Could You Be a Ransomware Target? Here’s What Attackers Look For

Ransomware is one of the fastest-growing and most destructive cyber threats today.

Cybersecurity researchers largely agree that ransomware growth has been astronomical; the only question is by how much. A recent Positive Technologies report found that 69% of all malware attacks now involve ransomware, and with the sums involved, it’s easy to see why malicious actors would eschew less lucrative cyber attack methods.

Given how high profile ransomware attacks have become, you may be wondering if you, too, could become a target. There are some risk factors that make some companies more likely to be targeted by cyber criminals, and we’ll get to those in a moment, but first, it’s worth noting that ransomware defense is largely within your control.

You still need to do the basics right, like employee cybersecurity training and patching; those two areas alone could greatly reduce risk. Then you want to add extra protection around your most critical data, in the form of zero trust access tools and high-integrity data backups. If you’ve done all that, congratulations – and then consider lining up a ransomware recovery service just in case, because ransomware attacks are every bit the business-damaging nightmare they appear to be.

Attacks over the past two years have affected many businesses across all sizes, locations, and industries. Still, some trends have emerged, revealing what factors ransomware groups look for when deciding on a target – and what attack vectors and vulnerabilities they exploit. Knowing these can help you understand if you are at a higher risk than others, requiring further security measures.

Here are seven things today’s ransomware attackers look for in a target, along with a look at some commonly targeted vulnerabilities.

1. Valuable Data

The most important factor to ransomware attackers is the value of an organization’s data. If threat actors can steal or encrypt highly sensitive information, their victims may be more willing to pay a higher ransom. Even if they don’t receive a ransom, more sensitive data will fetch a higher price from Dark Web buyers.

You can see this preference in the types of organizations ransomware attacks have targeted recently. Professional services, health care, and education were the most popular targets for ransomware in 2020, with attacks against health care rising 75% in October alone according to Kroll. These industries all deal with sensitive data, like financial information or personal identifiers, making them ideal targets.

Some ransomware groups have pledged not to attack health care or educational organizations, but trends tell a different story. In the end, those with the most to lose make the most enticing targets.

2. Lack of Security Infrastructure

Unsurprisingly, ransomware attackers also prefer targets that lack sufficient cybersecurity measures. Small and medium-sized businesses account for half or more of ransomware attacks. These companies are less likely to have as extensive security as larger corporations, making them easier targets.

This trend may grow as ransomware-as-a-service (RaaS) expands its popularity. A growing number of ransomware groups have started franchising their tools, letting virtually anyone perform ransomware attacks for a fee. Growing RaaS use means more novice cybercriminals could engage in these attacks, and these newer attackers will likely prefer easier targets.

Companies in industries that are new to cybersecurity, like manufacturing or logistics, may fall victim to this trend. Ransomware attackers may prefer these organizations, as they’re less likely to have sufficient infrastructure to stop them.

A recent Twitter thread looked at the most common vulnerabilities exploited by ransomware groups – and found that vulnerabilities in 18 products were the most targeted (image below). As many of these are well known vulnerabilities, the issue of patching remains a major concern.

ransomware vulnerabilities
Top Ransomware Vulnerabilities

3. Money for a Ransom

Cybercriminals also typically look for targets that can pay a larger ransom. That’s why the entertainment industry, which frequently deals in multi-million-dollar projects, experienced the second-highest number of cyberattacks in 2019, according to Verizon’s 2019 Data Breach and Investigation Report. A successful ransomware attack on wealthier companies may result in a more substantial payday for the attackers, drawing their attention.

At first, this figure may seem to counter the trend of attackers targeting small and medium businesses. However, even a medium-sized business can offer a significant amount of money to an individual or small group. It’s also important to note that while SMBs are the most common targets, that doesn’t necessarily mean new businesses are.

If your business earns at least a few million dollars in annual revenue, you could be a target. Generally speaking, the more profitable your business is, the more enticing a target you are.

