Ransomware attackers are creating ‘industry standards’ and using them to define an ideal target for their campaigns.

The Ideal Target: Location, Revenue and Other Criteria

In July 2021, KELA discovered 48 discussion threads on dark web marketplaces. There, users claimed to be digital attackers looking to buy access into networks. The intelligence solutions provider found that actors connected with Ransomware-as-a-Service (RaaS) schemes, including operators, affiliates and middlemen, had created nearly two-fifths of the threads. From those discussion threads, KELA determined that ransomware actors look for certain criteria when looking to purchase accesses.

These factors include the following:

• Geography: Nearly half (47%) of the ransomware actors mentioned the United States as the desired location of their victims. Next on the list were Canada, Australia and European countries at 37%, 37% and 31%, each.
• Revenue: On average, ransomware attackers wanted their victims to be making a minimum of $100 million, though they sometimes specified different ransom amounts for different locations. Attackers said they wanted over $5 million for U.S. victims, for instance, while they specified a desired revenue of at least $40 million from “the third world” countries.
• Disallowed Sectors: Almost half (47%) of ransomware attackers said that they were unwilling to purchase access to companies involved in health care and schooling. Slightly fewer (37%) turned down targeting the government sector, whereas about a quarter of ransomware actors asserted that they wouldn’t purchase access to nonprofit groups.
• Disallowed Countries: Some attackers refused to target businesses or agencies located in Russian-speaking countries. They seem to have chosen this under the logic that local law enforcement there wouldn’t bother them if they didn’t attack the region. Others ruled out targeting South America as a region, as well as third-world countries. They believed they wouldn’t gain enough money from an attack there.

How These Criteria Stack up to Recent Ransomware Attacks

The findings discussed above are consistent with some of the ransomware attacks that made headlines earlier in 2021. Take the Colonial Pipeline attack as an example. With its headquarters based in Port Arthur, Texas, the Colonial Pipeline Company made $1.32 billion in revenue in 2020, according to Dun & Bradstreet. The company does not operate in one of the disallowed sectors discussed above. Instead, Colonial is a major critical infrastructure business in the United States. The FBI and other federal law enforcement agencies targeted the DarkSide RaaS gang after the attack because of attacks like this.

The Kaseya supply chain attack was another incident that accorded with the above criteria. The IT management software company maintains its headquarters in Miami, Florida. In addition, at the end of 2019, Kaseya’s value exceeded over $2 billion.

How to Defend Against Ransomware

KELA explained that businesses and agencies can defend themselves against ransomware attackers in three ways. First, they can use security awareness training to educate employees and the C-suite. This will teach them how to safeguard their data and how to help spot suspicious behavior in their employer’s systems. Second, they can use vulnerability management to monitor their systems for known weaknesses. From there, they can fix those flaws first. Lastly, they can use an updated asset inventory to monitor their devices and systems for suspicious behavior.