Members of ransomware gangs love Lamborghinis and they need targets generating enough revenue to fund such extravagant purchases.
The ideal ransomware targets are U.S. companies with at least $100 million in annual revenue, research from KELA, released Monday, found.
"Like all criminals, attackers are looking at potential victims in terms of risk versus reward. While companies with revenues of over $100 million are likely to have made more investments in security defenses, they will also have cyber insurance and larger cash reserves," said Jack Chapman, VP of threat intelligence at Egress.
Ransomware groups often target small businesses and organizations because they don't have the resources of enterprises, making recovery unfeasible. But if a ransomware group cannot guarantee a payment — or at least break even on the cost of access — they will lean toward bigger targets.
Even with stronger security, enterprises and their additional cash flow make "any additional work to gain access more worthwhile," said Chapman.
Some ransomware groups pay more than $100,000 to initial access brokers (IABs), though the average price is about $56,250, KELA found. Ransomware groups favor access via RDP, VPN, and technologies made by Citrix, Palo Alto Networks, VMware, Fortinet and Cisco.
Because IABs receive about 10% of a paid ransom, they auction to the highest bidder and group with the best track record. Ultimately, IABs are client-serving; they "deprioritize organizations that will be difficult to infiltrate, as they want to ensure that their clients get the results they've paid for," said Chapman.
However, KELA notes that "network access" is a nuanced term, and encompasses different attack vectors and entry points. IABs also sell access to unprotected databases or Microsoft Exchange servers.
"All these types of access are undoubtedly dangerous and can enable threat actors to perform various malicious actions, but they rarely provide access to a corporate network," the report said.
Data over revenue
It is unlikely IABs will run out of ransomware customers. In Q2 2021, at least 146 ransomware families were detected, a 4.2% increase from Q1, according to research from RiskSense. And IABs will adjust their business model to accommodate their ransomware customers.
Depending on the gang, IABs will provide access to a large number of smaller organizations using "small time investments," said Daniel Spicer, VP and CSO of Ivanti. If an IAB commits to a larger enterprise, they expect the ransomware gang to "take the time to make sure the ransomware malware has a large impact, delete a database and steal data to perform double extortion," he said.
This is partially what makes insurance companies such an integral part of ransomware. On one hand, gangs want to believe insurance companies will pay for a ransom. And on the other hand, if an insurance company becomes a ransomware victim, their client list is just as valuable as the extortion.
In May, CNA Financial reportedly paid a $40 million ransom to protect client information. "The mentality of the 'big game hunters' in ransomware is to find these victims," said Spicer.
Not all ransomware gangs are created equal — their operations and resources vary, just as their ideal targets do. "It can be just as fruitful to carry out a higher volume of attacks targeted at smaller organizations, with correspondingly smaller ransoms involved," said Chapman. This is when ransomware operators pursue organizations with fewer security layers.
Revenue is not the only factor ransomware groups consider. It's the value and volume of data, said Srinivas Mukkamala, SVP, security products at Ivanti. The NCC Group found the now-inactive Avaddon ransomware group to prefer data leaks. Avaddon was responsible for 17% of ransomware-related leaks between April and June 2021.
Each gang has a different M.O. for attack methods and outcomes, but new groups tend to focus on "smaller vulnerability packages for exploitation," the RiskSense report said. The new groups, including Apostle, DarkRadiation, FiveHands and Qlocker, exploit one vulnerability each. An older group like DarkSide, for example, uses four vulnerabilities in its attacks.
The new groups also gravitate to low scores on the Common Vulnerability Scoring System (CVSS). This is why regular vulnerability monitoring is so important for organizations — IABs will act on any opening for their ransomware gang customers.
Scanning for network vulnerabilities is the second most important measure companies can take behind employee awareness and phishing training, according to Chapman. "It's vital that regular pen testing is carried out, and where vulnerabilities are detected they are patched straight away," he said. "Too many cases of ransomware begin with long-standing unpatched network vulnerabilities."