Laura

20/08/2022

Are You Ransomware Attackers’ Ideal Victim?

In 2020, Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), warned that “ransomware is quickly becoming a national emergency.” Since then, things have only gotten worse. A recent survey of 800 IT decision-makers found that over 37% of organisations have been impacted by ransomware, a statistic that points to a doubling of the ransomware threat level since Wales’s warning. In 2022, this number is only going to increase. 

Numerous factors, from the rise of hybrid working and poorly secured cloud migrations to continued pandemic-related disruption, will put more organisations on the firing line for cyber attacks. On the other side of the cybercrime frontline, the number of ransomware-as-a-service (RaaS) operators who offer their ransomware strains to “affiliates” is surging. Since 2020, researchers have unearthed at least 130 different ransomware strains distributed through this model, and last year, RaaS groups perpetrated over 60% of ransomware attacks.

The target list for cybercriminals is also growing. From large financial institutions to overworked medical centres and struggling nonprofits, every kind of organisation is now on the menu for amoral hackers. In 2021 we saw this clearly with massive attacks on socially critical organisations like the Irish Health Service and the Colonial Pipeline. Yet as the ransomware threat grows further, not every organisation will be equally impacted. Like any business, ransomware has an “ideal customer.” For threat actors who invest countless hours in sourcing victims, probing networks, and exploiting breaches, return on investment (ROI) is vital. 

This blog uses a combination of first-person threat actor accounts and statistical evidence to help you figure out where your organisation sits on the threat actor ROI hitlist. 

Read on to learn more about the nine traits ideal ransomware victims share.

They’re (Mostly) Based in the US and Europe 

Judging by threat actor activity on the dark web, the vast majority of cybercriminals appear to be interested, above all, in attacking major companies located in the US.

That being said, while US-based companies are cybercriminals’ top choice, most threat actors don’t limit themselves to a particular geography. Instead, they look for victims in multiple countries. The reason why is simple economics. Although the US is home to potentially more profitable targets than anywhere else, extracting ransoms from organisations based there is comparatively more challenging than in other countries. With ROI top of mind, threat actors are starting to focus on less lucrative but less well-defended geographies. 

According to Aleks, an anonymous member of the LockBit ransomware group, who gave an interview to Dark Reading in 2021, EU-based organisations are becoming increasingly attractive to cybercriminals. To avoid penalties under the GDPR, organisations based in EU member states are, according to Aleks, willing to “pay quickly and quietly” — every cybercriminal’s dream. “A silent attack no one knew about is good for the company’s reputation and our income,” agreed LockBitSupp, a spokesman for cybercrime gang LockBit 2.0, in a Russian-language interview with the YouTube channel OSINT.

On the other hand, organisations based in former Soviet states appear to be relatively safe. A surprisingly large proportion of threat actors make it clear that they are not interested in targeting the Commonwealth of Independent States (a confederation of ex-Soviet states), including Russia, Belarus, Ukraine, and Georgia. This gives us a pretty good insight into where the typical cybercriminal might be based. For less ideological reasons, threat actors also appear to avoid countries deemed “poorer,” for example, India, Afghanistan, and Pakistan.

They Have at Least $100 Million in Annual Revenue 

For threat actors, what constitutes a “lucrative” victim can differ. However, the more profitable an organisation is, the more attractive it is as a target. In general, ransomware gangs say that they prefer to go after companies that make at least $100 million in annual revenue. 

The logic behind this strategy is straightforward. Multi-million and, even better, multi-billion dollar companies can afford to pay large ransoms; smaller businesses cannot. On the other hand, as noted by a Mount Locker ransomware operator in an interview with the French technology news site Zataz, targeting larger organisations does take “a lot more time and work.” Ultimately, this means that cybercriminals will go after smaller organisations as well, as long as the numbers add up.

It’s not difficult for a cybercriminal to figure out how much a company might be willing to pay. Publicly listed businesses are often legally required to disclose their financial statements. As for other organisations, cybercriminals can often find the financial data they need to set a ransom figure on the dark web.

By setting a ransom demand as a percentage of an organisation’s revenue (typically 0.1% to 0.5%), cybercriminals can calculate the likely return on ransomware (ROR) that their efforts might generate.

As the business side of the ransomware “industry” evolves, cybercriminals increasingly show price discrimination regarding ransom demands. The more profitable they think a business is, the less likely they will budge on their initial demands. 

They’re Insured Against Ransomware

Having cyber insurance in place appears to paint a bullseye on an organisation’s networks. 

