If you run a large, US-based non-health-care or -education company with revenue exceeding $100 million, then you will likely find yourself a victim of a ransomware attack.
These organizations are the most likely ransomware victims, according to a new report by cyber security firm Kela.
Kela searched dark web forums for hackers wanting to buy access to organizations. It found 48 active threads where hackers claimed they wanted to buy different kinds of accesses. Of those hackers, 40% were involved in ransomware in some way or another.
Victoria Kivilevich, a threat intelligence analyst at Kela, said ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding specific sectors and countries from the targets list.
One of the hackers’ most basic requirements was network access such as RDP and VPN. The most common products mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco, according to Kivilevich.
She said that, on average, the actors active in July 2021 wanted to buy access to US companies with revenues exceeding $100 million. Almost half of them refused to buy access to companies in health care and education.
She added that the US was the most popular choice of hackers regarding victim location, as 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%).
“Most of the advertisements included a call for multiple countries. The reason behind this geographical focus is that actors choose the wealthiest companies which are expected to be located in the biggest and the most developed countries,” she said.
The research found that the average minimum revenue ransomware attackers wanted was $100 million, but some stated the desired revenue depended on the location.
“For example, one of the actors described the following formula: revenue should be more than $5 million for US victims, more than $20 million for European victims, and more than $40 million for “the third world” countries,” said Kivilevich.
RELATED RESOURCE
Nine traits you need to succeed as a cyber security leader
What characteristics and certifications make a successful cyber security leader?
Almost half of ransomware-related threads included a blacklist of sectors, meaning the actors are not ready to buy access to companies from specific industries. 7% of ransomware attackers refused to buy access to companies from the health care and education industries. 37% prohibited compromising the government sector, and 26% claimed they would not purchase non-profit organizations access.
“When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much,” she said.
“Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement.”
Unsurprisingly, Russian-speaking countries are off-limits for ransomware hackers, the research found.
“The actors based in CIS suppose that if they will not target these countries, local authorities will not hunt them,” she said.
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
