Researchers have created a profile of the perfect victim for today’s ransomware groups.
KELA research group has analyzed listings made by ransomware operators on underground forums. According to the company’s report, many ransomware operators are trying to get into networks of US companies with a minimum annual revenue of over $100 million.
When it comes to the cost of a successful attack, many actors are willing to pay up to $100,000 for initial access. Considering that a successful ransomware campaign can bring millions of dollars, this cost is trivial compared to the time it would take for a gang to penetrate targets themselves. Among such groups are Blackmatter and Lockbit, researchers said.
Attackers are usually seeking out large US firms, but Canadian, Australian, and European targets are also considered.
According to researchers, the criminals are targeting various industries such as financial services and healthcare. However, most ransomware operators will not try to hit organizations in education, healthcare, and other critical sectors. They will also forgo victims in Russia, as well as those in developing countries.
To get access to the networks of these companies, attackers use various ways. Some of the more popular include the remote desktop protocol (RDP) and virtual private network (VPN). And they prefer products developed by such companies, as Citrix, Palo Alto Networks, VMWare, Cisco, and Fortinet.
Some attackers prefer domain admin rights, while others said they would prefer to have access to e-commerce panels or databases. These are typically more appealing to criminals who are looking to implant spyware and cryptocurrency miners.
According to researchers, about 40% of listings were created by Ransomware-as-a-Service (RaaS) operators.
According to KELA, the demand for negotiators has increased in the ransomware space. This is because operators are trying to improve the negotiation process by securing team members who can effectively speak English.