The Ideal Ransomware Victim: What Attackers Are Looking For
Victoria Kivilevich, Threat Intelligence Analyst
In July 2021, KELA observed threat actors creating multiple threads where they claimed they are ready to buy accesses and described their conditions. Some of them appear to use access for deploying info-stealing malware and carrying out other malicious activities. Others aim to plant ransomware and steal data. KELA explored what is valuable for threat actors buying accesses, especially ransomware attackers, and built a profile of an ideal ransomware victim.
Bottom line up front:
- In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
- 40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.
- Ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding certain sectors and countries from the targets list. On average, the actors active in July 2021 aimed to buy access to US companies with revenue of more than 100 million USD. Almost half of them refused to buy access to companies from the healthcare and education industries.
- Ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. The most common products (enabling network access) mentioned were Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.
- Ransomware attackers are ready to pay for access up to 100,000 USD, with most actors setting the boundaries at half of that price – 56,250 USD.
- The similarities between ransomware-related actors’ requirements for victims and access listings and conditions for IABs illustrate that RaaS operations act just like corporate enterprises.
What Access Are Threat Actors Chasing
In total, KELA found 48 threads dedicated to buying accesses that were created or observed being active in July 2021. Almost half of them were created in July alone, showing an impressive pace and demand for access listings (with active meaning they had one or more updates from their creators in a thread). It begs the question – what access are the actors looking for and what is their ultimate goal?
First of all, it is important to understand that threat actors behind the announcements do not necessarily mean network access when they say “access”. It is a term that is used in a very loose manner to describe multiple different vectors and entry points – from SQL injection and webshells to RDP- and VPN- based access. Analyzing the active threads dedicated to buying accesses, KELA found that in addition to initial network accesses sold by Initial Access Brokers (IABs), they included access to online shops’ panels, unprotected databases, Microsoft Exchange servers, and more. All these types of access are undoubtedly dangerous and can enable threat actors to perform various malicious actions, but they rarely provide access to a corporate network.
Sections dedicated to accesses on XSS and Exploit cybercrime forums
Therefore, researching the actors’ demands and their dark web activity, KELA determined that the actors behind the analyzed threads usually intended to exploit the access for all kinds of malicious activities, including information-stealing (from deploying info-stealing malware to injecting malicious scripts into websites), cryptocurrency mining, spam and phishing campaigns.
A user explaining how to use access via shells for malicious purposes
Threat actors looking for accesses to abuse them to deploy sniffers or send e-mail spam
However, one threat obviously stands out. Almost 40% of the analyzed threads were created by actors related to Raas supply chain – operators, affiliates, or middlemen. As ransomware operations have been growing and maturing, KELA observed multiple ransomware gangs using the IABs’ services. Announcements about buying accesses help them to find each other and cooperate further. Some gangs, like BlackMatter and Avos, even sent an advertisement about them buying accesses in Jabber – apparently to all users registered via XSS/Exploit Jabber services. Others, like Crylock ransomware representative, specifically mentioned they are looking for constant sellers.
BlackMatter ransomware gang is looking for Initial Access Brokers both on forums and via Jabber
Crylock ransomware gang is looking for constant suppliers of access
Such posts are not new, though with the growth and diversification of the ransomware-as-a-service (RaaS) ecosystem they have become much more standardized. Instead of a simple “I’ll buy access”, threat actors now scrupulously list potential victims’ characteristics and types of access, knowing exactly what they want – i.e. to ease the attack and eventually receive a ransom. KELA explored these metrics to find out what companies are in the ransomware attackers’ target list.
Ransomware Attackers’ Requirements to IABs
When describing the pricing model formed by IABs, KELA determined that it mainly depends on the revenue and the size of the affected company, though geography sometimes plays a certain role. The level of privileges in the compromised network also influences the prices (for example, a domain administrator account costs at least 10 times more than access to a machine with user rights). Logically, the same metrics are important to ransomware actors since IABs have always followed the needs of their customers.
