The Ideal Ransomware Victim: What Attackers Are Looking For

Victoria Kivilevich, Threat Intelligence Analyst

In July 2021, KELA observed threat actors creating multiple threads where they claimed they are ready to buy accesses and described their conditions. Some of them appear to use access for deploying info-stealing malware and carrying out other malicious activities. Others aim to plant ransomware and steal data. KELA explored what is valuable for threat actors buying accesses, especially ransomware attackers, and built a profile of an ideal ransomware victim.

Bottom line up front:

  • In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
  • 40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.
  • Ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding certain sectors and countries from the targets list. On average, the actors active in July 2021 aimed to buy access to US companies with revenue of more than 100 million USD. Almost half of them refused to buy access to companies from the healthcare and education industries.
  • Ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. The most common products (enabling network access) mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.
  • Ransomware attackers are ready to pay for access up to 100,000 USD, with most actors setting the boundaries at half of that price – 56,250 USD.
  • The similarities between ransomware-related actors’ requirements for victims and access listings and conditions for IABs illustrate that RaaS operations act just like corporate enterprises.