Large US businesses are hackers' ideal ransomware targets
Research into dark web ads finds organizations in English-speaking countries are top targets


If you run a large US-based company with revenue exceeding $100 million, and it is not in the health care or education sectors, you will likely find yourself a victim of a ransomware attack.
These organizations are the most likely ransomware victims, according to a new report by cyber security firm Kela.
Kela searched dark web forums for hackers wanting to buy access to organizations. It found 48 active threads where hackers claimed they wanted to buy different kinds of access. Of those hackers, 40% were involved in ransomware in some way or another.
Victoria Kivilevich, a threat intelligence analyst at Kela, said ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding specific sectors and countries from the targets list.
One of the hackers’ most basic requirements was network access such as RDP and VPN. The most common products mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco, according to Kivilevich.
She said that, on average, the actors active in July 2021 wanted to buy access to US companies with revenues exceeding $100 million. Almost half of them refused to buy access to companies in health care and education.
She added that the US was the most popular choice of hackers regarding victim location, as 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%).
“Most of the advertisements included a call for multiple countries. The reason behind this geographical focus is that actors choose the wealthiest companies which are expected to be located in the biggest and the most developed countries,” she said.
The research found that the average minimum revenue ransomware attackers wanted was $100 million, but some stated the desired revenue depended on the location.
“For example, one of the actors described the following formula: revenue should be more than $5 million for US victims, more than $20 million for European victims, and more than $40 million for ‘the third world’ countries,” said Kivilevich.
Almost half of ransomware-related threads included a blacklist of sectors, meaning the actors are not ready to buy access to companies from specific industries. 7% of ransomware attackers refused to buy access to companies from the health care and education industries. 37% prohibited compromising the government sector, and 26% claimed they would not purchase access to non-profit organizations.
“When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much,” she said.
“Finally, when actors refuse to target government companies, it is a precautionary measure and an attempt to avoid unwanted attention from law enforcement.”
Unsurprisingly, Russian-speaking countries are off-limits for ransomware hackers, the research found.
“The actors based in CIS suppose that if they will not target these countries, local authorities will not hunt them,” she said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.