Know What Criteria Ransomware Groups Use to Target Organizations

Ransomware groups often purchase access to a victim’s network on dark web marketplaces and from other threat actors. Examining their want ads gives an inside look at the types of organizations these adversaries are targeting.

When running a cyberattack, ransomware groups must first gain access to a corporate network to deploy their ransomware. With the enormous profits being made in attacks, instead of researching targets themselves, ransomware groups are commonly purchasing initial access to high-value targets through initial access brokers (IABs).

IABs are other threat actors who breach a network, whether through brute-forcing credentials, exploits, or phishing operations, and then sell that access to other cybercriminals. After analyzing ransomware gangs’ “want ads,” cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.

Targeting Some Organizations

KELA examined 48 forum posts created in July in which threat actors were seeking to purchase access to a network. The investigators state that 40% of these ads were created by people working with ransomware groups. These want ads list the requirements the ransomware actors are looking for in a company, such as the country where it is located and the industry it is in, as well as how much the actors are willing to spend.

For example, in a want ad from the BlackMatter ransomware group, the attackers are looking for targets specifically in the USA, Australia, Canada, and Great Britain with revenue of around $100 million or more. For this access, they are willing to pay $3,000 to $100,000, as shown in the want ad below.

[Image: the ransomware group’s want ad]

The characteristics below come from examining the want ads in close to twenty posts created by threat actors related to ransomware gangs.

What Characteristics Are Being Targeted?

  • Geography: Ransomware gangs prefer victims located in the USA, Canada, Australia, and Europe.
  • “The majority of requests mentioned the desired location of victims, with the US being the most popular choice – 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries,” said KELA’s report.
  • “The reason behind this geographical focus is that actors choose the wealthiest companies which are expected to be located in the biggest and the most developed countries.”
  • Revenue: KELA states that the average minimum revenue desired by ransomware gangs is $100 million. However, this can differ depending on the geographic location of the victim.
  • “For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for ‘the third world’ countries,” explained KELA.
  • Blacklist of sectors: While some gangs said they avoided healthcare, they were less picky about other industries of the companies they encrypt. However, after the Colonial Pipeline, Metropolitan Police Department, and JBS attacks, many ransomware gangs began avoiding specific sectors.
  • “47% of ransomware attackers refused to buy access to companies from the healthcare and education industries. 37% prohibited compromising the government sector, while 26% claimed they will not purchase access related to non-profit organizations.”
  • “When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much.” Finally, when actors refuse to target government entities, it is a precautionary measure and an attempt to avoid unwanted attention from law enforcement.
  • Blacklist of countries: Most large ransomware operations specifically avoid attacking companies located in the Commonwealth of Independent States (CIS), as they believe that if they don’t target those countries, the local authorities will not target them. These blacklisted countries include Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan.

Unfortunately, even if a company does not meet the above criteria, it does not mean that it is safe. Many ransomware gangs, such as Dharma, STOP, Globe, and others, are less picky, and you can still wind up being targeted by a ransomware operation. Furthermore, even though these gangs prefer victims with these characteristics, it does not necessarily mean they won’t breach a network independently.

Our experts have commonly seen ransomware gangs, such as DarkSide, REvil, BlackMatter, and LockBit, target smaller companies and demand much smaller ransoms.