Further reading on ransomware protection and recovery:

4. Potential for Damage

Financial motivations are not the only driving force behind ransomware attacks. Some cybercriminals seek to cause as much destruction as possible, especially in state-sponsored cyberattacks. Whether it’s to make a statement or for a feeling of power, some ransomware attackers look for targets with the highest potential for damage.

Supply chain companies are some of the most at-risk organizations. Take the SolarWinds attack, for example, which affected scores of customers by targeting a single system, or the Kaseya attack, which put thousands of the company’s clients at risk. If you have information belonging to multiple clients or connect to many other businesses’ software, you may be an ideal target.

Software-as-a-service (SaaS) vendors are thus in some ways ideal. If you offer IT services to multiple other companies, a ransomware attack on you could cause widespread damage. That potential could attract attackers.

And critical infrastructure will remain an enticing attack for those seeking to do damage. Colonial Pipeline showed just how effective such attacks can be.

Further reading: Best Third-Party Risk Management (TPRM) Tools of 2021

5. Remote Workers

Amid the COVID-19 pandemic, many businesses embraced remote work. Data shows that these same companies may be at increased risk of a ransomware attack. The software you use to collaborate with remote employees may have vulnerabilities that ransomware attackers seek to take advantage of.

Cybercriminals leveraged RDP vulnerabilities in 47% of all ransomware attacks in one study

Remote desktop protocol (RDP), which remote workers may use more heavily than others, is a favorite of ransomware groups. Cybercriminals leveraged RDP vulnerabilities in 47% of all ransomware attacks in one study, more than any other category.

Virtual private networks (VPNs) are another common target. While these tools can protect you by encrypting your internet traffic, unpatched vulnerabilities or outdated versions can turn them into entry points for cybercriminals. If your business uses these or similar remote collaboration tools, you could be at risk.

Zero trust is one way to secure home-based and remote workers. And enterprise firewall vendors Fortinet and Palo Alto Networks unveiled secure routers last week aimed at home and small office workers.

6. Sociopolitical Motivations

The vast majority of cyberattacks are financially motivated, but not all. As these attacks have gained more prominence in the news, more groups have started using cybercrime to make a statement. As this trend grows, government agencies, critical infrastructure, and organizations with controversial sociopolitical ties may become more frequent victims.

Security professionals have noted a new wave of hacktivism, or hacking to make a political point, has emerged recently. Any business that finds itself caught up in controversy could also become the victim of a ransomware attack.

While you can’t always predict the public’s reaction to your choices, some industries are more likely to experience these attacks than others. Those with close government ties are the most obvious target, and companies involved heavily in security or the environment may also be at risk.

7. Geographic Location

Interestingly, recent research shows that ransomware attacks are often concentrated in specific geographic areas. In active Dark Web ransomware threads in July 2021, KELA researchers found that more than 40% of threat actors mentioned the U.S. as their desired location of victims. Canada and Australia followed, both around 37%.

This geographic concentration is likely due to the concentration of wealthier or more prominent companies. Political motivations could also play a role. Specific locations like states or cities may follow similar lines, with the largest and wealthiest areas seeing more attacks.

If your company is based in these areas, you may be at higher risk of ransomware than others. This factor is likely less influential than data value and security infrastructure, but it’s worth noting regardless.

Understand Ransomware Attackers’ Motivations

Cybercriminals don’t act randomly. Ransomware attacks follow specific motivations, and when you understand these drivers, you can know what level of risk you face.

Regardless of how at-risk you are, protecting against ransomware is critical. However, if you fall into any of these categories, you may want to consider more extensive anti-ransomware measures.

Devin Partida
Devin Partida
Devin Partida is a technology and cybersecurity writer whose work has been featured on Entrepreneur, AOL, AT&T's cybersecurity blog and Yahoo! Finance. She is also the Editor-in-Chief of the tech website

Top Products

Related articles