Who Are the Main Targets of Ransomware Attacks?

August 10, 2021 | 4 minute read

In our ransomware report, titled Ransomware: The True Cost to Business, 81% of respondents indicated that they are highly or very concerned about the risk of ransomware attacks. That’s not a surprise given the growing ransomware threat.

A new attack now occurs every 11 seconds, with ransomware’s projected losses expected to reach $20 billion by the end of 2021—an increase of 225% from the year prior, according to the FBI’s Internet Crime Complaint Center (IC3).

Different Shades of Ransomware

Ransomware is a threat category, meaning that not all attacks are created the same. Not every ransomware incident involves encryption, for instance. Some variants use locking techniques to prevent victims from accessing a device until they pay a ransom. Others leverage encryption to render victims’ files inaccessible unless they pay for a decryption key.

There are also the differences that divide opportunistic and targeted ransomware attacks. There are enough do-it-yourself ransomware kits on the dark web for script kiddies to distribute ransomware using “spray and pray” tactics. The idea here is to send out as many enticements to malicious crypto-malware payloads as possible so that these opportunistic attackers can make a profit.

These actors are not customizing their attacks for any specific target. They’re playing the numbers and banking on the hope that at least some organizations are negligent in their backup and recovery hygiene and that their threat detection strategy consists only of traditional anti-virus solutions that struggle to defend against ransomware attacks effectively

It’s a different story with targeted ransomware attacks, or RansomOps attacks as we refer to them, however. These campaigns aren’t carried out by technically low-skilled individuals. These attackers have the technical acumen to conduct more sophisticated operations that include a good deal of reconnaissance on the target so they can customize their attack sequences, resulting in more effective and potentially devastating outcomes.

A broad pool of potential victims isn’t the aim of targeted RansomOps attacks. The goal is to choose a specific target - usually one that is in a sensitive industry like critical infrastructure providers, as well as selecting targets based on their ability to pay an incredibly large ransom demand. The attackers use more advanced tactics like privilege escalation and lateral movement on the network - much like an APT group would - to get what they want from their victim.

Industries Most Commonly Targeted by RansomOps

In recent years, targeted RansomOps attacks have focused on some industries over others. Take the education sector as an example. As reported by CBS News, schools are now one of the most popular targets of ransomware attacks. That’s because many educational organizations’ faculty, staff, and students lack training on spotting phishing emails, malicious URLs and other common digital threats. Many of these organizations rely on public funding that varies from year to year, a reality which makes investment in good security measures difficult to maintain from year to year.

There’s also the industrial sector. In a report covered by ZDNet, for example, security researchers found that almost every industry dealt with ransomware attacks over the course of 2020. Even so, the industrial goods and services sector suffered the greatest proportion of crypto-malware incidents, accounting for nearly a third (29%) of ransomware attacks that year.

This finding reflects the extent to which industrial organizations are dependent on the continuous availability of their physical processes. A disruption of these entities’ production processes could undermine national security and/or threaten public safety. Ransomware attackers understand this point, and they interpret it as an obligation among industrial victims to pay any ransomware demand as soon as possible so that they can restore normal operations.

The same could be said about healthcare. Organizations in this sector need access to patient data so that they can deliver life-saving treatments as well as other medical attention. Thus, they are under greater pressure to pay a ransom demand. Some ransomware groups have capitalized on this position of healthcare organizations in the past, but as noted by TechRepublic, other ransomware gangs have pledged to not attack healthcare targets.

Ransomware’s Variable Effect on Targeted Industries

What’s interesting is that ransomware attacks tend to affect these and other industries differently. When asked in our survey whether organizations had experienced revenue loss following a ransomware attack, 64% of healthcare organizations answered in the affirmative. That’s in contrast to about half of organizations reporting the revenue loss in other sectors like legal and manufacturing.

Then there’s the proportion of ransomware victims reporting job losses. Half of legal organizations noted that they had suffered those consequences, while the same was true for just 29% of manufacturing and 24% of healthcare entities.

Defending Against Ransomware Attacks

One thing’s for certain across all those industries, however: organizations need to focus on defending themselves against a ransomware attack. One of the ways they can do that is by investing in a multi-layer anti-ransomware solution that uses behavioral-based detection to visualize and disrupt the RansomOps attack chain.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response, which includes:

  • Anti-Ransomware Prevention and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
  • Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team