With the cloud becoming the primary means of accessing a growing number of software offerings, it seems like every application is migrating to an “as-a-service” delivery model these days. So it should come as no surprise that ransomware has jumped onto the cloud bandwagon.

Meet ransomware-as-a-service (RaaS), a pre-packaged, easy-to-deploy means of locking up data networks then extorting their owners for payment — usually in the form of Bitcoin or other type of cryptocurrency — to unlock them.

Like the most popular forms of managed services, RaaS might include round-the-clock tech support and user forums dedicated to getting the most out of the application. Buyers can acquire the “solution” in a number of ways, including by monthly subscription, one-time license fees or profit sharing with the software provider. However it might be supplied, RaaS has a common goal: to inflict digital mayhem and rake in huge profits in the process. It’s a major reason why ransomware revenues soared to an estimated $20 billion in the U.S. last year, according to Cybersecurity Ventures.

Reportedly available on the dark web since around 2016, RaaS has ramped up quickly since then as a means of propagating ransomware. The global supply chain, made up of multiple independent partners of all sizes and degrees of technological sophistication, is especially vulnerable to attack. Big manufacturers, distributors and retailers might think themselves safe, having spent millions on tight security measures within their own houses, but the smallest and most inconsequential supplier can serve as a doorway to a wealth of sensitive data about customers and operations. By some estimates, two-thirds of all cyber attacks are currently coming through the supply chain.

Mobile devices, which have exploded in number and applications over the past decade, are popular vectors for infection. “Say a subcontractor of a developer is coming in to build an API-based software extension for a client,” says Padmini Ranganathan, global vice president of product strategy with SAP Procurement. “How do you know their code is secure? Or that they’re protecting the devices they’ve using?”

Networks need to be equally vigilant in protecting embedded systems within the cloud, Ranganathan says. And while cloud technology isn’t an automatic security threat, it raises risk levels with the proliferation of devices linked to the internet of things. Companies need to respond by carrying out stringent audits of all devices and systems that have access to their data, both externally and internally, he says.

With RaaS making it easier for cyber criminals to hold networks for ransom, one would think that private companies and government agencies would be taking special care to protect their data. The rash of ransomware attacks in recent years suggests that this isn’t the case. In 2021 alone, victims have included an oil pipeline, meatpacker, chemical distributor, auto manufacturer, even a ferry service on Martha’s Vineyard. There seems to be no pattern regarding the entity being hit — only that they all proved vulnerable to a form of attack that has become alarmingly easy to stage.

Smaller vendors — or big ones, for that matter — might argue that they lack the resources to invest in cybersecurity. Ranganathan suggests that they aren’t viewing the problem with the proper frame of mind. To be sure, proper security measures can be expensive to acquire, and serve as a temporary drag on the balance sheet. But what’s the cost of recovering from a cyber attack — especially a ransom demand that might run into the millions of dollars? Or the fallout from losing customers who are furious that their sensitive personal data was compromised due to neglect by a retailer or service provider? “We underestimate the concept of value at risk,” says Ranganathan.

One important aspect of cybersecurity doesn’t necessarily cost more. It’s awareness and diligence on the part of employees about the threat of breaches through any number of systems and devices. Nothing should be trusted at the outset; often a successful attack can be chalked up to human carelessness, not vulnerabilities in the technology.

Hackers’ techniques, of course, keep evolving. Today’s ransomware attack is likely to take on a whole new form in the years ahead. Technology will strive to keep pace with the ever-changing threat, but constant vigilance on the part of systems designers and even the most casual users is key.

Companies need to pay the same attention to system security as they do the more dazzling world of sales, marketing and new-product development. Says Ranganathan: “We can’t take our eyes off architectural hygiene in the name of rapid innovation.”