Criteria being considered by ransomware gangs in attacking companies

September 13, 2021
Many ransomware groups have been buying more access to potential victims’ networks through dark web marketplaces and from other threat groups. The “want ads” these gangs post have reportedly been analyzed to learn more about the companies that ransomware groups target when executing attacks.

To deploy their ransomware, threat actors must first gain access to a company’s network. Since these attacks have proven to be massively profitable, they have considered buying initial access to targets from initial access brokers (IABs) instead of breaching their targets themselves.

IABs are themselves threat groups that breach victims’ networks in several ways, such as brute-forcing passwords or phishing scams. They then sell the access they have obtained on dark web marketplaces to interested fellow cybercriminals. Some researchers have compiled the criteria that threat actors look for when targeting and attacking large enterprises.

Researchers analyzed at least 48 forum posts, published in July of this year, in which attackers were looking to buy access to any network.


As identified through the research, about 40% of these advertisements are published by groups affiliated with ransomware gangs.


The “want ads” list all of the requirements that a ransomware gang specifically looks for in a company, such as its country of origin, industry, and more.

Researchers have identified the company characteristics, or criteria, that the threat groups look for when purchasing access:

  • Geography. Most ransomware groups look for their targets in Canada, Australia, Europe, and the USA. The attackers prefer the wealthiest corporations, which are most likely to be located in the most developed countries, such as America.
  • Revenue. According to the research, the average minimum revenue that threat groups look for is at least $100 million. This figure, however, can vary depending on where the target victim is located.
  • Blacklist of sectors. Most gangs are not picky about the industry of a company they attack. Nonetheless, these ransomware gangs have become more particular about the sectors they target after the Colonial Pipeline, JBS, and Metropolitan Police Department incidents. Being particular can help them evade unwanted attention from the authorities.
  • Blacklist of countries. Companies located in the Commonwealth of Independent States (CIS) are also most likely to be avoided by ransomware gangs. The gangs believe that the local authorities will not pursue them if they avoid those countries and territories. These countries include Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, and Uzbekistan.


Safety, nonetheless, is not assured for companies that do not meet the criteria in the list above. There is still a chance that any company could experience a cyberattack from these threat actors.

