Security experts recently investigated offers made by ransomware actors to buy network accesses on the darknet, shedding light on the criteria cyber criminals use when selecting target companies to blackmail with their maliciously encrypted data.
Security intelligence company KELA examined a total of 48 forum contributions from July 2021. The “want ads” had been placed by various ransomware actors and were addressed to Initial Access Brokers (IAB), who provide initial network accesses. These IABs are actually hackers who focus all their efforts on penetrating company networks using methods such as brute force password attacks, exploits, and phishing. The access details are then sold to the highest bidding cybercriminals, who use it to smuggle malware onto the company network.
Almost 40 percent of the darknet threads KELA investigated originated from actors identified as active participants in ransomware gangs. In one case, the ransomware gang known as “BlackMatter” was especially looking for access to targets in the USA, Canada, Australia, and the UK with an annual turnover of at least US$100 million and 500 to 15,000 hosts. The ransomware gang was willing to pay between US$3,000 and US$100,000 for each network access.
Europe also a popular target
Based on around 20 requests investigated by KELA, the security experts identified various criteria according to which ransomware blackmailers select their targets. These include:
- Geography: Ransomware attackers prefer victims located in the USA, Canada, Australia and Europe. In the majority of requests, the desired location of targets was explicitly mentioned. The most popular location was the USA (47 percent, followed by Canada and Australia with 37 percent each and European countries (31 percent). In most cases, multiple countries were on the wish list. According to KELA, the reason for this geographic focus is the assumption that victims in the biggest and most developed countries will be wealthier and thus able to pay more.
- Revenue: On average, the ransomware attackers are aiming for companies with an annual revenue of at least US$100 million. In some cases, this figure varied depending on the country the target company is located in. In one concrete case, for instance, the attackers requested US companies with annual revenue of at least US$5 million, European victims with at least US$20 million and companies in “third world countries” with at least US$40 million.
- Blacklist of sectors: Even prior to the attacks on Colonial Pipeline and the meat processing company JBS, most ransomware cybercriminals kept their hands off the healthcare sector. Following those incidents, they also became more careful and selective with some other sectors. In the threads examined by KELA, 47 percent of the attackers expressly excluded the healthcare and education sectors (47 percent in each case), while 37 percent consciously avoided the public sector and 26 percentstated they would not purchase access to non-profit organizations. As far as healthcare and non-profits are concerned, KELA assumes that moral considerations are the primary reason for the attackers’ reluctance. Less so with the education sector, where attackers likely presume the victims would be unable to pay expensive ransom..
- Blacklist of countries: Most ransomware criminals stay away from many countries in the Commonwealth of Independent States (CIS), as they suppose that in return for not targeting these countries, local authorities will tolerate their activities. In addition to Russia, this also applies to Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan and Uzbekistan.
The bad news is that even if your company does not meet the average victim criteria, it still doesn’t mean that you are invulnerable. According to KELA, there is whole raft of ransomware gangs – such as Dharma, STOP and Globe – which are considerably less picky. As a company, one should thus avoid falling into any false sense of security and rather take steps to ensure maximum protection from all manner of cyber threats.
When it comes to ransomware, for example, it’s essential to have anti-phishing protection for email accounts, something that is included in Retarus’ modular Secure Email Platform – also to complement cloud office software like Microsoft 365 or Google Workspace. We invite you to use our free Anti-Phishing Guide in five languages to sensitize your users about this tricky topic. Find out more about this topic on our website or directly from your local Retarus representative.
