Close this search box.

Australian companies be warned – What an “ideal” ransomware victim might look like


Has more than $100m in revenue. Not in education, healthcare, government or not-profit sectors. Uses VPNs or remote access tools. Is preferably based in the US, but could also easily be in Australia, Canada or Europe. 

This is the profile of the perfect ransomware victim, according to one cyber security intelligence firm. 

Cybersecurity intelligence firm KELA spent some time watching cyber criminals chat amongst themselves about the kind of “access” – or entry point into a victim network – they wanted to buy from other hackers. 

Almost half of them were involved in the ransomware business, with the remainder more interested in information stealing, cryptocurrency mining, and spam and phishing.

All, however, were keen to find someone else who’d already done the hard work of infiltrating an organisation for them.  

They were happy to pay up to US$100,000 for access into a victim’s network, preferably through a hole in a VPN or remote access tool from the likes of Citrix, VMware, Cisco, Fortinet or Palo Alto Networks – though the actual cost usually ended up being around half that at US$56,520. 

Slightly less common but still notable were requests for unsecured databases, Microsoft Exchange servers and e-commerce portals that could similarly provide a way in.

KELA noted, however, that while still dangerous, these latter methods of exploitation required a little more legwork to gain access to a corporate network and so generally weren’t as popular. 

This type of outsourcing/contracting arrangement traditionally seen in legitimate corporate industries has become extremely common in the cybercrime world in recent years thanks to the boom of ransomware-as-a-service. 

In this market, wannabe crims buy access to various links in the ransomware chain – whether that be the malware itself or the initial access described above – or may even pay for the entire attack to be undertaken on their behalf. 

It allows those with limited time and skills to easily and quickly launch ransomware attacks. 

But the industry has evolved further recently on the back of increased demand and pickier buyers who want greater clarity on whether their potential victims will likely meet their ransom demands. 

This means ransomware operators are now going so far as to list the characteristics of potential victims, KELA found. 

It discovered that revenue, company size, geography and industry sector all played a pivotal role in determining which organisations were most likely to be targeted by cyber criminals in this market. 

“The level of privileges in the compromised network also influences the prices (for example, a domain administrator account costs at least 10 times more than access to a machine with user rights),” KELA reported. 

The United States is the most popular choice (mentioned in almost half the ransomware product advertisements KELA was watching), followed not too far behind by Australia and Canada. These three locations are more likely to house wealthy companies that could prove to be more lucrative targets. 

The rationale is the same for going after firms with more than US$100m in revenue: companies with lower turnover are less likely to pay out a significant ransom. 

Similarly, the reticence to target healthcare, education, government, and not-profit organisations: victims in these sectors generally can’t afford to hand over much cash. Sometimes it’s also a desire to avoid unwanted law enforcement attention. Other cyber criminals avoid these sectors as part of a moral code, but unsurprisingly that number is low.

So what does this mean for the average person? 

The favoured attack methods for ransomware are well known: remote access platforms, vulnerabilities in web-facing systems, and phishing and social engineering campaigns. These key threats are the basis on which cyber defences should be formed.  

But for the majority of us in our everyday lives and jobs, good defence means staying vigilant to any requests for our information or to perform an action (like click on a link or attachment), especially if it’s unexpected. 

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →