
Revenue, Size, Geography and Level of Access Help Determine Sale Price for Access

September 6, 2021    

Criminals' Wish List: Who's Their Ideal Ransomware Victim?
Sections on the XSS and Exploit cybercrime forums that are dedicated to accesses (Source: Kela)

The most sought-after type of victim for ransomware-wielding attackers is a large, U.S.-based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.


So says Israeli threat intelligence firm Kela in a new report, rounding up dozens of active discussion threads it tracked on cybercrime forums during July that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says.

“We buy VPN, RDP, Citrix accesses, with domain admin rights.” 

On cybercrime forums and markets, initial access brokers continue to sell what gets referred to as “accesses.” For buyers, the upside of buying access is that it saves them from having to breach potential victims themselves. Instead, they can choose from a menu of options, which allows them to spend more time infecting more victims with ransomware and other malware, stealing data, or otherwise monetizing such efforts (see: Access Brokers: Just 10 Vendors List 46% of All Offers).

When dealing with initial access brokers, the access being sold may include network access, but most often refers to the ability to buy working RDP or VPN credentials, writes Victoria Kivilevich, a threat intelligence analyst at Kela who authored the new report. Based on the forum posts Kela reviewed, she says other most-desired products for facilitating access include:

Across the posts it reviewed, Kela found that the average minimum price buyers were willing to pay for an access was $1,600 and the average maximum was $56,250. In some cases, initial access brokers will instead accept a cut of any ransom a victim pays, with the going rate for a broker typically being about 10% of the ransom payment.

Advertisement on the Exploit cybercrime forum by the BlackMatter ransomware-as-a-service operation, seeking initial access broker partners, in exchange for payment or a percentage of any ransom that gets paid (Source: Recorded Future)

Which Victims Command the Highest Prices?

For ransomware-wielding attackers who want to buy access, which types of victims are hot and which ones are not?

Geographically, 47% of all buyers said they wanted U.S. victims; 37% said they wanted Canadian or Australian victims; and 32% sought victims in Europe, Kivilevich says, noting that “most of the advertisements included a call for multiple countries.”

From a revenue standpoint, the average desired annual revenue for a victim was $100 million, although sometimes this demand was based on location, Kivilevich says. “For example, one of the actors described the following formula: revenue should be more than $5 million for U.S. victims, more than $20 million for European victims and more than $40 million for ‘the third world’ countries,” she says.

A buyer lists desired types of access, with rates tied to the victim’s annual revenue (Source: Kela)

In general, more ransomware operations have been targeting larger organizations in search of bigger ransoms, a strategy known as big-game hunting.

As a representative of the LockBit 2.0 operation who goes by LockBitSupp said in a recent interview, the focus on the U.S. and EU is simply because “the largest number of the world’s wealthiest companies is concentrated there,” and because those regions also have “more developed” cyber insurance practices, which can help them pay larger ransoms (see: 9 Takeaways: LockBit 2.0 Ransomware Rep ‘Tells All’).

Frequent Blacklists: Russia, Healthcare

Perhaps predictably, Russia and the other countries of the Commonwealth of Independent States region (Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) tend to be on buyers’ blacklists, Kela reports.

Also on buyers’ blacklists: organizations in the healthcare and education sectors, for 47% of all buyers; government agencies, for 37% of buyers; and non-profit organizations, for 26% of buyers, Kela says. Avoiding healthcare appears to be a matter of the attacker’s stated moral code, whereas government entities are avoided to escape unwanted law enforcement attention, and education and non-profits are perceived to pay too little to be worth the effort, it says.

Not All Access Sales are Public

Such research carries caveats. For starters, not all accesses for sale get listed on forums where they can be publicly tracked. In some cases, initial access brokers will have exclusive arrangements with a particular ransomware-as-a-service operation, or might at least give it a right of first refusal on all new accesses.

Crylock ransomware gang advertises for regular access suppliers (Source: Kela)

In addition, some brokers list general accesses for sale but will only message prospective clients directly, for example via the Telegram or Jabber messaging tools, to share the full list of what’s for sale and to negotiate prices.

Defensive Takeaways

What should network defenders do with the above information? Clearly, keeping RDP and VPN access locked down should be a top priority, as should enabling two-factor authentication wherever possible, and especially for admin-level access to Active Directory and the other key systems attackers regularly target (see: Why Are We So Stupid About RDP Passwords?). Because brokers sell working credentials rather than exploits, a successful RDP or VPN logon from an address outside the organization, or one that follows a run of failures, is exactly the event worth alerting on.
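The following is an added example, not code from the article or from Kela's report, of the kind of detection that the takeaway above implies. It assumes Windows Security log events have been exported as records carrying the EventData fields TargetUserName, LogonType and IpAddress (for example from an EVTX export or a SIEM), that logon type 10 (RemoteInteractive) identifies RDP sessions, that the internal address ranges are the RFC 1918 blocks, and that five consecutive failures is a reasonable threshold; all of the event records are constructed for the example. It flags successful RDP logons from external addresses (meaning RDP is reachable from the internet at all) and successful logons that follow a run of failed attempts for the same account from the same source.

```python
"""Flag risky RDP logons in exported Windows Security log events.

Added example; not code from the article or from Kela. It checks two things
a buyer of stolen RDP credentials would trigger:
  1. a successful logon (Event ID 4624) of logon type 10 (RemoteInteractive,
     i.e. RDP) from an address outside the internal ranges;
  2. a successful logon preceded by a run of failed logons (Event ID 4625)
     for the same account from the same source address.
The events below are constructed for this example. Field names mirror the
EventData names in the Security log, but no real host produced them.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal ranges (RFC 1918); adjust to the environment being monitored.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILURE_THRESHOLD = 5  # assumed value; tune to the local baseline


@dataclass
class Event:
    time_created: str
    event_id: int      # 4624 = successful logon, 4625 = failed logon
    logon_type: int    # 10 = RemoteInteractive (RDP), 3 = network, 2 = console
    target_user: str   # TargetUserName
    ip_address: str    # IpAddress; Windows logs "-" when none applies


# Constructed sample events, in the order a log export would show them.
SAMPLE_EVENTS = [
    # Five failures then a success for an admin account from a public address.
    *[Event(f"2021-07-01T02:10:{i:02d}Z", 4625, 10, "administrator", "203.0.113.45")
      for i in range(5)],
    Event("2021-07-01T02:11:00Z", 4624, 10, "administrator", "203.0.113.45"),
    # Network (type 3) logon from outside: not RDP, so not flagged here.
    Event("2021-07-01T03:00:00Z", 4624, 3, "www-share", "203.0.113.9"),
    # Console logon: no source address recorded.
    Event("2021-07-01T03:30:00Z", 4624, 2, "jsmith", "-"),
    # Clean RDP logon straight from the internet: the service is exposed.
    Event("2021-07-01T04:00:00Z", 4624, 10, "svc-backup", "198.51.100.7"),
    # Normal RDP use from inside the network, with two mistyped passwords.
    Event("2021-07-01T08:00:00Z", 4624, 10, "jsmith", "10.20.30.40"),
    Event("2021-07-01T08:01:00Z", 4625, 10, "jsmith", "10.20.30.40"),
    Event("2021-07-01T08:01:05Z", 4625, 10, "jsmith", "10.20.30.40"),
    Event("2021-07-01T08:01:20Z", 4624, 10, "jsmith", "10.20.30.40"),
]


def is_external(ip_text: str) -> bool:
    """True when the address parses and lies outside INTERNAL_NETWORKS.

    Unparseable values such as "-" (console logons) and loopback addresses are
    treated as not external so they never raise a false alert.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_external_rdp_logons(events):
    """Successful RDP (logon type 10) logons whose source is external."""
    return [e for e in events
            if e.event_id == 4624 and e.logon_type == 10 and is_external(e.ip_address)]


def find_success_after_failures(events, threshold=FAILURE_THRESHOLD):
    """(user, source, failure_count) for every success that follows at least
    `threshold` consecutive failures for the same account from the same source."""
    failures = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.time_created):
        key = (e.target_user, e.ip_address)
        if e.event_id == 4625:
            failures[key] = failures.get(key, 0) + 1
        elif e.event_id == 4624:
            count = failures.pop(key, 0)  # a success ends the run either way
            if count >= threshold:
                hits.append((e.target_user, e.ip_address, count))
    return hits


if __name__ == "__main__":
    for e in find_external_rdp_logons(SAMPLE_EVENTS):
        print(f"RDP from external address: {e.target_user} <- {e.ip_address} at {e.time_created}")
    for user, src, n in find_success_after_failures(SAMPLE_EVENTS):
        print(f"success after {n} failures: {user} <- {src}")
```

On the sample data the first check reports the administrator and svc-backup sessions, and the second reports only the administrator account; the internal jsmith mistypes stay below the threshold. In practice the first check should fire rarely if ever, because RDP should only be reachable through a VPN or jump host, which is the point of the takeaway above.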

Maintaining a complete inventory of all assets, and ensuring that each one is properly defended, kept updated and has all security patches installed, also remains essential. While this might sound obvious, cybersecurity agencies in the U.S. and U.K. continue to warn that too many organizations have failed to patch their devices, especially Citrix, Fortinet, Pulse Secure and Palo Alto VPN appliances and Microsoft Exchange servers, to eliminate known vulnerabilities, and that attackers continue to exploit those flaws en masse to gain access.

Finally, while the above study looked at ransomware-wielding attackers’ access proclivities, of course, they’re not the only type of attacker shopping for access. As Kela’s Kivilevich says: “It is crucial to remember that access to a company in the wrong hands may be exploited not only for deploying ransomware and stealing data but also for other malicious campaigns.”
