Who is a target for ransomware?

It seems almost everyone.

01 intro

Target on you

According to the Institute for Critical Infrastructure Technology, ransomware campaigns only care about the payout rather than the individual target. Ransomware, whether purchased or developed, is relatively cheap and delivery is virtually free.

A small team can easily infect and ransom millions of systems. The attackers only need a few users per million of targets to pay the ransom for the campaign to be successful. The targets of ransomware change according to victim awareness and willingness to pay. Some adversaries may even widen their delivery vector to encompass multiple demographics to account for market shifts. Here’s a look at their targets.

02 average

The average user

In cybersecurity, people are considered the weakest link. They are also both the most abundant resource and the most susceptible target. Users who are easily pressured or who are not fluent in technical solutions to ransomware are the most viable targets.

Individual users are targeted because in the digital era, much of our knowledge, work, and personally valuable objects (photos, music, etc.) are stored on whatever Internet-enabled device we rely on.

03 business


Businesses large and small rely on their systems and the information contained within to conduct their day-to-day operations. Very small businesses might be able to process transactions without access to their POS system, but Starbucks certainly cannot. Businesses are the prime targets of ransomware because their systems are the most likely to house valuable databases, containing sensitive data, important documents, and other information; meanwhile, their systems are the least likely to be adequately secured. For many organizations, system downtime equates to loss of income and reputation. They are the most likely to pay the ransom in order to resume operations.

04 law

Law enforcement and government agencies

Law enforcement and federal agencies are often targeted with malware attacks in response to their efforts to investigate and apprehend cyber criminals. While large organizations such as the FBI, DHS, and other federal agencies have resources which increase their resiliency, smaller organizations, such as police stations and state/local government offices, have been the victims of ransomware attacks in recent years.

Typically, such as the February 2016 ransomware attacks against the city of Durham, N.C. police, the authorities ignored the demand, and reverted their system to a recent backup. On Feb. 25, 2016 the systems belonging to the Melrose Police Department of Massachusetts were infected with ransomware from a malicious email. The malware encrypted a software tool called TriTech, which police officers use for computer aided dispatch and as a record management system during patrol. The program also enables law enforcement officers to log incident reports. The department paid the 1 Bitcoin ransom.

05 emt

Emergency services

DHS and the Multi-State Information Sharing and Analysis Center warn that cyberattacks against law enforcement, fire departments, and other emergency services are increasing. Targets such as these, for whom lost access to systems could cost lives, are juicy targets for ransomware threat actors.

06 hospital

Healthcare organizations

Around Feb. 5, 2016, systems belonging to the Hollywood Presbyterian Hospital Medical Center was infected with the Locky ransomware. After 10 days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center.

07 education

Educational Institutions

Ransomware threat actors may target administrative systems at lower and higher education institutions. General education systems are more likely to be disrupted by a ransomware attack; though, colleges and universities are more likely to have funds sufficient to pay a sizable ransom.

In February 2016, at least two primary school districts were targeted with crypto ransomware. Horry County school district in South Carolina paid $8,500 to decrypt their 25 servers after an FBI investigation yielded no alternative action.

08 religious

Religious organizations

Religious organizations’ networks are often infected with malware because their personnel are not trained to ignore phishing emails and they are unaware of cyberthreats. In late February 2016, two churches were targeted with ransomware attacks: the Community of Christ Church in Hillsboro Oregon and St.Paul’s Lutheran Church in Sioux City, Iowa. The former was infected with the Locky variant of crypto ransomware. The Community of Christ Church paid $570 to free their system.

Information about the latter incident is more scarce, except that the church declined to pay the ransom.

09 financial

Financial institutions

The banking and finance sector is the frequent target of botnet schemes such as the Dyre, Dridex, and Ramnit botnets. The Locky ransomware is believed to have been developed or deployed by the Dridex group.

On Feb. 17, 2016, attackers behind the TeslaCrypt ransomware issued spam emails masquerading as Visa Total Rewards emails. A malicious attachment, claiming to be a white paper containing more information about rewards and benefits, was used to deploy a JavaScript downloader that delivered the TeslaCrypt malware onto victim hosts. Ransoms of 1.2 Bitcoins within 160 hours were demanded of victims.

Copyright © 2016 IDG Communications, Inc.