# Nobody is hunting you

> The world's oldest spider lived in the same hole for forty-three years and never picked a target — and that is now your security model.

- Canonical URL: https://shielda.ai/blog/nobody-is-hunting-you/
- Published: 2026-05-06
- Author: Vasyl
- Reading time: 7 min read
- Tags: Ransomware, SMB Security, Attack Surface
- Cover image: https://shielda.ai/blog/covers/nobody-is-hunting-you.webp

There was a spider in Australia who lived in the same hole for forty-three years.

Her name was Number 16 — assigned by a researcher in 1974 who pegged her burrow as part of a study and then kept checking on it for four decades. A female trapdoor spider, she'd dug a vertical tunnel as a juvenile, capped it with a hinged silk-and-dirt door, and waited.

Sit at the bottom of a hole. Feel the lid for vibrations. Eat whatever walks across.

She never picked a target in her life. She remains the longest-lived spider ever recorded.

She didn't hunt. She didn't choose. Some of the vibrations were beetles. Some were the wind. Most days, nothing. Occasionally something the right size crossed the door, and the trapdoor opened.

This is now your security model. Or rather, the security model of the people coming for you.

Most founders carry the wrong mental picture. They imagine a hooded figure choosing their company specifically, studying the team page, doing reconnaissance, plotting. That can happen later. But most attacks don't start that way.

They start with somebody sitting in a hole and feeling for vibrations.

## Nobody has to hunt you. Something is scanning you.

The internet is small.

There are roughly 3.7 billion publicly routable IPv4 addresses, and ZMap, a free open-source scanner released by University of Michigan researchers in 2013, can probe every one of them on a single port in under forty-five minutes from one machine on a gigabit link. Anyone can download it. Many people have.

So here is what actually happens.

Somebody picks a flaw: a bug in a popular VPN, a misconfigured database, a forgotten admin panel, a leaked credential pattern. They write or rent a scanner that fingerprints every host on the public internet that looks like it has that weakness, then tries the exploit or the credential against each hit.

They go to bed.

In the morning they have a list.

The list is not sorted by industry, revenue, headcount, or whether anyone on your team went to Stanford. It is sorted by the order the scanner found you in.

Your company is on that list because you have something facing the internet that the scanner recognized. There is no opinion about your company anywhere in this story.

Sorry.

## Where the army of scanners came from

Cybercrime used to look more like a hunt.

The big-game crews — Conti, REvil, DarkSide — picked targets and worked them. They wanted whales. Hospitals, pipelines, large manufacturers, Fortune 500s. Spend months inside a network, steal the data, encrypt the systems, demand millions.

Then, in February 2022, an insider dumped tens of thousands of Conti's internal chat messages online.

What the leak revealed was, frankly, stupid.

Conti was not a movie villain. It was a software company with crime as the product. Salaries. Bonuses. Managers. Recruiters. People asking for time off. Some recruits apparently thought they were joining something closer to ad-tech and only worked out what was happening later.

The brand became toxic. The company dissolved. But the people, code, tactics, and affiliate networks did not disappear. They scattered into the rest of the ransomware economy. Government advisories now describe groups like Akira as having possible links to the defunct Conti operation.

The important change was not that the talent vanished. It was that the model changed.

The new generation runs on volume.

Ransomware groups still hit large organizations. But the downmarket version is industrialized: scan broadly, buy access, reuse tooling, automate the boring parts, and monetize whoever answers the door. Small and medium-sized businesses are not the exception to this model. They are the market.

You are easier to reach. You patch more slowly. Your backups may or may not work.

That is enough.

## What they actually do with you

This is where the story usually stops.

"Ransomware" is the word everyone knows, and it is the headline outcome: encrypt the files, demand payment, pray the decryptor works. Sometimes it doesn't.

KNP was a 158-year-old British logistics company. The fleet was called Knights of Old; the trucks said "Service With Honour" on the side. In June 2023, attackers linked to Akira got in through one employee account with a weak password and no MFA. They encrypted the company's systems and demanded millions.

KNP had cyber insurance.

It wasn't enough.

The company went into administration that September, and roughly 700 people lost their jobs. The director later said he never told the specific employee whose password it was. "Would you want to know if it was you?"

One weak password. One missing checkbox. 158 years.

But ransom is only one thing a compromised box is good for.

The same scan that finds you can sell you in any of the following ways:

* **Cryptominers.** Quietly install a miner on your servers and let your cloud bill pay for the compute and electricity it takes to mint Monero. You pay the invoice. They keep the coins. You notice when the bill triples.
* **Botnets.** Your machines, that warehouse IP camera, that office router nobody's logged into since 2019 — all conscripted into a network the operator rents out by the hour for DDoS, click fraud, or password spraying against the next round of victims. Your bandwidth, somebody else's job.
* **Stolen credentials.** Your CRM password, your email session cookies, your developer tokens. Repackaged and sold to whichever group specializes in turning them into wire fraud, cloud abuse, or another ransomware case.
* **Spam and phishing infrastructure.** Your SMTP server, your domain reputation, your customer trust. Used to send phishing emails. From you. To people who already know your name.

A scanner doesn't have a preference.

The same compromised box might become ransom this week, a miner next month, a botnet node by Christmas. Everything is monetizable.

## How they actually walk in

Three doors, mostly.

The first is anything internet-facing with a known unpatched bug: a VPN, a firewall, an admin panel, a remote desktop service, an old web app nobody owns anymore.

The second is stolen or weak credentials. Some are guessed. Some are reused from old breaches. Some are stolen by malware from an employee's browser and sold in bulk to whoever wants access.

The third is phishing, which has been declared dead every year since 2007 and is still here.

Notice what is not on this list.

Nobody needed to admire your Series A. Nobody needed to study your org chart. Nobody needed to decide your company was special.

You were on a list because something of yours was reachable, and somebody got to your row.

After that, they may become very interested in you. Once they are inside, attackers do look around. They check what systems you have, what data you store, whether your backups are reachable, who has admin rights, and how much pressure they can apply.

The beginning is impersonal.

The ending is not.

## Where SMBs get this wrong

The first mistake is: "We don't have anything worth stealing."

They are not always trying to steal your product roadmap. They want your compute, your bandwidth, your identity, your customer trust, your cloud account, your email access, or your ability to operate on Monday morning.

All of which you have, by default.

The second mistake is: "We'll figure it out when it happens."

Modern ransomware moves fast. The time from initial access to encrypted servers is now measured in hours, not weeks. The "we'll deal with it then" plan ends with you reading a Bitcoin tutorial at 3 a.m. while payroll, dispatch, email, invoicing, and customer support are all down.

KNP had a plan.

It was insurance.

The third mistake is treating security like a project you finish.

You "got compliant." You "did a pen test." You "set up MFA last year." You "moved everything to the cloud," as if the cloud were a monastery and not a warehouse in Virginia with your config mistakes still inside.

Security is not a project. It is a maintenance schedule.

The list of things you have facing the internet changes every time you ship, every time someone starts a trial of a new tool, every time a contractor opens a port to debug something, every time a domain gets forgotten, every time a laptop leaves the company without being wiped.

Attackers only need the thing you stopped thinking about.

## What to do this week

Do the boring things first. Boring is underrated. Boring is what keeps you off the morning list.

* **Find out what's facing the internet.** Most SMBs cannot list their own external attack surface. They discover it during incidents, which is a bad time to start. Open your cloud console, DNS records, firewall rules, hosting accounts, SaaS admin panels. Write the list down.
* **Put an owner next to every exposed system.** If a VPN, server, database, admin panel, website, or router has no named owner, it will not get patched. "Everyone" is not an owner. "IT" is not an owner. A person is an owner.
* **Turn on MFA everywhere there is a login.** Not just email. VPN, admin panels, cloud consoles, source code, finance tools, the password manager itself. Use hardware keys or passkeys for anyone with admin access, number-matching push at minimum, and remove the SMS fallback from those accounts. Mostly one-time setup. Defends you while you sleep.
* **Patch the things that let people in.** Firewalls, VPNs, remote access tools, identity providers. Start public-facing. Subscribe to vendor advisories for what you actually run.
* **Test your backups.** Not "do we have backups?" The question is: can you restore the systems you need to operate on Monday morning, and how long does it take? Keep at least one copy that normal admin credentials cannot delete, overwrite, or encrypt. A backup the attacker can reach with the same credentials they already stole is not a backup. It is a delayed apology.
* **Remove what you do not need.** Old admin panels. Forgotten subdomains. Trial accounts. Open ports. Unused VPN users. Former employees. The safest exposed system is the one that no longer exists.
* **Decide who gets called when something breaks.** Not a twenty-page incident response plan nobody has read. A short list: who can shut off access, who can call the insurer, who can talk to customers, who can restore from backup.
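The checklist above as a script, added here as an example rather than code from the post or from shielda.ai. It walks an inventory of internet-facing services and reports the same things the list asks for: a version older than the vendor's fix, a port that should never face the internet, a login without MFA, no named person as owner, and things nobody has used in months. The "unpatched" comparison is also exactly what the mass scanner from the earlier section does from the outside, minus the exploit. Every hostname, product, version and advisory entry is invented so that the script runs offline, and the list of ports to never expose is an assumption about what a typical SMB has no business publishing.

```python
"""Attack-surface review over a constructed inventory.

Added example for this post; not shielda.ai's code. The hosts, products,
versions and the advisory table are invented so the script runs offline.
Replace SAMPLE_INVENTORY with the list you wrote down from DNS, cloud
consoles and firewall rules.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Service:
    host: str
    port: int
    product: str
    version: str
    owner: Optional[str] = None   # a person's name, not a team
    has_login: bool = False
    mfa: bool = False
    last_used_days: int = 0       # days since anyone actually needed it


# Hypothetical advisory feed: product -> first fixed version. Anything older
# is what tonight's scanner is fingerprinting for.
ADVISORIES = {"AcmeVPN": "9.1.5", "LegacyPanel": "2.3.0"}

# Assumption: ports a small company has almost no reason to expose directly.
NEVER_EXPOSE = {
    23: "Telnet", 445: "SMB", 3389: "RDP",
    3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Labels that mean "nobody" when they appear in the owner column.
NOT_A_PERSON = {"", "it", "ops", "everyone", "admin", "team"}


def version_key(v: str) -> tuple:
    """'9.1.2' -> (9, 1, 2); trailing letters are dropped so '9.1.2a' still compares."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def review_service(svc: Service, advisories=ADVISORIES) -> list:
    """Reasons this service belongs on a morning list, as (weight, text) pairs."""
    issues = []
    fixed = advisories.get(svc.product)
    if fixed and version_key(svc.version) < version_key(fixed):
        issues.append((3, f"unpatched {svc.product} {svc.version} (fixed in {fixed})"))
    if svc.port in NEVER_EXPOSE:
        issues.append((3, f"{NEVER_EXPOSE[svc.port]} exposed on port {svc.port}"))
    if svc.has_login and not svc.mfa:
        issues.append((2, "login without MFA"))
    if (svc.owner or "").strip().lower() in NOT_A_PERSON:
        issues.append((1, "no named owner"))
    if svc.last_used_days > 180:
        issues.append((1, f"unused for {svc.last_used_days} days: remove it"))
    return issues


def review(inventory: list) -> list:
    """Every exposed service with at least one finding, highest score first."""
    findings = []
    for svc in inventory:
        issues = review_service(svc)
        if issues:
            findings.append({
                "host": svc.host,
                "port": svc.port,
                "score": sum(w for w, _ in issues),
                "issues": [text for _, text in issues],
            })
    findings.sort(key=lambda f: -f["score"])
    return findings


# Constructed sample inventory (invented hosts, products and versions).
SAMPLE_INVENTORY = [
    Service("vpn.example.com", 443, "AcmeVPN", "9.1.2", owner="dana", has_login=True, mfa=True),
    Service("db.example.com", 5432, "PostgreSQL", "14.9", owner="IT", has_login=True),
    Service("old-admin.example.com", 8443, "LegacyPanel", "2.1.0", has_login=True, last_used_days=400),
    Service("www.example.com", 443, "nginx", "1.24.0", owner="sam"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_INVENTORY):
        print(f"{f['host']}:{f['port']} score={f['score']}")
        for text in f["issues"]:
            print(f"    - {text}")
```

Run it and the forgotten admin panel comes out on top: an old version a scanner can match, a login with no MFA, nobody who owns it, and no one who has used it in over a year. That is the row the attacker reaches first, and the one you can delete today.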

Or have someone do the boring work for you while you ship features.

Asset inventory, exposed-service review, MFA gaps, vendor advisories, patch priorities, backup checks — that is what we built [shielda.ai](https://shielda.ai) for.

## One last thing

For forty-three years, Number 16 sat at the bottom of a hole and waited.

The strategy was patience, scale, and a willingness to be boring. Most days nothing happened. Occasionally something did.

Somewhere on the internet right now, a scanner is finishing a sweep. Tomorrow morning, whoever launched it will check their list.

You do not need to be interesting to be on it.

You only need to be reachable.
