The ransomware landscape is changing. Gone are the days of ad hoc ransomware attacks on seemingly random victims. Today, ransomware groups are more organized and more focused, and they’re conducting careful research on targets ahead of an attack. 

For security leaders, this means that the threat of ransomware might be greater for your company than just a few years ago — especially if you fall into one (or several) of the vulnerable categories that we’ve identified in our report, the State of Ransomware 2024: A Year of Surges and Shuffling.

Read on to learn more about the common geographic, industry, revenue, and other indicators we’ve identified as ransomware risk factors in our report.

Risk Factor 1: You’re Based in the United States

While ransomware attacks are a global phenomenon unconstrained by national borders, our analysis shows that ransomware groups have a clear preference for targeting companies in economically developed nations with prosperous economies. 

Of the nearly 5,000 ransomware attacks reported over 12 months, 47% of victimized companies were located in the United States. The United Kingdom, Canada, Germany, and Italy round out the top five most targeted countries and validate the idea that attackers are looking to maximize profits by targeting nations where the potential return for ransom demands is higher.

Risk Factor 2: Your Industry Has Dense Data and Tight Regulations

When we analyzed reported ransomware attacks by industry, we found two trends: First, ransomware groups primarily targeted industries that would experience significant operational disruption. For example, manufacturing saw 1,016 victims, while the professional, technical, and scientific services sector had 885 victims, and finance had 266 victims. In other words, ransomware groups seem to target knowledge-driven domains and those that are vital to national economies.  

We also noticed a worrying trend around the type of organization that groups target. For years, ransomware groups followed an unwritten code: Do not target organizations that offer critical human services. Unfortunately, this is no longer the case. Healthcare organizations saw a stark rise in attacks, racking up 303 reported attacks. While hospitals are frequently spotlighted as prime targets, doctor’s offices and small clinics also comprise a significant portion of the victims. These smaller practices, often lacking the robust cybersecurity defenses of larger hospitals, present a soft target for ransomware groups.

Risk Factor 3: Your Revenue Is Appealing but Not Intimidating

With profits being the main motive for most ransomware attacks, you might think that ransomware groups would hone in on companies with the biggest bank accounts. However, our analysis shows that this assumption is incorrect. In fact, we found that a significant 31% of ransomware victims were organizations with less than $20 million in annual revenue, while companies exceeding $1 billion in annual revenue only accounted for 8.5% of victims. 

Why? For ransomware groups, it’s a balancing act. This indicates a tactical preference within the ransomware community to target more modestly sized companies with enough liquidity to meet ransom demands but that aren’t prominent enough to consistently trigger aggressive law enforcement pursuits. Plus, these small to midsize businesses often live within the supply chain of larger enterprises, meaning that the threat of supply chain disruption is often enough to help ensure ransom payments. 

Risk Factor 4: You Have Vulnerabilities, Leaked Credentials, Open Access Points, or Other Specific Indicators

Factors such as geographical location, industry, and financial standing offer broad strokes for where ransomware groups are likely to strike. However, our research shows there are also more discrete indicators that elevate your risk of becoming a ransomware target. These include the following:

  • Exploitable Vulnerabilities: Almost half of the victims had a critical vulnerability that was discoverable using OSINT techniques. 
  • Leaked Credentials: More than 3,050 victims had at least one credential leaked in the 90 days prior to the attack. We also observed critical information exposed in Stealer Logs for 907 victims. 
  • Misconfiguration on MX Servers: More than 75% of the victims had a misconfiguration, such as missing SPF or DMARC records, before the ransomware attack was executed.
  • Open Access Points: RDP/SMB ports were left unprotected in 2,299 cases. The data showcases the prevalence of each indicator among past victims.

Discover Your Ransomware Risk with Black Kite’s Ransomware Susceptibility Index® (RSI™)

Ransomware organizations might be getting smarter, but so are security teams and tools. To stay one step ahead, consider your ransomware risk factors when developing your cybersecurity strategy. 

You can also use Black Kite’s Ransomware Susceptibility Index® (RSI™) to discover the likelihood that your organization will experience a ransomware attack. RSI combines OSINT data with machine learning to give you a better understanding of which of your vendors are most prone to ransomware, help you develop an effective course of action for remediation, and proactively avoid attacks. 

Learn more about our RSI tool or get your free RSI rating today.

Get prepared and stay ahead of ransomware criminals. Check out the State of Ransomware Report 2024: A Year of Surges and Shuffling