Ransomware Gangs’ Pick – 3 Criteria When Choosing The Perfect Target

by | December 23, 2021 | Cybersecurity

Researchers painted the portrait of the perfect ransomware victim according to hackers. Keep reading to find out if your company is a match.

Recently, KELA researchers explored what the perfect target looks like to ransomware groups.

Initial Access Is Big Business

The cybersecurity firm published a report on listings made by threat actors in the underground, such as initial access requests. The findings revealed that many want to buy their way into the networks of US companies with a minimum revenue of $100 million.

Even big cybercriminal groups, such as Blackmatter and Lockbit, may purchase access – in the form of valid login credentials or knowledge of a flaw in an organization’s network. Cybercrooks are ready to pay up to $100,000 to get access to the desired company’s systems.

The preferred methods of access are Remote Desktop Protocol (RDP) and Virtual Private-Network (VPN)-based access.

“For suitable victims, ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. Among wanted products (enabling network access) they listed Citrix, Palo Alto Networks (specifically GlobalProtect VPN), VMware (specifically ESXi), Fortinet, and Cisco. As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical,” the report said.

An actor associated with the Nefilim ransomware operation looks for various types of access. Credit: KELA

Ransomware Gangs Prefer US-Based Companies

KELA’s discoveries are based on observations of underground forums during July and point out that malicious actors’ first choice is major US organizations, followed by Canadian, Australian, and European targets. These are the geographical regions considered wealthy, so the payout is expected to be significant.

“The majority of requests mentioned the desired location of victims, with the US being the most popular choice – 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries. The reason behind this geographical focus is that actors choose the most wealthy companies which are expected to be located in the biggest and the most developed countries,” the report wrote.

“As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical.”

Ransomware gangs' first option is US-based companies.
Credit: KELA

Interestingly, Russian targets are rejected almost every time, while others are considered ‘unwanted,’ especially those in developing countries.

Ransomware Operators Avoiding Healthcare And Education

Around 50% of threat groups will deny offers for access into institutions in the healthcare and education sectors, no matter the geographical location. Sometimes, government organizations and ONG’s are off-limits.

BlackMatter ransomware gang is looking for Initial Access Brokers both on forums and via Jabber. Credit: KELA

KELA’s research team also discovered offerings for e-commerce panels, unsecured databases, and Microsoft Exchange servers.

How Can You Protect Your Business?

The cybersecurity firm also offered valuable advice on how to avoid falling victim to a ransomware attack, with security awareness training making it to the top of the list.

  1. Security awareness training for all key stakeholders and employees to ensure that key individuals know how to safely use their credentials and personal information online. This cyber training should include specifying how to identify suspicious activities, such as possible scam emails, or unusual requests from unauthorized individuals or email addresses.
  2. Regular vulnerability monitoring and patching to continually protect their entire network infrastructure and prevent any unauthorized access by Initial Access Brokers or other network intruders.
  3. Targeted and automated monitoring of key assets to immediately detect threats emerging from the cybercrime underground ecosystem. Constant automated and scalable monitoring of an organization’s assets could significantly improve maintaining a reduced attack surface, ultimately helping organizations thwart possible attempts of cyberattacks against them.

Most ransomware attacks have one thing in common: their infectious vector – phishing emails.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

Put your employees to the test with our free security awareness training trial and find out where you stand against a phishing attack!


KELA The Ideal Ransomware Victim: What Attackers Are Looking For


Photo by Ricardo Arce on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.