What Triggers a Rise in Targeted Ransomware Attacks?

By Josh Breaker-Rolfe

Ransomware actors have demonstrated an ability to adapt to our evolving defenses. In recent years, they have become increasingly persistent, sophisticated, and, most importantly, opportunistic. Like any effective predator, they select targets with the most favorable risk-to-reward ratio. But what factors do cybercriminals consider when identifying potential prey? What triggers a rise in targeted ransomware attacks? And what can different sectors and organizations do to protect themselves?

Cybersecurity Posture

An organization’s cybersecurity posture is the most apparent factor ransomware actors consider when identifying a potential target. Many ransomware gangs – particularly the most sophisticated – conduct thorough analysis and reconnaissance before launching an attack. Criminals are humans, too, and they seek the easiest way in.

If cybercriminals find that an organization has, for example, legacy technologies without modern security features, unpatched known vulnerabilities, or inadequately trained staff, they are far more likely to target it. Security awareness training is essential for improving cybersecurity posture: the 2024 Verizon Data Breach Report found that 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error. The same report also found that ransomware was involved in about one-third of all data exfiltration incidents.

Financial Capacity and Willingness to Pay

It may sound obvious, but the greater an organization’s financial capacity, the higher the ransom it will be able to pay. High-budget organizations are typically more difficult to attack, but a successful breach could pay off big for attackers. For example, the medical firm Change Healthcare admitted that it paid a $22 million ransom to the criminals who breached it in February 2024.

However, just because an organization has the means to pay a ransom doesn’t necessarily mean it will. There have been several instances in which high-profile ransomware victims refused to pay their attackers, often due to an ideological unwillingness to pay ransoms or because they leveraged their economic heft to restore encrypted systems through other methods, such as sourcing universal decryptors, hiring cybersecurity professionals, or even appealing to government bodies to act on their behalf.

As such, ransomware groups tend to choose victims based on their financial capacity and willingness to pay. If an organization has paid a ransom in the past, for example, it may be likely to pay again. An entire sector may even experience an increase in ransomware attacks after an organization pays a ransom.

Operational Downtime Impact

Operational downtime may also impact an organization or sector’s willingness to pay a ransom. Critical infrastructure organizations, for example, typically cannot tolerate significant operational downtime due to its impact on a country’s ability to function. Similarly, encrypted healthcare systems could result in a loss of life, meaning healthcare organizations are often more likely to pay ransoms and minimize the risk of this occurring.

Industry-Specific Vulnerabilities

Sticking with the theme of sector-wide targeting, some industries have specific vulnerabilities that ransomware actors know they can exploit, so those industries are targeted more often. Examples include, but are not limited to, healthcare organizations (particularly state-funded ones with limited budgets) that frequently use outdated systems and lack comprehensive cybersecurity measures, critical infrastructure entities whose industrial control systems were not designed with cybersecurity in mind, and schools and universities with limited cybersecurity budgets.

Data Sensitivity and Volume

Ransomware actors also typically choose targets that handle large amounts of sensitive data. For example, personal health information (PHI), banking and investment records, and personally identifiable information are often sold on the dark web for considerable sums of money.

Another alarming – although currently hypothetical – example would be the theft of highly classified data. If a ransomware group wanted to extort a large sum of money from a government agency, it might steal and threaten to leak classified information about, for example, the whereabouts of espionage professionals or their families. As this information would endanger human lives, it’s possible that the government agency would be more willing to pay the ransom.

Regulatory Environment

Somewhat counterproductively, high-pressure regulatory environments may contribute to cybercriminals targeting specific organizations or sectors. Regulations like HIPAA, PCI DSS, and GDPR require relevant organizations to resolve security incidents quickly or suffer heavy fines. If the cost of a ransomware payment is lower than the cost of a fine, organizations may choose to pay the ransom.

Conclusion

Hopefully, this information will help you or your organization avoid a ransomware attack. However, if you take one thing away from this article, let it be this: paying a ransom should always be your last resort. By paying ransoms, victims merely fund ransomware groups, increasing the likelihood of being targeted again and putting their entire sector at risk. Be proactive, implement adequate cybersecurity measures, and address vulnerabilities promptly, and you should be safe.

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