Several cybercrime representatives have made it clear that they will go after companies that are insured against ransomware if at all possible. Why? Because they almost always pay. This makes insured companies, according to a REvil representative who spoke to Dmitry Smilyanets, a Russian-speaking intelligence analyst at The Record, “one of the tastiest morsels.”

Outlining how insurance also helps criminals find victims, the representative said that their favourite thing to do is “hack the insurers first — to get their customer base and work on in a targeted way from there. And after you go through the list, then hit the insurer themselves.” 

One of the reasons the US and the EU are among some of the most targeted regions for ransomware is that companies based there tend to take out cyber insurance. 

They’re in the Following Industries 

Research by NordLocker, which looked at 1,200 ransomware cases between 2020 and 2021, found construction to be the industry most affected by ransomware. It was followed closely by manufacturing, finance, healthcare, education, technology & IT, logistics and transportation, automotive, municipal services, and legal.

Outside of NordLocker’s findings, there’s another surprising sector particularly popular among threat actors: the agricultural industry. In 2021, there were multiple attacks on the food and agricultural sector, hitting organisations like the meat supplier JBS Foods (which paid an $11 million ransom), with the ransomware group BlackMatter appearing to be behind most of them. The FBI has since released a statement warning companies in this sector to be wary of the threat that ransomware poses and urging agricultural organisations to review their cybersecurity procedures.

The fact that attackers are going after critical infrastructure such as healthcare, education, and agricultural businesses is not surprising. They are, after all, easy targets. Still, this goes against some cybercriminals’ self-declared “moral code.” LockBitSupp, for example, claims that they do not attack any organisation “that contributes to the development of personality and sensible values from the ‘survival of the species’ perspective.” Yet later in the same interview, the cybercriminal admits that “Hospitals pay 80% to 90% of the time because they simply have no choice.”

Any ransomware group that refrains from shutting down a critical business may also have less altruistic motives for doing so. A representative of the BlackMatter ransomware group admitted that certain industries are off-limits to their affiliates not because they are necessary for the common good but because targeting them would attract unwanted attention to the group as a whole. 

Explaining how the public nature of the attacks on Colonial Pipeline and JBS led to the disappearance of REvil and DarkSide, the BlackMatter representative noted that the group researches each potential target to ensure that attacking it will not have any negative consequences on their business operations. Evidently, BlackMatter’s research skills were somewhat lacking. In November 2021, BlackMatter posted on its ransomware-as-a-service portal notifying its affiliates that they were closing their operations due to “unsolvable circumstances associated with pressure from the authorities.”

They Have a Remote or Hybrid Workforce

With over 90% of cyber attacks caused by human error, the lapse in security that comes with remote and hybrid work models has dramatically increased the risk organisations face from ransomware. 

Ransomware attacks now happen twice as often as they did in 2019, thanks, in large part, to remote and hybrid work models. 

However, it’s not just negligent remote employees who are to blame for this growing risk. Rather, employers continually fail to provide employees with hardened devices and rarely insist on secure access methods for applications. As a result, staff often connect to corporate networks with poorly secured personal devices, and password management falls consistently short. According to the cybercriminal LockBitSupp, this makes remote workers an easy target because personal computers are much easier to “infect with a virus and steal account information used to access the companies.”

Other stalwarts of remote and hybrid working, such as remote desktop protocol (RDP) vulnerabilities, are also responsible for the sharp rise in ransomware attacks. Cybercriminals frequently use information stealers to get their hands on remote access credentials, which can then provide an easy way into corporate networks. For example, in an interview with the YouTube channel OSINT, a representative of the REvil group recalled using outdated Pulse Secure and Citrix remote access software to compromise world-leading companies. 

They’re About to IPO or Are Involved in a Merger and Acquisition 

Despite COVID-19, in 2021, global markets soared, and more companies than ever chose to go public. The flurry of legal, technical, and organisational manoeuvring that comes with the shift from private to public ownership is a time of immense change for any organisation. A public share offering is also an excellent opportunity for cybercriminals to launch ransomware attacks. 

Recognising this fact, in November 2021, the FBI issued a report notifying companies that ransomware groups are targeting organisations based on their involvement in significant, time-sensitive financial events such as IPOs and mergers and acquisitions. 

When targeting publicly traded organisations, cybercriminals are often keen to leverage share price fluctuations to increase the likelihood of ransoms being paid, using the threat of stock price declines to aid their blackmail efforts. This is not a bad strategy. Research shows that ransomware attacks can indeed affect the price of a victimised company’s shares by as much as 30%.

