management cycle.

Pairing that with continuous vulnerability scanning services gives you an ongoing view of your attack surface rather than a point-in-time snapshot. Threats change quickly, and your monitoring needs to keep pace.
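To make the three weakness types named above concrete, here is an added example (not from the original article) that triages the results of scanning your own perimeter against your patch inventory. The record layout, the service classification, the reading of "outdated" as expired, and all sample data are assumptions constructed for illustration.

```python
from datetime import date

# Assumed classification; adjust to your own environment.
MGMT_SERVICES = {"rdp", "ssh", "telnet", "vnc", "winrm"}
STANDARD_PORTS = {"http": 80, "https": 443, "ssh": 22, "rdp": 3389,
                  "telnet": 23, "vnc": 5900, "winrm": 5985, "smtp": 25}

# Constructed sample: results of scanning your own perimeter.
# (host, port, service, certificate notAfter date or None)
SCAN = [
    ("203.0.113.10", 443, "https", date(2027, 3, 1)),
    ("203.0.113.10", 3389, "rdp", None),
    ("203.0.113.22", 8443, "https", date(2024, 11, 30)),
    ("203.0.113.40", 2222, "ssh", None),
    ("203.0.113.51", 25, "smtp", None),
]
# Constructed sample: (host, port) pairs covered by patch management.
PATCH_INVENTORY = {("203.0.113.10", 443), ("203.0.113.10", 3389),
                   ("203.0.113.51", 25)}


def triage(scan, patch_inventory, today):
    """Return sorted (host, port, reason) tuples for the three weakness types."""
    findings = []
    for host, port, service, not_after in scan:
        # Management protocols reachable from the internet.
        if service in MGMT_SERVICES:
            findings.append((host, port, "management interface exposed"))
        # Expired certificates often mark forgotten legacy systems.
        if not_after is not None and not_after < today:
            findings.append((host, port, "certificate expired"))
        # Services on unexpected ports that nobody is patching.
        if (STANDARD_PORTS.get(service) != port
                and (host, port) not in patch_inventory):
            findings.append((host, port, "non-standard port outside patching"))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, reason in triage(SCAN, PATCH_INVENTORY, date(2026, 1, 15)):
        print(f"{host}:{port}  {reason}")
```

Feeding it each new scan and diffing the output against the previous run gives the ongoing view described above rather than a point-in-time snapshot.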

Backups Alone Won’t Save You

The old advice of keeping good backups as a ransomware defence has aged poorly. Modern ransomware operations exfiltrate data before encrypting it. Even if you restore from backups without paying a penny, the attackers threaten to publish sensitive client data, intellectual property, or financial records unless you pay.

This double extortion model means that prevention genuinely matters more than recovery. Invest in keeping attackers out rather than assuming you can simply bounce back after an incident. The organisations that survive ransomware without catastrophic damage are the ones that made the attackers’ job difficult enough that they moved on to an easier target.
