Instead of going to the trouble of breaching a target network, ransomware operators usually purchase access from third parties (called initial access brokers) on the dark web. New research has shown these groups don’t simply buy up whatever is available, but are only willing to pay for access to specific companies.
Researchers from cybersecurity intelligence company KELA recently visited the dark web and analyzed 48 forum posts from July. They managed to identify a few key criteria that access brokers need to meet if they are to sell to ransomware operators.
First and foremost, ransomware gangs are most interested in companies in the West – they prefer purchasing access to victims in the USA, Canada, Australia or Europe. Then there’s the question of revenue; gangs are looking for companies that generate $100 million a year in revenue, on average.
Most ransomware groups don’t want access to healthcare or education institutions, be it for their own ethical reasons, or because some of these companies simply don’t have the money to pay the ransom. Neither are they too keen on infecting government agencies and non-profits.
Finally, there is a set of “blacklisted” countries, which most operators tend to avoid – Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan and Uzbekistan.
For access to companies that meet these criteria, ransomware operators are willing to pay anywhere between $3,000 and $100,000. Failing to meet these criteria, KELA concludes, doesn’t mean you are safe from ransomware, but the chances are somewhat diminished.