December 16, 2021 By David Bisson 2 min read

Ransomware attackers are creating ‘industry standards’ and using them to define an ideal target for their campaigns.

The Ideal Target: Location, Revenue and Other Criteria

In July 2021, KELA discovered 48 discussion threads on dark web marketplaces. There, users claimed to be digital attackers looking to buy access into networks. The intelligence solutions provider found that actors connected with Ransomware-as-a-Service (RaaS) schemes, including operators, affiliates and middlemen, had created nearly two-fifths of the threads. From those discussion threads, KELA determined that ransomware actors look for certain criteria when looking to purchase accesses.

These factors include the following:

  • Geography: Nearly half (47%) of the ransomware actors mentioned the United States as the desired location of their victims. Next on the list were Canada, Australia and European countries at 37%, 37% and 31%, each.
  • Revenue: On average, ransomware attackers wanted their victims to be making a minimum of $100 million, though they sometimes specified different ransom amounts for different locations. Attackers said they wanted over $5 million for U.S. victims, for instance, while they specified a desired revenue of at least $40 million from “the third world” countries.
  • Disallowed Sectors: Almost half (47%) of ransomware attackers said that they were unwilling to purchase access to companies involved in health care and schooling. Slightly fewer (37%) turned down targeting the government sector, whereas about a quarter of ransomware actors asserted that they wouldn’t purchase access to nonprofit groups.
  • Disallowed Countries: Some attackers refused to target businesses or agencies located in Russian-speaking countries. They seem to have chosen this under the logic that local law enforcement there wouldn’t bother them if they didn’t attack the region. Others ruled out targeting South America as a region, as well as third-world countries. They believed they wouldn’t gain enough money from an attack there.

How These Criteria Stack up to Recent Ransomware Attacks

The findings discussed above are consistent with some of the ransomware attacks that made headlines earlier in 2021. Take the Colonial Pipeline attack as an example. With its headquarters based in Port Arthur, Texas, the Colonial Pipeline Company made $1.32 billion in revenue in 2020, according to Dun & Bradstreet. The company does not operate in one of the disallowed sectors discussed above. Instead, Colonial is a major critical infrastructure business in the United States. The FBI and other federal law enforcement agencies targeted the DarkSide RaaS gang after the attack because of attacks like this.

The Kaseya supply chain attack was another incident that accorded with the above criteria. The IT management software company maintains its headquarters in Miami, Florida. In addition, at the end of 2019, Kaseya’s value exceeded over $2 billion.

How to Defend Against Ransomware

KELA explained that businesses and agencies can defend themselves against ransomware attackers in three ways. First, they can use security awareness training to educate employees and the C-suite. This will teach them how to safeguard their data and how to help spot suspicious behavior in their employer’s systems. Second, they can use vulnerability management to monitor their systems for known weaknesses. From there, they can fix those flaws first. Lastly, they can use an updated asset inventory to monitor their devices and systems for suspicious behavior.

More from News

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Should there be a total ban on ransomware payments?

3 min read - The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after…

5 takeaways from the White House cybersecurity workforce discussion

3 min read - The Office of the National Cyber Director (ONCD) recently hosted a 3-hour discussion on creating a strong cybersecurity workforce; the results are enlightening. The session involved representatives from more than 30 public and private organizations spanning 12 industries. The ONCD advises the United States President on cybersecurity policy and strategy. Its mission is to advance national security, economic prosperity and technological innovation through cybersecurity policy leadership. “In our increasingly digital world, where cyber threats are growing more frequent and more…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today