Who is a target for ransomware attacks?

The short answer to the question posed in the headline is 'everyone': Every small business, midsized company, enterprise, and organization is fair game, especially in light of the recent WannaCry and Petya attacks (though the latter was an atypical ransomware example).

The long answer is more complicated. Your vulnerability to a ransomware attack can depend upon how attractive your data is to criminal hackers, how critical it is that you respond quickly to a ransom demand, how vulnerable your security is, and how vigorously you keep employees trained about phishing emails, among other factors.

“There are a wide variety of ransomware types, but one thing is certain,” says Morey Haber, vice president of technology for BeyondTrust, which offers a privileged access management platform. “No vertical, government, or organization is immune to its effects. Unfortunately, some are more susceptible to successful attacks, based on the type of technologies they deploy, their age, cost for replacement, identity governance and privilege maturity, and overall cyber security hygiene implementations regulated by government or third-party compliance initiatives.”

With some security experts decrying ransomware as “the epidemic of our time,” it’s never been more important to protect your organization. Here’s a look at who the usual ransomware targets are today and are likely to be in the near future, why they’re targets, and best practices for protecting your data.

Who are today’s top ransomware targets?


Academic organizations, especially colleges and universities, have been among the top ransomware targets. In fact, a fall 2016 ransomware study from BitSight Insights placed educational institutions as the no. 1 target, with at least one in 10 experiencing a ransomware attack.

Smaller IT teams, budgetary constraints, and a high rate of network file sharing are among the reasons educational organizations are so vulnerable, according to the BitSight Insights report. Plus, “with access to social security numbers, medical records, intellectual property, research, and financial data of faculty, staff, and students, these institutions are a prime target for cyberattacks,” the report noted.

University College London is a recent example. In June 2017, a “major” ransomware attack brought down its shared drives and student management system, The Guardian reported.


Government agencies are another prime target, ranking no. 2 on BitSight Insights’ list. The occurrence of ransomware in this sector more than tripled from fall 2015 to fall 2016, according to BitSight Insights.

A recent example occurred in September 2016, when a new ransomware threat, Marsjoke, targeted state and local government agencies, according to Kaspersky Lab’s Threat Post blog.

Some government agencies may be targeted because the services they offer, such as police protection, are time-sensitive and crucial, notes Alexander Volynkin, senior research scientist, CERT Division, for Carnegie Mellon University’s Software Engineering Institute. Because such agencies often need to respond quickly, they have a greater sense of urgency in recovering their data and thus may be more willing to pay the ransom under duress.

In the past year, there have been numerous examples of police department ransomware attacks. One such case involved a Texas police department, where a ransomware attack caused the department to lose eight years of data—including body camera video and some in-house surveillance video.

Healthcare, energy/utilities, retail, finance

Healthcare organizations ranked no. 3 on BitSight Insight’s top list of ransomware targets. “Hospitals, in particular, may pay the ransom because their patient data is critical in life-or-death situations,” the report noted. One such example was the Hollywood Presbyterian Medical Center, which paid a $17,000 ransom in 2016 to hackers who had locked some of the hospital’s critical data.

The sectors rounding out the BitSight Insights list include, in descending order, energy and utilities (no. 4); retail (no. 5); and finance (no. 6).

HR departments

We’re also seeing more ransomware attacks targeting enterprise human resource departments, Volynkin adds. Criminal hackers pose as job applicants, hoping that HR professionals will open emails and attachments from unknown senders—which will then spread the ransomware.

Mobile devices and Macs

Ransomware isn’t just a PC threat. A Kaspersky Lab Malware Report released in May 2017 found that 218,625 mobile ransomware files were detected in the first quarter of 2017 vs. 61,832 in the previous quarter, as Newsweek reported.

Ransomware doesn’t exclusively target Windows computers, either. Security firm Fortinet recently discovered a ransomware-as-a-service targeting Macs.

Emerging ransomware targets and threats

At a high level, any organization that has critical data, and where team members need to make quick decisions, will remain prime ransomware targets, Volynkin says.

The sensitivity of an enterprise’s data will also be a factor. For example, along with the sectors cited in the BitSight Insights report, you can expect to see law firms among targeted businesses in the near future, Volynkin adds. Legal firms “have client data that’s highly sensitive,” he notes, and typically have the resources to pay a ransom.

The next phase of ransomware, Volynkin notes, will not be just about holding data hostage; it will be about threating to publish data online if the enterprise that owns it doesn’t pay the ransom, he explains. In that scenario, law firms—and many other types of organizations—are attractive targets.

“If someone breaks into a law firm’s system, steals their sensitive client data and threatens to post it online, that law firm will have hard decisions to make,” Volynkin says.

Criminal hackers might block your ability to access your data, then put the data up for sale online to the highest bidder, adds Shaun Murphy, founder of message and file security firm Sndr. Celebrities could be subject to such tactics, as well as organizations with sensitive data and lots of competitors—some of which might be willing to pay to get access to your data.

How to minimize the ransomware threat

As much as possible, keep current database backups stored on air-gapped storage, where the backed-up data resides on a device with no network connection, Volynkin recommends.

Phishing emails continue to be one of the most common ransomware “attack vectors,” Volynkin notes. As a result, it’s important to keep email filtering rules updated at all times and to provide ongoing employee education. Teach team members how to identify suspicious email and links.

Be cautious about admin credentials, too. “Eventually someone will click on a link in a phishing email and (the malware) will make it into your system,” Volynkin says. “If the person (clicking the link) has wide open access to your network, like admin credentials, the ransomware will have an easier time accessing important files.”

As always, use layered security with regular security software patches, vulnerability management, system hardening, and always-updated endpoint protection suites, adds Avivah Litan, a VP Distinguished Analyst at Gartner focused on cyber security.

Be clear on the security measures and technologies in place at any cloud services your organization uses, suggests Murphy. “Every day we hear about some massive security breach, and there are many more you don’t hear about,” he says. “If you or your business puts everything in the cloud, you might feel safe from a local attack like ransomware. But think again. What’s protecting your company’s data on these services? Is it a user name and password or something more? What about the employees at these cloud companies, since they have physical access to the servers? What could they do to your data?”

In the event of a ransomware attack, having strong security and well-protected backups can help you avoid the worst-case scenarios—paying the ransom, which only encourages more ransomware attacks, or losing big chunks of data.

This story, "Who is a target for ransomware attacks?" was originally published by CSO.