As evidenced by leaked memos from the DarkSide cybercrime gang, threat actors are exploiting this fact further by indirectly taking short positions against their victims.

They Host Unpatched Vulnerabilities 

Remember the WannaCry ransomware attack? How about NotPetya? Or maybe the more recent Kaseya attack that affected around 1,500 organisations? All three had one thing in common: a known but unpatched vulnerability. 

As these examples illustrate, poor patch management can have devastating security consequences. Yet 71% of security IT professionals admit that they find patching too complex and time-consuming. Even now, four years after the WannaCry and NotPetya attacks happened, two-thirds of companies have yet to patch the vulnerabilities that caused them. Worryingly, WannaCry attacks are up by 53% since the start of 2021, with the new samples using the exact same EternalBlue exploit as before. 

Companies that wait to patch vulnerabilities are playing a dangerous game. Ransomware groups follow security news, such as the recent discovery of the Log4Shell vulnerability, to ensure that they don’t miss any opportunities to infect and blackmail organisations. 

Remarking on just how beneficial white-hat research can be to ransomware groups’ operations, cybercriminal Aleks, in the Dark Reading interview mentioned earlier, stated, “As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch.” In a separate interview, LockBitSupp agrees, noting that we can soon expect more attacks like the one on Kaseya. “Such attacks for sure will be carried out in the future since there is no flawless software. Vulnerabilities are endless and everywhere,” he said.

They Value Confidentiality

Ransomware no longer just allows threat actors to encrypt data but also to steal it. New techniques like double and triple extortion give criminals numerous avenues to blackmail their victims. In a highly publicised case, a hacker attempted to extort tens of thousands of Finnish psychotherapy patients after the private psychotherapy clinic they hacked failed to pay a ransom, ultimately collapsing the business.

For any organisation that wants to avoid publicity, the cybercriminal path to profit becomes even more direct. As a BlackMatter operator said, if a company wants to maintain confidentiality and there’s a risk of sensitive data being published, then they will more than likely pay the ransom demanded from them. 

Of course, there is no guarantee that the stolen data won’t be published on a leak site anyway. A 2021/2022 report by Group-IB found a 935% spike in the number of companies that had their stolen data made public. Groups like Sodinokibi, Netwalker, Maze, Conti, and Mespinoza have all either published stolen data after payment was made or demanded a second ransom to keep it off the web.

However, even though cybercriminals are increasingly looking to make off with data rather than just encrypt it, backups are still important. LockBitSupp notes that “the victims who are paying are the ones who do not make backups and poorly protect sensitive information, regardless of the industry.”

They Have Been Hit Before 

Lightning may not strike twice, but ransomware most definitely does. 

A recent study by Cybereason found that a whopping 80% of organisations that have previously paid a ransom also experienced a second attack. Of these, almost half believe that the subsequent attack was carried out by the same group that hacked them initially.

One of the reasons some organisations get attacked repeatedly is that they fail to secure their systems after falling victim in the first place. Cybercriminals often create backdoors that give them unfettered access to a company’s network long after the incident. Since these backdoors are frequently owned by affiliates, they tend to change hands when affiliates move on to different groups. In one instance, an IT security company reported a case where two separate ransomware groups attacked the same organisation almost simultaneously.

The Ideal Ransomware Victim Is the One That Pays 

Even if you have read through this ebook and determined that your organisation is not an ideal candidate for a targeted ransomware attack, you may still be in someone’s crosshairs.  

While some traits do make potential victims stand out, when it comes to ransomware attacks, there isn’t always a clear logic that determines who is and isn’t targeted. For example, although cybercriminals undoubtedly prefer to go after large companies, between 50% and 75% of victims are small to medium companies. Because ransomware itself is a business (with a fast-growing network of developers and affiliates), any organisation whose risk-to-reward ratio looks worth the effort to a threat actor is on the firing line, regardless of where they’re based, what industry they’re in, or what their security controls look like.

This means that against highly motivated ransomware attackers and developers, cybersecurity professionals need to be proactive in securing their networks, endpoints, and critical servers. Faced with a threat designed to shut down their entire organisation and with multiple ways to cause damage, no potential threat vector can be left unsecured.

By removing the need for multiple disparate tools and automating threat detection and analysis, SenseOn’s cyber defence platform gives cybersecurity teams back the capacity they need to combat ransomware. Giving organisations best-in-class visibility into their entire IT estate, SenseOn is designed to help you spot and stop ransomware attacks before they do any damage. Even if you are an ideal ransomware victim, SenseOn will make you indigestible to threat actors.
