Part 2: Target selection

In part 1 of this series, we spoke of targeted ransomware attacks and covered what they are.

There are a lot of attacks making headlines as of late, yet there does not seem to be one particular type of victim.

The answer to the question ‘Am I next is simple?’ is quite simple: Maybe. Could be. Why not?

One big misconception amongst the public is that cybercriminals will only target big fish: large organizations with deep pockets who won’t bat an eyelash when being asked for millions in ransom.

In reality, cybercriminals target anything from local small businesses to large corporations, to utilities, medical and government organizations.

How likely am I to be targeted?

In a Q&A published earlier this year, we addressed the following question:
We’re not a financial institution. Why would cybercriminals target us for a ransomware attack? Why would cybercriminals go for the little guy?

There is no “Robin Hood” angle here: cybercriminals play to win. An attack should not be taken personal, as attackers don’t have much interest in who you are.

Cybercriminals will attack if they feel their potential for success is high enough. They have little regard for the impact of their actions. The higher the stakes, the higher probability that organizations will comply with their ransom demands.

As mentioned in part 1, before a payload is deployed, attackers have been in their victims’ system for a considerable amount of time. During this time, they learn everything they can about the organization, identify the valuable data, and assess the security controls used, often disabling endpoint protection tools, and deleting backups.

The ransom amount requested from victims will usually be an amount attackers know the organization is able to pay.

The other component that answers the question “Why us” is found in an organization’s security posture. 

Criminals choose targets based on their apparent weaknesses.

Financial institutions have sizeable resources and a robust security infrastructure, turning SMBs into prized targets for hacker groups, who are now mainly criminal organizations.

If you are playing to win, you would naturally opt for attacks on victims who are unable to defend themselves or whose defenses can be easily bypassed.

Cybercriminals are primarily there to get paid, they are not looking for recognition.

Targets are also chosen by their position on the market/industry

I mean this in the sense that certain organizations being “out of service” is simply “not an option”, therefore they will want the incident to be resolved in as little time as possible. An example of this would be the Colonial Pipeline attack earlier this year. Three days after the attack, President Joe Biden declared a state of emergency on May 9th, 2021 and Colonial Pipeline paid a ransom of 4.4M USD (75 Bitcoin at the time).

The pipeline provides nearly half of the East Coast’s fuel supply, and a prolonged shutdown would have caused price increases and shortages to ripple across the industry.

On May 12th, 6 days after the attack, the pipeline was restarted and by May 15th, all Colonial Pipeline systems and operations had returned to normal.

This did not happen, however, without the national cost of fuel rising to the highest it’s been in over 6 years.

DarkSide, who is suspected of the attack, stated:

“Our goal is to make money, and not creating problems for society”