Nobody is hunting you

The world's oldest spider lived in the same hole for forty-three years and never picked a target — and that is now your security model.

There was a spider in Australia who lived in the same hole for forty-three years.

Her name was Number 16 — assigned by a researcher in 1974 who pegged her burrow as part of a study and then kept checking on it for four decades. A female trapdoor spider, she'd dug a vertical tunnel as a juvenile, capped it with a hinged silk-and-dirt door, and waited.

Sit at the bottom of a hole. Feel the lid for vibrations. Eat whatever walks across.

She never picked a target in her life. She is the longest-lived spider ever recorded.

She didn't hunt. She didn't choose. Some of the vibrations were beetles. Some were the wind. Most days, nothing. Occasionally something the right size crossed the door, and the trapdoor opened.

This is now your security model. Or rather, the security model of the people coming for you.

Most founders carry the wrong mental picture. They imagine a hooded figure choosing their company specifically, studying the team page, doing reconnaissance, plotting. That can happen later. But most attacks don't start that way.

They start with somebody sitting in a hole and feeling for vibrations.

Nobody has to hunt you. Something is scanning you.

The internet is small.

There are roughly 3.7 billion publicly routable IPv4 addresses, and a free open-source tool called ZMap, released by University of Michigan researchers in 2013, can scan all of them on a single port in under forty-five minutes. Anyone can download it. Many people have.

So here is what actually happens.

Somebody picks a flaw: a bug in a popular VPN, a misconfigured database, a forgotten admin panel, a leaked credential pattern. They write or rent a scanner that fingerprints every host on the public internet showing that weakness, then tries the flaw against each result.

They go to bed.

In the morning they have a list.

The list is not sorted by industry, revenue, headcount, or whether anyone on your team went to Stanford. It is sorted by the order the scanner found you in.

Your company is on that list because you have something facing the internet that the scanner recognized. There is no opinion about your company anywhere in this story.

Sorry.
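The scanner's-eye view is easy to reproduce against your own address block. The example below is added here and is not from the essay; it takes constructed records of the kind a ZMap sweep plus a banner grab would return (address, port, banner, nothing else) and reports, in discovery order, what an opportunistic scanner would key on: services that should never face the internet, admin panels, and a product whose version falls in a vulnerable range. The product name "ExampleVPN Gateway", the fixed-in version 9.1.5, and all addresses and banners are placeholders, not a real advisory.

```python
"""Exposure review from the scanner's point of view.

Added example, not part of the original essay. Every host, banner and
version pattern is constructed; the flaw the scanner keys on is a
placeholder product with an assumed fixed-in version, not a real CVE.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One row of sweep output: the scanner sees only this, never a company."""
    ip: str
    port: int
    banner: str


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    reason: str


# Constructed sample of what a sweep of your own block might return (RFC 5737 test range).
SAMPLE_SWEEP = [
    Service("203.0.113.10", 443, "Server: nginx/1.24.0"),
    Service("203.0.113.11", 3389, "RDP"),
    Service("203.0.113.12", 27017, "MongoDB 4.4.0"),
    Service("203.0.113.13", 443, "ExampleVPN Gateway 9.1.2"),
    Service("203.0.113.14", 8080, "Jenkins 2.401"),
    Service("203.0.113.15", 443, "ExampleVPN Gateway 9.1.7"),
]

# Ports that should essentially never be reachable from the public internet.
NEVER_PUBLIC = {
    445: "SMB", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Management consoles that get found by banner rather than by port.
ADMIN_PANEL = re.compile(r"\b(Jenkins|phpMyAdmin|Grafana|Kibana)\b", re.IGNORECASE)

# The kind of fingerprint a volume scanner is built around: product plus version.
# Placeholder product; FIXED_IN is an assumed vendor fix version, not a real one.
VULN_PATTERN = re.compile(r"ExampleVPN Gateway (\d+)\.(\d+)\.(\d+)")
FIXED_IN = (9, 1, 5)


def is_vulnerable_vpn(banner: str) -> bool:
    """True when the banner is the placeholder product at a version below FIXED_IN."""
    match = VULN_PATTERN.search(banner)
    if not match:
        return False
    version = tuple(int(part) for part in match.groups())
    return version < FIXED_IN


def review(sweep) -> list:
    """Return findings in the order the sweep produced them.

    Nothing here sorts by industry or revenue: the list is ordered exactly
    as the scanner encountered the hosts, which is the point of the essay.
    """
    findings = []
    for svc in sweep:
        if svc.port in NEVER_PUBLIC:
            findings.append(Finding(svc.ip, svc.port, f"{NEVER_PUBLIC[svc.port]} exposed to the internet"))
        elif ADMIN_PANEL.search(svc.banner):
            findings.append(Finding(svc.ip, svc.port, "admin panel exposed to the internet"))
        elif is_vulnerable_vpn(svc.banner):
            findings.append(Finding(svc.ip, svc.port, "version below assumed fix " + ".".join(map(str, FIXED_IN))))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_SWEEP):
        print(f"{f.ip}:{f.port}  {f.reason}")
```

Run it on real sweep output of your own ranges (with permission to scan them) and the list you get is the list the other side gets, in the same order; the nginx host and the patched gateway produce nothing, which is exactly why patching and closing ports is the whole game here.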

Where the army of scanners came from

Cybercrime used to look more like a hunt.

The big-game crews — Conti, REvil, DarkSide — picked targets and worked them. They wanted whales. Hospitals, pipelines, large manufacturers, Fortune 500s. Spend months inside a network, steal the data, encrypt the systems, demand millions.

Then, in February 2022, an insider dumped tens of thousands of Conti's internal chat messages online.

What the leak revealed was, frankly, stupid.

Conti was not a movie villain. It was a software company with crime as the product. Salaries. Bonuses. Managers. Recruiters. People asking for time off. Some recruits apparently thought they were joining something closer to ad-tech and only worked out what was happening later.

The brand became toxic. The company dissolved. But the people, code, tactics, and affiliate networks did not disappear. They scattered into the rest of the ransomware economy. Government advisories now describe groups like Akira as having possible links to the defunct Conti operation.

The important change was not that the talent vanished. It was that the model changed.

The new generation runs on volume.

Ransomware groups still hit large organizations. But the downmarket version is industrialized: scan broadly, buy access, reuse tooling, automate the boring parts, and monetize whoever answers the door. Small and medium-sized businesses are not the exception to this model. They are the market.

You are easier to reach. You patch more slowly. Your backups may or may not work.

That is enough.

What they actually do with you

This is where the story usually stops.

"Ransomware" is the word everyone knows, and it is the headline outcome: encrypt the files, demand payment, pray the decryptor works. Sometimes it doesn't.

KNP was a 158-year-old British logistics company. The fleet was called Knights of Old; the trucks said "Service With Honour" on the side. In June 2023, attackers linked to Akira got in through one employee account with a weak password and no MFA. They encrypted the company's systems and demanded millions.

KNP had cyber insurance.

It wasn't enough.

The company went into administration that September, and roughly 700 people lost their jobs. The director later said he never told the specific employee whose password it was. "Would you want to know if it was you?"

One weak password. One missing checkbox. 158 years.
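The two controls that story turns on can be written down in a few lines. The example below is added here and is not KNP's, Akira's, or the essay's code: it rejects a password that appears in a breach corpus using a prefix-range lookup of the kind the Pwned Passwords API uses, and it refuses to treat a correct password as enough when the account has no second factor enrolled. The corpus, the users, and the password "Knights2023" are constructed for the example; they are not a claim about what KNP's actual password was. The stored hash is plain SHA-256 only to keep the example self-contained; a real system would use a slow password hash such as argon2 or bcrypt.

```python
"""Breached-password rejection plus an MFA gate at sign-in.

Added example, not anyone's production code. The breach corpus and user
list are constructed. The range lookup mirrors the k-anonymity scheme of
the Pwned Passwords API (client sends a 5-char SHA-1 prefix, gets back
suffixes), but runs entirely offline against a local table.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a breach corpus; "Knights2023" is invented here.
BREACHED_CORPUS = ["password1", "Summer2023!", "welcome123", "Knights2023"]


def sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus) -> dict:
    """Index SHA-1 digests by their first five hex chars, the way a range
    service serves them, so a client never has to reveal the full hash."""
    index = {}
    for pw in corpus:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_CORPUS)


def password_is_breached(password: str, index=RANGE_INDEX) -> bool:
    """Look up only the 5-char prefix, then match the suffix locally."""
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


@dataclass(frozen=True)
class Account:
    username: str
    password_hash: str   # constructed: SHA-256 hex; use argon2/bcrypt in real systems
    mfa_enrolled: bool


def make_account(username: str, password: str, mfa_enrolled: bool) -> Account:
    return Account(username, hashlib.sha256(password.encode("utf-8")).hexdigest(), mfa_enrolled)


def login_decision(account: Account, supplied: str) -> str:
    """Order matters: never confirm a password is correct before the breach check
    would matter, and never let a lone password open an account without MFA."""
    supplied_hash = hashlib.sha256(supplied.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(supplied_hash, account.password_hash):
        return "deny: bad credentials"
    if password_is_breached(supplied):
        return "deny: password found in breach corpus, reset required"
    if not account.mfa_enrolled:
        return "deny: MFA enrollment required before sign-in"
    return "allow: password accepted, proceed to second factor"


# Constructed users: (username, password, mfa_enrolled).
SAMPLE_USERS = [
    ("driver01", "Knights2023", False),
    ("dispatch", "k9#Trolley-Hinge-Quartz", False),
    ("finance", "v7!Brass-Lantern-Moss", True),
]


def audit(users=SAMPLE_USERS) -> dict:
    """Simulate a correct-password sign-in for each user; return {username: decision}."""
    return {u: login_decision(make_account(u, pw, mfa), pw) for u, pw, mfa in users}


if __name__ == "__main__":
    for user, decision in audit().items():
        print(f"{user:10s} {decision}")
```

The point of the ordering in `login_decision` is that a leaked password fails even when it is the right one, and a good password with no second factor still fails; either check alone would have left the KNP account open.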

But ransom is only one thing a compromised box is good for.

The same scan that finds you can sell you in any of the following ways: