How ransomware groups find their targets

Over the past few years, online businesses, public infrastructure, and ordinary people alike have faced a spate of ransomware attacks that show no signs of letting up. Ransomware involves malicious hackers infecting an organization’s computer systems with a type of malware that steals sensitive data and locks out employees until the organization agrees to pay a ransom. The threat actors claim they will publish the data online if the victim doesn’t pay up.

And it’s not an empty threat. When payment hasn’t been received, threat actors frequently publish the data somewhere on the Dark Web. Last summer, one ransomware group kicked things up a notch when it published leaked data on the public Internet. According to KrebsOnSecurity, in June 2022, ransomware group ALPHV/BlackCat created individual victim websites, complete with easily searchable data for users. Not good.

So, how exactly do these criminals find and decide who to victimize? 

Attributes of an ideal victim

There is no definitive answer, but research tends to show that victims’ profit margins and their likelihood of paying the ransom play a key role. The latter point has become more important than ever because fewer victims have been paying ransoms recently.

Research from Coveware found the percentage of victims willing to pay a potential ransom dropped from 85% in Q1 of 2019 to 37% in Q4 of 2022. There are several reasons for this, such as increased awareness of these kinds of attacks among companies and law enforcement alike, as well as the operating costs of such attacks increasing for ransomware groups each time a victim doesn’t pay up.

That’s why ransomware groups have started scrutinizing which types of organizations are more likely to pay out. They have begun demanding higher payments from industries with higher turnover. This is likely why Coveware noted a shift away from the professional services sector, which includes small law firms and small financial service firms and which used to account for a large proportion of ransomware attacks. Instead, it found that organizations more likely to pay out a higher ransom, such as healthcare, and the private sector faced a higher percentage of attacks.

The shift to manufacturing

When it comes to industrial ransomware attacks, research from Dragos found a marked increase in attacks on the manufacturing sector at the end of 2022. In the 4th quarter of 2022, 76% of ransomware attacks affected the manufacturing sector, which was a 38% increase over the 3rd quarter. The most impacted subsector was automotive, with industrial equipment coming second and electronics third.

This also seems to reflect what’s happening in ransomware forums. According to BankInfoSecurity, 6% of all initial access broker offers from July 2021 through June 2022 involved manufacturing sector companies. Vladimir Timofeev, head of Group-IB’s underground research and monitoring group, told BankInfoSecurity: 

“Industry and manufacturing companies are always likely to pay more, as downtime affects production heavily and results in multimillion-dollar financial losses. While other companies may fear the public release of their data, manufacturing companies will always suffer directly from ransomware attacks.”

Conclusion

Even if you’re not a high-income manufacturing firm, it still pays to take precautions against potential harm from malicious actors. Check out our piece on protection against ransomware for more guidance.
