Ransomware-as-a-Service and Why Small Agencies Are Now Targets
A 30-truck EMS service in the Midwest got hit with ransomware on a Tuesday morning. The attack encrypted their ePCR server, their CAD database, and the file share where they kept billing records. They had backups, but the backups were on the same network and got encrypted too. By Wednesday they were running paper triage tags and handwriting PCRs. By Friday the chief was on the phone with a lawyer asking whether they could legally take out a loan to pay the ransom.
Nobody stole from them because they were rich. They got hit because they were reachable.
How Ransomware as a Service Targets Small EMS Agencies
Ransomware-as-a-Service changed the economics of cybercrime. Before RaaS, running a ransomware operation required writing your own encryption code, building a command-and-control infrastructure, setting up payment portals, and managing a leak site. That is a lot of work. It limited the pool of attackers to people who could actually build software.
RaaS flipped that model by turning ransomware into a subscription service. A developer writes the code once and rents it out to affiliates who handle the intrusion part. The affiliate finds a way in, deploys the ransomware, and splits the proceeds with the operator. The affiliate does not need to know how to code, just how to get a foothold in a network.
This is a volume business, which means affiliates are not picking targets based on how much money they have in the bank. They pick targets based on how easy they are to hit and how badly the target needs their data back. A small EMS agency is a good target on both counts. The ePCR system is critical to operations. If it goes down, the agency cannot bill, cannot document, and in some cases cannot legally transport. The pressure to pay is enormous.
The agency also has a thin IT surface. Maybe one part-time IT person or a shared county resource. Legacy Windows servers. Remote desktop exposed to the internet because the ePCR vendor said it needed to be. No MFA on the VPN. The attacker does not need to be sophisticated. They just need to find the one open door.
The Difference Between RaaS and Traditional Ransomware
Traditional ransomware was usually a single attacker or a small group writing their own code. The infection was often opportunistic. A malicious email attachment, a drive-by download, and the machine gets locked. The attacker might not even know who they hit until the ransom note comes back.
RaaS is structured. The operator provides the platform and the affiliate provides the access. The operator takes a cut, usually 20 to 30 percent, and the affiliate keeps the rest. This creates an incentive for affiliates to be aggressive. They are paid for volume, not quality.
The operational difference matters for defenders. Traditional ransomware often used custom malware that antivirus could catch if the signatures were updated. RaaS affiliates tend to use living-off-the-land techniques. PowerShell and PsExec and other remote management tools that already exist on the network are their primary instruments. They do not need to drop a custom binary. The tools the IT staff left behind are all they need.
Initial Access Brokers Explained for Non-Technical Managers
There is a market for network access. It works like this: a specialist finds a vulnerability in a target network. Maybe it is an unpatched VPN appliance, a weak password on a remote desktop port, or a phishing campaign that got them a set of credentials. Once they have a foothold, they do not deploy ransomware themselves. They sell the access to the highest bidder on a dark web forum.
These are called Initial Access Brokers. They are the middlemen of the ransomware economy. They do the reconnaissance and the initial compromise, then cash out and move on. The buyer is a RaaS affiliate who takes over from there.
This matters because it means your network can be compromised for weeks or months before anything happens. The broker holds the access, markets it, negotiates the sale, and transfers it. The affiliate then deploys the ransomware on their own timeline. If you find the broker's initial foothold and close it, you might never see the ransomware at all. But if you never look, you will not know the access was sold until the encryption starts.
Best Ransomware Protections for Small Public Safety Organizations
Most small agencies do not have a security budget. They have an operations budget and a vehicle budget and a supplies budget, and security is whatever is left over. That is the reality. But there are four controls that give disproportionate return for the effort.
1. Multi-Factor Authentication on Everything
MFA stops the most common initial access methods cold. Password spraying, credential stuffing, and most phishing attacks are useless if the attacker cannot get past the second factor. Prioritize VPN access and email and any cloud-based clinical tools. If your ePCR vendor offers MFA, turn it on. If they do not, ask them when they will. This is part of the broader vendor risk picture covered in The Vendor Subprocessor Problem.
2. Immutable Offline Backups
Ransomware affiliates know to look for backup servers and will try to encrypt or delete them before they trigger the main payload. If your backups are on the same network as your production servers, they are not backups. They are a second target. Immutable backups, or physically disconnected backups, are the only way to guarantee you can restore without paying. The 3-2-1 rule still applies: three copies, two different media, one offsite.
3. Endpoint Detection and Response
Traditional antivirus looks for known malware signatures. RaaS affiliates do not use known malware. They use legitimate tools that antivirus does not flag. EDR looks for behavior patterns instead of file signatures. It catches the PowerShell script that should not be running on the dispatch workstation. For small agencies that cannot staff a 24/7 security operations center, a managed detection and response service is the practical option.
4. Network Segmentation
If the receptionist's computer and the ePCR server are on the same flat network, an affiliate who phishes the receptionist owns the ePCR server. Segmentation means putting the clinical systems on their own VLAN with firewall rules that deny everything by default. The blast radius shrinks. The attacker has to work harder to move laterally, and that extra work is often enough to make them move on to the next target.
How to Protect ePCR Systems from Ransomware
ePCR systems are the single most critical application in most EMS agencies. They hold patient data, drive billing, and in many states are legally required for each transport. Losing the ePCR system is not an IT problem. It is an operational problem.
Start by knowing where the ePCR data lives and who is responsible for it. Is it on a local server in the station or in a vendor-hosted cloud? If it is local, the agency owns the full responsibility for patching and backup and access control. If it is cloud-hosted, the vendor owns the infrastructure, but the agency still owns the credential management and the network path.
Either way, the ePCR system should be in its own network segment. It should require MFA for any administrative access. It should have immutable backups that are tested regularly. And the vendor should have a documented incident response plan that includes what happens if their infrastructure is the one that gets hit.
Frequently Asked Questions
If we are a small agency with only a few trucks, why would a global crime group target us?
RaaS affiliates do not target based on wealth. They target based on reachability and criticality. Your agency cannot operate without its dispatch and billing systems. That gives attackers operational pressure against you, regardless of your budget. The affiliate does not care how much money you have. They care how much pressure you will feel when the screens go dark.
We have an antivirus program. Is that enough to stop ransomware?
No. Modern RaaS affiliates use living-off-the-land techniques. They run PowerShell scripts and use remote administration tools that already exist on your network. Antivirus looks for bad files. EDR looks for bad behavior. If you only have antivirus, the affiliate can operate inside your network for days without triggering an alert.
What is an Initial Access Broker and why should I care?
An Initial Access Broker is someone who finds a vulnerability in your network and sells that access to the highest bidder. Your network could be compromised for weeks before a ransomware affiliate buys the access and triggers the encryption. If you are not monitoring for the initial foothold, you will not know the access was sold until it is too late. This is the same pattern discussed in Account Takeover Through Password Reuse.
If we have backups, can we just ignore the ransom and restore?
The short answer is only if those backups are immutable or physically disconnected. Modern ransomware hunts for backup servers and encrypts or deletes them before triggering the main payload. If your backups are on the same network as your production servers, they are compromised too. Test your restore process. A backup you have never restored is a hope, not a plan.
---
The agency I mentioned at the start got lucky. A mutual-aid partner had an offline backup appliance they could borrow, and they rebuilt from a tape that had been rotated out the night before the attack. It took two weeks. They lost the billing data from the day of the attack and the day before. But they did not pay the ransom.
That is the goal. Not to be unhittable. To be hard enough to hit that the affiliate moves on to someone easier.
-- Steven
Need help with your agency’s cybersecurity? Get in touch