Euro Security Watch with Mathew J. Schwartz

Cybercrime, Cybercrime as-a-service, Endpoint Detection & Response (EDR)

Criminals' Wish List: Who's Their Ideal Ransomware Victim?

Revenue, Size, Geography and Level of Access Help Determine Sale Price for Access
Sections on the XSS and Exploit cybercrime forums that are dedicated to accesses (Source: Kela)

The most sought-after type of victim for ransomware-wielding attackers is a large, U.S.-based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.


So says Israeli threat intelligence firm Kela in a new report, rounding up dozens of active discussion threads it tracked on cybercrime forums during July that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says.

On cybercrime forums and markets, initial access brokers continue to sell what gets referred to as "accesses." For buyers, the upside of buying access is that it saves them from having to breach potential victims themselves. Instead, they can choose from a menu of options, which allows them to spend more time infecting more victims with ransomware and other malware, stealing data, or otherwise monetizing such efforts (see: Access Brokers: Just 10 Vendors List 46% of All Offers).

When dealing with initial access brokers, the access being sold may include network access, but most often refers to the ability to buy working RDP or VPN credentials, writes Victoria Kivilevich, a threat intelligence analyst at Kela who authored the new report. Based on the forum posts Kela reviewed, she says the other most-desired products for facilitating access include:

The average minimum price a buyer will pay for access is $1,600 and the average maximum is $56,250, Kela reports, although in some cases, initial access brokers will instead accept a cut of any ransom a victim pays, with the going rate for a broker typically being about 10% of any ransom payment.

Advertisement on the Exploit cybercrime forum by the BlackMatter ransomware-as-a-service operation, seeking initial access broker partners, in exchange for payment or a percentage of any ransom that gets paid (Source: Recorded Future)

Which Victims Command the Highest Prices?

For ransomware-wielding attackers who want to buy access, which types of victims are hot and which ones are not?

Geographically, 47% of all buyers said they wanted U.S. victims; 37% said they wanted Canadian or Australian victims; and 32% sought victims in Europe, Kivilevich says, noting that "most of the advertisements included a call for multiple countries."

From a revenue standpoint, the average desired annual revenue for a victim was $100 million, although sometimes this demand was based on location, Kivilevich says. "For example, one of the actors described the following formula: Revenue should be more than $5 million for U.S. victims, more than $20 million for European victims and more than $40 million for 'the third world' countries," she says.

A buyer lists desired types of access, with rates tied to the victim's annual revenue. (Source: Kela)

In general, more ransomware operations have been targeting larger organizations in search of bigger ransoms, a practice known as big game hunting.

As a representative of the LockBit 2.0 operation who goes by LockBitSupp said in a recent interview, the focus on the U.S. and EU is simply because "the largest number of the world's wealthiest companies is concentrated there," and because those regions also have "more developed" cyber insurance practices, which can help them pay larger ransoms (see: 9 Takeaways: LockBit 2.0 Ransomware Rep 'Tells All').

Frequent Blacklists: Russia, Healthcare

Perhaps predictably, Russia and other Commonwealth of Independent States countries - Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan, Ukraine - tend to be on buyers' blacklists, Kela reports.

Also on buyers' blacklists: organizations in the healthcare and education sectors, for 47% of all buyers; government agencies for 37% of buyers; and nonprofit organizations for 26% of buyers, Kela says. Avoiding healthcare appears to be due to an attacker's moral code, whereas government entities are avoided to try to escape unwanted police attention, while education and nonprofits are perceived to pay too little to be worth the effort, it says.

Not All Access Sales Are Public

Such research carries caveats. For starters, not all accesses for sale get listed on forums where they can be publicly tracked. In some cases, initial access brokers will have exclusive arrangements with a particular ransomware-as-a-service operation, or might at least give it a right of first refusal on all new accesses.

A CryLock ransomware gang advertises for regular access suppliers. (Source: Kela)

In addition, some brokers list general accesses for sale, but will only message prospective clients directly - for example, via Telegraph or Jabber messaging tools - to share a full list of what's for sale as well as to negotiate prices.

Defensive Takeaways

What should network defenders do with the above information? Clearly, keeping RDP and VPN access locked down should be a top priority, as should enabling two-factor authentication wherever possible, but especially for admin-level access to Active Directory and other key systems attackers regularly target (see: Why Are We So Stupid About RDP Passwords?).

Maintaining complete lists of all internal assets, and ensuring that they're being properly defended, as well as kept updated with all security patches installed, also remains essential. While this might sound obvious, cybersecurity agencies in the U.S. and U.K. continue to warn that too many organizations have been failing to patch their devices - especially Citrix, Fortinet, Pulse Secure and Palo Alto VPN appliances, and Microsoft Exchange Servers - to eliminate known vulnerabilities, and that attackers continue to exploit them en masse to gain access.
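The two paragraphs above amount to a checklist: know every asset, know which ones expose RDP or VPN to the internet, know whether MFA gates them, and know whether the VPN and Exchange products the advisories single out are patched. The following script is an added example, not code from Kela or from this article, that turns that checklist into an inventory audit. The asset records, hostnames, field names and severity levels are constructed assumptions for the demonstration; the only page-sourced inputs are the product names and the services the article says brokers resell.

```python
"""Audit a constructed asset inventory for the exposures the article flags.

Added example: the records, hostnames and field names below are assumptions
made for this demonstration, not data from Kela's report.
"""
from dataclasses import dataclass, field

# Products the U.S. and U.K. advisories cited in the article single out for
# patching; an instance that is behind on patches is treated as high severity.
WATCHED_PRODUCTS = {"citrix", "fortinet", "pulse secure", "palo alto",
                    "microsoft exchange"}

# Services whose credentials initial access brokers most often resell.
REMOTE_ACCESS_SERVICES = {"rdp", "vpn"}


@dataclass
class Asset:
    hostname: str
    product: str                       # vendor/product name, free text
    services: list = field(default_factory=list)   # e.g. ["rdp"], ["vpn"]
    internet_exposed: bool = False     # reachable from outside the perimeter
    mfa_enforced: bool = False         # MFA required for interactive logon
    patch_status: str = "current"      # "current" or "behind"
    owner: str = ""                    # empty string = nobody accountable


@dataclass
class Finding:
    hostname: str
    severity: str                      # "high", "medium" or "low"
    reason: str


def audit_asset(asset: Asset) -> list:
    """Apply the article's defensive checks to one inventory record."""
    findings = []
    exposed_remote = asset.internet_exposed and any(
        s.lower() in REMOTE_ACCESS_SERVICES for s in asset.services)
    if exposed_remote and not asset.mfa_enforced:
        findings.append(Finding(asset.hostname, "high",
                                "internet-facing RDP/VPN without MFA"))
    elif exposed_remote:
        findings.append(Finding(asset.hostname, "medium",
                                "internet-facing RDP/VPN (MFA on; confirm "
                                "lockout policy and logon logging)"))
    product = asset.product.lower()
    if any(p in product for p in WATCHED_PRODUCTS) and asset.patch_status != "current":
        findings.append(Finding(asset.hostname, "high",
                                f"{asset.product} is behind on patches"))
    if not asset.owner:
        findings.append(Finding(asset.hostname, "low",
                                "no owner recorded; inventory gap"))
    return findings


def audit_inventory(assets) -> list:
    """Run every check over the inventory, highest severity first."""
    findings = []
    for asset in assets:
        findings.extend(audit_asset(asset))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.hostname))


def summarize(findings) -> dict:
    """Count findings per severity so the result can be tracked over time."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", "Pulse Secure appliance", ["vpn"],
          internet_exposed=True, mfa_enforced=False, patch_status="behind",
          owner="netops"),
    Asset("ts-finance-02", "Windows Server", ["rdp"],
          internet_exposed=True, mfa_enforced=True, owner=""),
    Asset("mail-01", "Microsoft Exchange", ["https"],
          internet_exposed=True, patch_status="behind", owner="messaging"),
    Asset("file-03", "Windows Server", ["smb"],
          internet_exposed=False, owner="it"),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.hostname}: {f.reason}")
    print(summarize(results))
```

The checks are deliberately data-driven: feed `audit_inventory` records exported from a CMDB or scanner and the same rules apply, and `summarize` gives a number that should trend toward zero as RDP/VPN exposure is closed, MFA is enforced and the watched appliances are patched.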

Finally, while the above study looked at ransomware-wielding attackers' access proclivities, of course, they're not the only type of attacker shopping for access. As Kela's Kivilevich says: "It is crucial to remember that access to a company in the wrong hands may be exploited not only for deploying ransomware and stealing data but also for other malicious campaigns."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
