Targets of Opportunity: How Ransomware Groups Find Victims
While Some Sectors Are More Prized Than Others, Profits Trump All ConsiderationsAs ransomware continues to pummel numerous sectors, how does any given organization end up becoming a target or victim?
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
Organizations in some geographies are more likely to fall victim. Cybersecurity firm Group-IB reports that from July 2021 through June 2022, 43% of known ransomware attacks hit U.S. organizations. Next in line were Germany, the U.K., Canada, Italy and France.
Some sectors also appear to fall victim more than others. Last quarter, ransomware incident response firm Coveware reported seeing most victims hail from the public sector, followed by software services, healthcare, professional services and the materials sector.
Comparing the last three months of 2022 to the third quarter, Coveware saw fewer professional services firms - including small law firms and financial services firms - getting hit, which it attributed to ransomware groups prioritizing larger, more lucrative targets (see: Ransomware Profits Dip as Fewer Victims Pay Extortion).
Some industries recorded a rise in attacks. In the second half of last year, in particular, known attacks against the manufacturing sector increased by 30%, reports cybersecurity firm Dragos. This sector counts everything from automotive firms and industrial equipment suppliers to electronics and aerospace.
Cue this chicken-and-egg question: Do ransomware groups amass victims by focusing on preferred sectors, or are certain sectors merely more likely to end up falling victim?
Profit Imperative
The overriding concern of ransomware groups appears to remain simple: profit.
On its data leak site, the LockBit group tells affiliates that it's "only interested in money" - as reinforced by the group's catholic taste in victims, which span every industry, including hospitals and critical infrastructure.
The message to affiliates, who typically keep 70% of every ransom paid, is clear: Hack whoever you want, so long as it maximizes revenue (see: Profit at Any Cost: Why Ransomware Gangs Such as LockBit Lie).
Hence victims appear to first get amassed in a semi-random fashion - based on access a group buys from an initial access broker, organizations that a ransomware group's affiliate may have directly hacked, or systems snared by malware used by a group. At that point, perhaps, groups decide who to focus on first.
"Cybercriminals always analyze the revenue of their victims - initial access brokers indicate their victims' financial figures in their offers," says Vladimir Timofeev, head of Group-IB's underground research and monitoring group. "The logic behind it is simple: If the potential victim has little money, then it is not very likely to pay a ransom. IABs have also started including a short description of the victim company, specifying its location and industry."
Group-IB says that of the 2,348 initial access offers it saw advertised in underground forums from July 2021 through June 2022, the greatest amount - accounting for 6% of all IAB offers - involved manufacturing sector companies.
"Network access to manufacturing sector companies is one of the most sought-after assets for ransomware groups," Timofeev says. Given this demand, IABs can charge more for such "accesses," which means larger groups might be the ones more likely to risk the higher upfront cost for the potential of a big return on their investment.
"Industry and manufacturing companies are always likely to pay more, as downtime affects production heavily and results in multimillion-dollar financial losses," he says. "While other companies may fear the public release of their data, manufacturing companies will always suffer directly from ransomware attacks."
It's probably no coincidence that manufacturing was the industry most often targeted by ransomware operators over the past 18 months, according to research from Kela and Group-IB.
So while the precise mechanics of how a ransomware group ends up selecting potential victims seem variable, if a group thinks there are decent profits to be squeezed out of any given organization for which they've gained remote access, that seems to be an opportunity they'll take.