Opportunity makes a thief

Ransomware groups don’t choose their victims as carefully as you might think

Anyone who believes ransomware groups meticulously select their targets based on industry, location, or strategic importance is usually mistaken.

Sophos X-Ops’ Counter Threat Unit has investigated the criteria cybercriminals actually use when choosing victims. The finding: in the vast majority of cases, attackers simply exploit whatever entry points are available. If you’re vulnerable, you get attacked.

SMBs hit hardest

The fact that many attacks strike smaller businesses comes as little surprise given this reality. Where IT budgets are tight and dedicated security departments are absent, criminals find vulnerabilities more easily. Even when some groups attempt to specifically target high-paying victims, the majority of documented cases still involve companies with limited resources.

Sophos analysts therefore advise organizations to focus less on tracking individual threat actor groups. More important, they say, is building a broad defensive posture: up-to-date patches, phishing-resistant MFA, EDR solutions, and immutable backups all play a role. These measures work when they are actually implemented. And that, unfortunately, is often where things fall short.

Why banks are rarely affected

One revealing detail from the research concerns financial institutions. Although banks generate high revenues and face costly downtime, they barely appear in the CTU’s statistics. The explanation: strict regulation. Where compliance requirements mandate IT security, standards emerge that everyone must meet. This creates a higher level of protection without putting individual market participants at a disadvantage.

Sector focus? Mostly coincidence

When certain sectors are repeatedly hit by the same group, it usually comes down to vulnerabilities in industry-specific software. Companies within the same sector tend to use similar systems. When a group compromises a widely used service, victims in that segment pile up almost automatically.

Truly targeted campaigns remain rare. The Conti group attacked hospitals during the pandemic, presumably banking on a greater willingness to pay. GOLD VICTOR, known through Vice Society and Rhysida, focuses on healthcare and education. However, Rhysida recently accounted for less than one percent of published victims. The bulk of cases continues to be spread across all industries.

The bottom line

The conclusion from Sophos researchers: spend less time analyzing threat actor profiles, and more time getting the basics right. Opportunistic attackers look for the path of least resistance, and that’s exactly what needs to be blocked.

(lb/Sophos)
