
Every Organization Is a Ransomware Target. Prepare with Breach Containment.

Imagine you’re out fishing and looking to catch your dinner. You don’t care which fish you catch tonight, only that you catch one.  

You’re standing at the edge of a massive lake with your fishing rod in your hand. It makes no difference which direction you cast it. Left, right, or straight out, the lake stretches in every direction, and any hook that lands in the water gets you dinner.

That is the image Jen Ellis, founder of NextJenSecurity, used on a recent episode of The Segment podcast to explain how most ransomware groups choose their targets.  

The choice is rarely the result of careful research into which organization has the deepest pockets or the most sensitive data. More often, it comes down to whatever is reachable, exploitable, and falls inside a loose set of boundaries that keep the attacker out of trouble with their own government.

For years, plenty of organizations, especially smaller ones but also mid-size enterprises, have treated the absence of an obvious motive as a reason to underinvest in security. If targeting actually works the way Jen described, that logic falls apart.  

Almost everyone connected to the internet is standing somewhere in the lake. The question that matters most is what happens after ransomware lands near you, regardless of how likely a target you assumed you were.

A Zero Trust security strategy grounded in segmentation gives an answer.

How ransomware attackers choose targets

Jen pointed out that most ransomware groups operate out of countries that function as safe havens for bad actors. This is either because the activity makes up too much of the local economy to prosecute, or because the host nation tacitly allows it as long as certain lines don’t get crossed.  

Those lines are usually about geography and politics. Don’t target organizations at home, and don’t do anything that risks triggering a serious international response.

Inside those boundaries, the rest of the world is fair game, and the boundaries are wide. An attacker exploiting exposed systems across the developed world stays well within the rules that matter to their host nation. The only decision left is which exposed system to exploit.

That is what makes the fishing analogy so useful. The fish that end up on the attacker’s plate are simply whichever ones happened to be in that spot when their hook hit the water. The organizations that get hit are whichever ones happened to be reachable when the attack landed.

AI puts more ransomware attacks in more hands

With today’s AI tools, the barrier to deploying ransomware keeps getting lower, and the number of people capable of deploying it keeps growing.  

Jen pointed out that AI is likely to act as a leveler for low-resource attackers. This is particularly true in countries that combine high access to technical infrastructure with high unemployment.  

That means the volume of opportunistic, reach-driven attacks is set to increase across the board as more attackers gain access to AI tools.  

The math behind “we’re probably fine because nobody would bother with us” gets worse every year this trend continues.

Why “we’re not a target” is the most expensive sentence in security

Jen told a story about a family-owned shoe factory under pressure to close: the kind of business passed down through generations that employs a meaningful share of the people in its town.  

If a ransomware attack hit a business like that, the owner would face enormous pressure, with the company’s future and the jobs that depend on it on the line. In that moment, the temptation to quietly pay the ransom and move on becomes real, whatever the policy debate says about it.

What stands out in that story is how existential a ransomware incident can feel for an organization that nobody would call a target in any meaningful sense. Preparation determines how severe an incident feels from the inside, far more than size or visibility do.

A large, well-known enterprise with a tested incident response plan and a segmented environment can absorb a ransomware event as a difficult week. A small business with a flat network and no plan can have the same event end the company.  

That difference gets decided well before the attack happens, by the choices the organization made about its own environment.

The security poverty line makes the wrong bet worse

This problem is bigger than any single company.  

Jen pointed out that the UK economy, like most developed economies, is overwhelmingly made up of small- and medium-sized businesses. The organizations that are least likely to believe they’re targets, and least likely to have budget for ongoing security investment, make up most of the economy.

Jen described this problem as the security poverty line.  

And what makes it even more difficult is that security spending doesn’t work like other safety investments. Installing a fence or a ramp is a one-time project you budget for and complete. Security investment keeps growing year over year, as threats evolve and infrastructure ages. This can make it a much harder sell to leadership that is already stretched thin.

Put all of these factors together with the ease of AI-generated attacks, and the picture gets uncomfortable.

Containment is the one lever every organization controls

Jen brought back an old saying in security: a defender has to be right every minute of every day, while an attacker only has to get lucky once.  

That asymmetry isn’t going away. And AI doesn’t change it in any fundamental way, since both sides get access to better tools.

What breach containment changes is what getting lucky once actually means for the attacker.  

If an exploit lands on a flat network, that one lucky moment can turn into access across the entire environment. If it lands inside an environment built on Zero Trust controls, including segmentation, then workloads, applications, and systems can only communicate with what they need to, and the same lucky moment turns into a contained incident in one part of the business.

A Zero Trust security strategy grounded in segmentation is one lever every organization has, regardless of size, visibility, or how interesting an attacker might find them.  
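The contrast between a flat network and a segmented one can be made concrete by computing how far an attacker can pivot from a single foothold under each policy. The block below is an added illustration, not Illumio's code and not anything presented in the episode. The hostnames, labels and allow-list rules are constructed for the example, and the "pull-backup" policy is an assumed hardening step included to show why the direction of permitted flows matters for ransomware in particular.

```python
from collections import deque

# Constructed inventory for this example: hostname -> segmentation label.
# These hosts and labels are assumptions, not taken from the article.
WORKLOADS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "hr-fileshare": "hr", "finance-erp": "finance",
    "backup-01": "backup",
}

# Label-based allow-list: (source label, destination label, destination port).
# Default deny: anything not listed is blocked, including traffic between
# hosts that share a label. The port is recorded for realism; the reachability
# check below only cares whether some flow between the two labels exists.
SEGMENTED_POLICY = frozenset({
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "backup", 443),   # app servers push backups to the backup host
    ("db", "backup", 443),
})

# Same environment, but the backup host pulls from the database and nothing
# may initiate a connection to it. (Assumed hardening step for illustration.)
PULL_BACKUP_POLICY = frozenset({
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("backup", "db", 5432),
})

# A flat network has no policy: every host can reach every other host.
FLAT = None


def flow_allowed(policy, src, dst, labels=WORKLOADS):
    """Return True if host `src` may initiate a connection to host `dst`."""
    if src == dst:
        return False
    if policy is FLAT:
        return True
    src_label, dst_label = labels[src], labels[dst]
    return any(s == src_label and d == dst_label for s, d, _port in policy)


def blast_radius(foothold, policy, labels=WORKLOADS):
    """Hosts an attacker who has compromised `foothold` can reach by moving
    laterally over permitted flows. Breadth-first search over the policy
    graph, treating every reachable host as a new pivot point. This is an
    upper bound: it counts hosts that are reachable, not hosts that are
    also exploitable."""
    reached = {foothold}
    queue = deque([foothold])
    while queue:
        pivot = queue.popleft()
        for host in labels:
            if host not in reached and flow_allowed(policy, pivot, host, labels):
                reached.add(host)
                queue.append(host)
    reached.discard(foothold)
    return reached


def worst_case_foothold(policy, labels=WORKLOADS):
    """The foothold whose compromise exposes the most hosts, and that count."""
    radii = {host: len(blast_radius(host, policy, labels)) for host in labels}
    worst = max(radii, key=radii.get)
    return worst, radii[worst]


if __name__ == "__main__":
    scenarios = [("flat", FLAT), ("segmented", SEGMENTED_POLICY), ("pull-backup", PULL_BACKUP_POLICY)]
    for name, policy in scenarios:
        reach = blast_radius("web-01", policy)
        print(f"{name:12} foothold web-01 reaches {len(reach)} of {len(WORKLOADS) - 1}: {sorted(reach)}")
        print(f"{'':12} backup-01 reachable from web-01: {'backup-01' in reach}")
```

Run against the constructed inventory, a foothold on web-01 reaches every other host on the flat network, four hosts under the segmented allow-list, and three under the pull-backup variant, where the backup host is no longer reachable from anything in the web or app tiers. The last point is the practitioner's caveat: segmentation that still lets an application tier push to backups leaves the backups inside the blast radius, which is exactly where ransomware operators look first.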

The ransom payment debate is solving the wrong layer

Jen discussed the debate over banning ransom payments and made a point that is easy to miss in the back and forth.  

Banning payments only changes what an organization is allowed to do once an attack has already happened. It does nothing to change how attackers decide who to hit.

Jen used this comparison. Imagine telling someone that handing over their wallet during a mugging is against the law. The mugging still happens, and a victim who hands over the wallet anyway has now broken the law on top of being robbed.

Containment sits earlier in the timeline than any payment decision. A team that has already limited how far an attacker can move laterally doesn’t face the same pressure-cooker choice between paying the ransom or shutting down operations.  

The payment debate decides what an organization can do after a breach happens. Containment decides how much of the organization that breach gets to touch. That’s the layer that actually determines the outcome.

Ransomware risk will only grow

Every organization connected to the internet is within reach of ransomware, and the number of attackers capable of acting on that keeps growing as AI tools become more accessible.

None of that changes based on how interesting your organization looks to attackers on paper.

Containment is the one variable in this picture that every organization actually controls. The organizations that build a Zero Trust strategy with segmentation as core infrastructure now are the ones that will keep a ransomware attack from taking down their entire operation.

Breaches are inevitable, and that has always been true for organizations of every size. Keeping those breaches small comes down to building breach containment into your architecture.

Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.