A typical ransomware actors’ advertisement includes the following characteristics of the victim:
The majority of requests mentioned the desired location of victims, with the US being the most popular choice – 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries. The reason behind this geographical focus is that actors choose the most wealthy companies which are expected to be located in the biggest and the most developed countries. For example, the LockBit 2.0 ransomware representative said in his recent interview: “The bigger the company’s capitalization is – the better. <..> It does not matter where the target is situated, we attack everyone.”
Typically, the actors stated only the minimum desired revenue in attempts to cut off victims that are unlikely to pay a significant ransom. The average minimum revenue wanted by ransomware attackers is 100 million USD, with some of them stating that the desired revenue depends on the location. For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for “the third world” countries.
A threat actor sets prices for accesses depending on the revenue of potential victims
- Blacklist of sectors
A significant difference can be spotted between the advertisement of threat actors buying access for ransomware attacks and cybercriminals with other specializations. Almost a half of ransomware-related threads included a blacklist of sectors, meaning that the actors are not ready to buy access to companies from specific industries.
47% of ransomware attackers refused to buy access to companies from the healthcare and education industries. 37% prohibited compromising the government sector, while 26% claimed they will not purchase access related to non-profit organizations. When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much. Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement.
- Blacklist of countries
Finally, some countries are out of ransomware attackers’ interests. Not surprisingly, it’s CIS, according to the old Russian-speaking hackers’ rule “do not work in Ru” [in Russian speaking countries – KELA]. The actors based in CIS suppose that if they will not target these countries, local authorities will not hunt them. Other countries mentioned as “unwanted” included South America and third world countries – most likely due to low chances of getting a financial gain.
Ransomware Attackers Budget for Accesses
For suitable victims, ransomware attackers are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirement. Among wanted products (enabling network access) they listed Citrix, Palo Alto Networks (specifically GlobalProtect VPN), VMware (specifically ESXi), Fortinet, and Cisco. As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical.
An actor associated with the Nefilim ransomware operation looks for various types of access
How much are ransomware attackers ready to pay for such access to defined companies? The range really varies, starting from 100 and ending with 100,000 USD. The average minimum and maximum prices for access are 1600 – 56,250 USD. In addition, 32% of ransomware attackers are ready to pay a share of a ransom. As KELA determined earlier, IABs can get around 10% of a ransom.
The similarities between ransomware-related actors’ requirements for victims and access listings and conditions for IABs illustrate that RaaS operations act just like corporate enterprises. They form “ industry standards” with a blacklist of sectors and countries, define their “clients” revenue and geography, and offer a competitive price for threat actors supplying them the desired “goods.” Confronting such organized cybercrime requires more effort and visibility into the sources where ransomware-related actors look for outsourcing services and recruit partners and employees.
Mitigation measures for enterprise defenders
Demand for access listings on cybercrime forums is growing, with more actors advertising they are ready to buy entry points to networks, sites, storage, and more. This is another proof of continuing servitization of cybercrime, especially ransomware-as-a-service (RaaS) operations that rely on different specialists to perform their attacks. However, it is crucial to remember that access to a company in the wrong hands may be exploited not only for deploying ransomware and stealing data but also for other malicious campaigns.
Confronting various threats require enterprise defenders to invest in:
- Cybersecurity awareness and training for all key stakeholders and employees to ensure that key individuals know how to safely use their credentials and personal information online. This cyber training should include specifying how to identify suspicious activities, such as possible scam emails, or unusual requests from unauthorized individuals or email addresses.
- Regular vulnerability monitoring and patching to continually protect their entire network infrastructure and prevent any unauthorized access by Initial Access Brokers or other network intruders.
- Targeted and automated monitoring of key assets to immediately detect threats emerging from the cybercrime underground ecosystem. Constant automated and scalable monitoring of an organization’s assets could significantly improve maintaining a reduced attack surface, ultimately helping organizations thwart possible attempts of cyberattacks against them.
Visit lumint.kelacyber.com to stay up to date with more insights on recent ransomware attacks as well as compromised network accesses listed for sale and leaked databases and data dumps.