December 16, 2021 By David Bisson 2 min read

Ransomware attackers are creating ‘industry standards’ and using them to define an ideal target for their campaigns.

The Ideal Target: Location, Revenue and Other Criteria

In July 2021, KELA discovered 48 discussion threads on dark web marketplaces. There, users claimed to be digital attackers looking to buy access into networks. The intelligence solutions provider found that actors connected with Ransomware-as-a-Service (RaaS) schemes, including operators, affiliates and middlemen, had created nearly two-fifths of the threads. From those discussion threads, KELA determined that ransomware actors look for certain criteria when looking to purchase accesses.

These factors include the following:

  • Geography: Nearly half (47%) of the ransomware actors mentioned the United States as the desired location of their victims. Next on the list were Canada, Australia and European countries at 37%, 37% and 31%, each.
  • Revenue: On average, ransomware attackers wanted their victims to be making a minimum of $100 million, though they sometimes specified different ransom amounts for different locations. Attackers said they wanted over $5 million for U.S. victims, for instance, while they specified a desired revenue of at least $40 million from “the third world” countries.
  • Disallowed Sectors: Almost half (47%) of ransomware attackers said that they were unwilling to purchase access to companies involved in health care and schooling. Slightly fewer (37%) turned down targeting the government sector, whereas about a quarter of ransomware actors asserted that they wouldn’t purchase access to nonprofit groups.
  • Disallowed Countries: Some attackers refused to target businesses or agencies located in Russian-speaking countries. They seem to have chosen this under the logic that local law enforcement there wouldn’t bother them if they didn’t attack the region. Others ruled out targeting South America as a region, as well as third-world countries. They believed they wouldn’t gain enough money from an attack there.

How These Criteria Stack up to Recent Ransomware Attacks

The findings discussed above are consistent with some of the ransomware attacks that made headlines earlier in 2021. Take the Colonial Pipeline attack as an example. With its headquarters based in Port Arthur, Texas, the Colonial Pipeline Company made $1.32 billion in revenue in 2020, according to Dun & Bradstreet. The company does not operate in one of the disallowed sectors discussed above. Instead, Colonial is a major critical infrastructure business in the United States. The FBI and other federal law enforcement agencies targeted the DarkSide RaaS gang after the attack because of attacks like this.

The Kaseya supply chain attack was another incident that accorded with the above criteria. The IT management software company maintains its headquarters in Miami, Florida. In addition, at the end of 2019, Kaseya’s value exceeded over $2 billion.

How to Defend Against Ransomware

KELA explained that businesses and agencies can defend themselves against ransomware attackers in three ways. First, they can use security awareness training to educate employees and the C-suite. This will teach them how to safeguard their data and how to help spot suspicious behavior in their employer’s systems. Second, they can use vulnerability management to monitor their systems for known weaknesses. From there, they can fix those flaws first. Lastly, they can use an updated asset inventory to monitor their devices and systems for suspicious behavior.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today