According to a new report, the ideal ransomware victim is in a lucrative commercial market in a wealthy country that uses remote desktop protocol or a VPN.
Cybersecurity firm KELA’s report cited activity from July 2021 that indicated ransomware attackers prefer organizations in specific geographies and markets, and prefer very specific products for initial network access.
Specifically, organizations in the U.S. with revenue of ore than $100 million are the most sought-after targets, according to KELA’s report.
Those products most ransomware actors prefer to leverage in an attack, according to KELA’s report, include solutions offered by Citrix, Palo Alto Networks (specifically GlobalProtectVPN), VMware (EXSi), Fortinet and Cisco.
“For suitable victims, ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement,” KELA said in the report.
Most attackers say the level of privileges accessed does not matter, but some did say they prefer domain admin rights.
Ransomware actors have been known to attack nearly every sector, but KELA’s report suggests they try to avoid some due a moral code.
Listen: The Growing Threat of Ransomware
Based on hacking message boards, education, healthcare, government and nonprofit are the most blacklisted sectors for ransomware actors, with 47% refusing to buy access to companies from healthcare and education.
Another 37% prohibited attacking the government sector and 26% said they will not purchase access to non-profit organizations.
“When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors,” the report said. “When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much. Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement.”
KELA also found that ransomware actors like to target companies based in the U.S. the most, with 47% of actors mentioning the country. Other top counties are Canada (37%), Australia (37%) and European countries (31%).
Not surprisingly, Russia and other Russian-speaking countries are also blacklisted. Most experts believe most ransomware activity originates from Russia or other post-Soviet countries.
KELA’s report includes three key steps to help protect against ransomware attacks, including:
- Cybersecurity awareness and training for everyone in the organization so everyone can spot suspicious activity, phishing emails or unusual requests.
- Regular vulnerability monitoring and patching to protect the entire network infrastructure and prevent unauthorized access.
- Targeted and automated monitoring of key assets to detect threats.