Has more than $100m in revenue. Not in education, healthcare, government or not-profit sectors. Uses VPNs or remote access tools. Is preferably based in the US, but could also easily be in Australia, Canada or Europe.
This is the profile of the perfect ransomware victim, according to one cyber security intelligence firm.
Cybersecurity intelligence firm KELA spent some time watching cyber criminals chat amongst themselves about the kind of “access” – or entry point into a victim network – they wanted to buy from other hackers.
Almost half of them were involved in the ransomware business, with the remainder more interested in information stealing, cryptocurrency mining, and spam and phishing.
All, however, were keen to find someone else who’d already done the hard work of infiltrating an organisation for them.
They were happy to pay up to US$100,000 for access into a victim’s network, preferably through a hole in a VPN or remote access tool from the likes of Citrix, VMware, Cisco, Fortinet or Palo Alto Networks – though the actual cost usually ended up being around half that at US$56,520.
Slightly less common but still notable were requests for unsecured databases, Microsoft Exchange servers and e-commerce portals that could similarly provide a way in.
KELA noted, however, that while still dangerous, these latter methods of exploitation required a little more legwork to gain access to a corporate network and so generally weren’t as popular.
This type of outsourcing/contracting arrangement traditionally seen in legitimate corporate industries has become extremely common in the cybercrime world in recent years thanks to the boom of ransomware-as-a-service.
In this market, wannabe crims buy access to various links in the ransomware chain – whether that be the malware itself or the initial access described above – or may even pay for the entire attack to be undertaken on their behalf.
It allows those with limited time and skills to easily and quickly launch ransomware attacks.
But the industry has evolved further recently on the back of increased demand and pickier buyers who want greater clarity on whether their potential victims will likely meet their ransom demands.
This means ransomware operators are now going so far as to list the characteristics of potential victims, KELA found.
It discovered that revenue, company size, geography and industry sector all played a pivotal role in determining which organisations were most likely to be targeted by cyber criminals in this market.
“The level of privileges in the compromised network also influences the prices (for example, a domain administrator account costs at least 10 times more than access to a machine with user rights),” KELA reported.
The United States is the most popular choice (mentioned in almost half the ransomware product advertisements KELA was watching), followed not too far behind by Australia and Canada. These three locations are more likely to house wealthy companies that could prove to be more lucrative targets.
The rationale is the same for going after firms with more than US$100m in revenue: companies with lower turnover are less likely to pay out a significant ransom.
Similarly, the reticence to target healthcare, education, government, and not-profit organisations: victims in these sectors generally can’t afford to hand over much cash. Sometimes it’s also a desire to avoid unwanted law enforcement attention. Other cyber criminals avoid these sectors as part of a moral code, but unsurprisingly that number is low.
So what does this mean for the average person?
The favoured attack methods for ransomware are well known: remote access platforms, vulnerabilities in web-facing systems, and phishing and social engineering campaigns. These key threats are the basis on which cyber defences should be formed.
But for the majority of us in our everyday lives and jobs, good defence means staying vigilant to any requests for our information or to perform an action (like click on a link or attachment), especially if it’s unexpected.
