Select Page

Ransomware gangs target companies using these criteria

Ransomware gangs target companies using these criteria


Ransomware gangs increasingly purchase access to a victim’s network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.

When conducting a cyberattack, ransomware gangs must first gain access to a corporate network to deploy their ransomware.

With the massive profits being generated in attacks, instead of finding and breaching targets themselves, ransomware gangs are commonly purchasing initial access to high-value targets through initial access brokers (IABs).

IABs are other threat actors who breach a network, whether through brute-forcing passwords, exploits, or phishing campaigns and then sell that access to other cybercriminals.

After examining ransomware gang’s “want ads,” cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.

Targeting certain companies

KELA analyzed 48 forum posts creates in July where threat actors are looking to purchase access to a network. The researchers state that 40% of these ads are created by people working with ransomware gangs.

These want ads list the company requirements that ransomware actors are looking for, such as the country a company is located, what industry they are in, and how much they are looking to spend.

For example, in a want ad from the BlackMatter ransomware gang, the threat actors are looking for targets specifically in the USA, Canada, Australia, and Great Britain with revenue of $100 million or more. For this access, they are willing to pay $3,000 to $100,000, as shown in the want ad below.

BlackMatter network access want ad
BlackMatter network access want ad

By analyzing the want ads from close to twenty posts created by threat actors related to ransomware gangs, the KELA researchers were able to come up with the following company characteristics that are being targeted:

  • Geography: Ransomware gangs prefer victims located in the USA, Canada, Australia, and Europe.

    “The majority of requests mentioned the desired location of victims, with the US being the most popular choice – 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries,” said KELA’s report.

    “The reason behind this geographical focus is that actors choose the most wealthy companies which are expected to be located in the biggest and the most developed countries.”

  • Revenue: KELA states that the average minimum revenue desired by ransomware gangs is $100 million. However, this can be different depending on the geographic location of the victim..

    “For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for “the third world” countries,” explained KELA.

  • Blacklist of sectors: While some gangs said they avoided healthcare, they were less picky about other industries of the companies they encrypt. However, after the Colonial Pipeline, Metropolitan Police Department, and JBS attacks, many ransomware gangs began avoiding specific sectors.

    “47% of ransomware attackers refused to buy access to companies from the healthcare and education industries. 37% prohibited compromising the government sector, while 26% claimed they will not purchase access related to non-profit organizations. “

    “When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much. “

    “Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement.”

  • Blacklist of countries: Most large ransomware operations specifically avoid attacking companies located in the Commonwealth of Independent States (CIS) as they believe if they don’t target those countries, the local authorities will not target them.

    These blacklisted countries include Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan.

Unfortunately, even if a company does not meet the above criteria, it does not mean that they are safe.

Many ransomware gangs, such as Dharma, STOP, Globe, and others, are less picky, and you can wind up being targeted by a ransomware operation.

Furthermore, even though these gangs prefer victims with these characteristics, it does not necessarily mean they won’t breach a network independently.

BleepingComputer has commonly seen ransomware gangs, such as DarkSide, REvil, BlackMatter, and LockBit, target smaller companies and demand much smaller ransoms.