It’s time to move the ransomware conversation past big game hunting


When shoppers at Marks and Spencer started having problems checking out at shops across the United Kingdom over the Easter holiday weekend, they couldn’t have known that this would be the first public indicator of a cyberattack that is expected to cost the department store hundreds of millions of pounds and disrupt operations until at least July. Other UK household name retailers – Co-op and Harrods – have also been victims of recent attacks allegedly linked to a group known as Scattered Spider. This group, thought to be a loose affiliation of English-speaking threat actors based in the UK and United States, specialise in using social engineering to gain access to victim networks. They reportedly used DragonForce, a ransomware-as-a-service variant, in their attacks.  

Media coverage often assumes these incidents represent how most ransomware attacks operate: threat actors set out to deliberately target particular victims or a certain sector, something known in the cybersecurity community as ‘big game hunting’. Big game hunting is an approach to targeting frequently associated with nation state threat actors and advanced persistent threats, as opposed to cybercriminals. As such, Scattered Spider are an exception to the norm. The perception that ransomware, and indeed the majority of cybercrime, is highly targeted obscures policymakers’, the public’s and potential victims’ understanding of the threat, which is instead largely opportunistic and can victimise anyone.

Changing approaches to ransomware victimisation 

How cybercriminals target victims underwent a significant shift in the late 2010s. Threat actors pivoted away from using malware to harvest banking information and steal funds, often from individual consumers, towards ransomware targeting organisations that had the means, and often greater incentives, to pay large cryptocurrency ransoms.

From 2020, when ransomware became the dominant Russian-speaking cybercriminal business model, and especially from 2021, when there were several impactful attacks against US victims, it became common for cyber threat intelligence and cyber security vendors to refer to ransomware groups conducting big game hunting operations. This was partly a legitimate attempt to describe the tactics of more capable threat actors, but also reflects the tendency of the cyber security industry to overemphasise high-profile incidents and underestimate the impacts on small-to-medium-sized businesses. 

In reality, ransomware victimisation is rarely focused on targeting organisations like Marks and Spencer. Through the commoditisation of initial access and exploitation of victims within the cybercrime ecosystem, there has been a broad increase in the size of organisations targeted in ransomware attacks, but the median victim remains a medium-sized business as opposed to a large organisation. 

Specialists, such as initial access brokers, gain access through opportunistic means, take steps to ensure they keep that access to the victim network (known as gaining persistence), and then sell the access to threat actors such as ransomware affiliates. The criminals that gain technical access to a victim are often no longer the same as those who ultimately deliver the malware payload. Ransomware threat actors also operate in an unsaturated market; there are plenty of accesses to victims to exploit, and, with falling payment rates, the cadence of operations rather than the size of victims will ultimately determine profit levels for the majority of cybercriminals.

Initial access brokers determine the price of an access to a victim from basic details, such as the number of endpoints – gleaned via the automated processes used to compromise victims and gain persistence – and basic open-source research. Accesses are sold, almost always as part of a package of numerous accesses, on cybercrime marketplaces or through platforms such as Telegram. Ransomware affiliates purchase targets based on potential profitability, often informed by further simple open-source research into, for example, the victim’s number of employees and financial turnover.

In the majority of ransomware attacks, opportunistically identified targets and purchased accesses are triaged by threat actors, with those that are potentially more financially rewarding prioritised and operationalised above others. This ability to triage a range of potential victims means that ‘big game’ targets may sometimes be preferred – particularly by more capable threat actors – but this is not the dominant model of victimisation in the ransomware ecosystem. Most ransomware affiliates hunt herds of smaller prey instead of individual big game trophies. 

Why does this matter? 

This has three key implications. First, if initial access for ransomware is opportunistic, everyone is a potential victim. Not considering yourself ‘desirable’ to a ransomware threat actor or group offers little to no protection. The cyber security industry and media reporting should move away from language such as big game hunting and do more to communicate that ransomware is opportunistic and victimises organisations of all shapes and sizes.

Second, for network defenders, it means that most ransomware attacks will have been enabled through initial access brokers who have exploited common vulnerabilities in internet-facing infrastructure to compromise a network. As recently advocated by the UK’s National Cyber Security Centre, basic cyber hygiene – for both technical infrastructure and staff – is key to mitigating most initial access tactics.

Third, for government policymakers, it means that any policies – such as partial ransom payment bans – that are predicated on an assumption that ransomware threat actors take a highly targeted approach to choosing victims may be problematic. It is highly unlikely that ransomware threat actors will change their mostly opportunistic targeting approach to obtain detailed information about victims and then decide not to attack a particular victim because they recognise it sits in a sector, such as critical national infrastructure, that is banned from paying. If governments are determined to implement some form of payment ban, full national bans may be more effective, as this type of simple, all-encompassing policy is more likely to filter into threat actors’ initial access and triaging.

The views expressed are the authors’ own and do not represent the official positions of their current or former employers.