This is the perfect ransomware victim, according to cybercriminals

Researchers have explored what the perfect victim looks like to today’s ransomware groups.

On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million.

Initial access is now big business. Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system. 

When you consider a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential — and can mean that cybercriminals can free up time to strike more targets. 

The cybersecurity company’s findings, based on observations in dark web forums during July 2021, suggest that threat actors are seeking large US firms, but Canadian, Australian, and European targets are also considered. 

Russian targets are usually rejected immediately, and others are considered “unwanted” — including those located in developing countries — likely because potential payouts are low. 

Roughly half of ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table.

In addition, there are preferred methods of access. Remote Desktop Protocol (RDP), Virtual Private Network (VPN)-based access prove popular. Specifically, access to products developed by companies including Citrix, Palo Alto Networks, VMWare, Cisco, and Fortinet.  

“As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical,” the report states.



KELA also found offerings for e-commerce panels, unsecured databases, and…