Ransomware attackers are creating ‘industry standards’ and using them to define an ideal target for their campaigns.

The Ideal Target: Location, Revenue and Other Criteria

In July 2021, KELA discovered 48 discussion threads on dark web marketplaces. There, users claimed to be digital attackers looking to buy access into networks. The intelligence solutions provider found that actors connected with Ransomware-as-a-Service (RaaS) schemes, including operators, affiliates and middlemen, had created nearly two-fifths of the threads. From those discussion threads, KELA determined that ransomware actors apply certain criteria when looking to purchase access.

These factors include the following:

  • Geography: Nearly half (47%) of the ransomware actors mentioned the United States as the desired location of their victims. Next on the list were Canada, Australia and European countries at 37%, 37% and 31%, respectively.
  • Revenue: On average, ransomware attackers wanted their victims to be making a minimum of $100 million, though they sometimes specified different ransom amounts for different locations. Attackers said they wanted over $5 million for U.S. victims, for instance, while they specified a desired revenue of at least $40 million from “the third world” countries.
  • Disallowed Sectors: Almost half (47%) of ransomware attackers said that they were unwilling to purchase access to companies involved in health care and schooling. Slightly fewer (37%) turned down targeting the government sector, whereas about a quarter of ransomware actors asserted that they wouldn’t purchase access to nonprofit groups.
  • Disallowed Countries: Some attackers refused to target businesses or agencies located in Russian-speaking countries. They seem to have chosen this under the logic that local law enforcement there wouldn’t bother them if they didn’t attack the region. Others ruled out targeting South America as a region, as well as third-world countries. They believed they wouldn’t gain enough money from an attack there.

How These Criteria Stack up to Recent Ransomware Attacks

The findings discussed above are consistent with some of the ransomware attacks that made headlines earlier in 2021. Take the Colonial Pipeline attack as an example. With its headquarters based in Port Arthur, Texas, the Colonial Pipeline Company made $1.32 billion in revenue in 2020, according to Dun & Bradstreet. The company does not operate in one of the disallowed sectors discussed above. Instead, Colonial is a major critical infrastructure business in the United States. It is because of attacks like this that the FBI and other federal law enforcement agencies targeted the DarkSide RaaS gang afterward.

The Kaseya supply chain attack was another incident that accorded with the above criteria. The IT management software company maintains its headquarters in Miami, Florida. In addition, at the end of 2019, Kaseya’s value exceeded $2 billion.

How to Defend Against Ransomware

KELA explained that businesses and agencies can defend themselves against ransomware attackers in three ways. First, they can use security awareness training to educate employees and the C-suite. This will teach them how to safeguard their data and how to help spot suspicious behavior in their employer’s systems. Second, they can use vulnerability management to monitor their systems for known weaknesses. From there, they can fix those flaws first. Lastly, they can use an updated asset inventory to monitor their devices and systems for suspicious behavior.
