Researchers with threat intelligence company KELA have recently analyzed 48 active threads on underground (dark web) marketplaces made by threat actors looking to buy access to organizations’ systems, assets and networks, and have found that at least 40% of the postings were by active participants in the ransomware-as-a-service (RaaS) supply chain (operators, or affiliates, or middlemen).
The analyzed threads have provided interesting insights into how these threat actors choose their next victims.
Which ransomware victims are preferred?
Unsurprisingly, companies in developed countries such the US, Canada, Australia and European countries are preferred targets, while organizations based in countries that are (formal or informal) members of the Commonwealth of Independent States (CIS) are generally avoided – most likely because the threat actors are based in some of those countries and wish to avoid local law enforcement focusing on them.
“Other countries mentioned as ‘unwanted’ included South America and third world countries – most likely due to low chances of getting a financial gain,” KELA threat intelligence analyst Victoria Kivilevich pointed out.
Still, that doesn’t mean that well heeled companies based in those countries will never be targeted – the criminals will simply adjust their expectations and (most likely) offer less money for access to them.
“The average minimum revenue wanted by ransomware attackers is 100 million USD, with some of them stating that the desired revenue depends on the location. For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for ‘the third world’ countries.”
Also, despite ransomware attacks against healthcare organizations often making news, in nearly half (47%) of the postings, the attackers said they don’t want to to buy access to companies from the healthcare sector. The same percentage of access requests noted the need to avoid targets in education, while government companies and non-profits are unwanted targets in 36% and 26% of the postings, respectively.
The likely reasons for avoiding these organizations are various: ethical, expected low returns, or the wish to avoid unwanted attention from law enforcement.
What kind of access are they looking for?
“Ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. The most common products (enabling network access) mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco,” Kivilevich shared.
But not all of the requests for access are made by ransomware gangs. Other cyber criminals – who aim to steal information via malware or injected scripts, perform crypto-jacking, or mount spam and phishing campaings – are looking to buy their way into online shops’ panels, unprotected databases, Microsoft Exchange servers, and so on.
“The similarities between ransomware-related actors’ requirements for victims and access listings and conditions for IABs (initial access brokers) illustrate that RaaS operations act just like corporate enterprises. They form ‘industry standards’ with a blacklist of sectors and countries, define their ‘clients’ revenue and geography, and offer a competitive price for threat actors supplying them the desired “goods,'” Kivilevich concluded, and advised companies to perform regular cybersecurity awareness and training, vulnerability monitoring and patching, and targeted and automated monitoring of key assets.
Despite these findings, it’s good to keep in mind that cyber criminals and ransomware gangs are also finding ways into organizations themselves, and that small- and medium-size businesses are also potential targets.