CHAPTER 3
Ransomware Attack Patterns and Trends
In recent years, ransomware groups have refined their tactics to maximize efficiency, evade law enforcement, and increase their chances of securing ransoms.
This shift in both tactics and target criteria has made ransomware attacks more frequent, unpredictable, and strategically devastating, creating new challenges for industries, especially healthcare.
Shift from Negotiation to One-Time Demands
As newer ransomware groups with limited resources emerge, ransom demands have evolved from prolonged negotiation processes to more direct, one-time ransom mandates. Negotiations allowed victims some leeway to reduce the ransom amount or buy time to assess the situation. Now, this has become less common as a harsher, more transactional model of ransomware has emerged, where victims are given little time to respond and few options for reducing their financial burden.
From Code of Conduct to Open Season
BEFORE
Established ransomware groups once operated with a twisted “code of conduct,” sparing certain industries from attacks, including healthcare since its services are critical and any disruption could risk lives. If an affiliate inadvertently attacked a healthcare organization, the core ransomware group would often step in, apologizing to the victim and even deploying the decryptor for free.
TODAY
Today’s ransomware groups target sectors based on ease of access and ransom potential, often disregarding traditional ethical considerations. As a result, sectors like healthcare, education, and local government have become prime targets. These industries often have critical operational continuity needs, limited cybersecurity resources, and a high urgency to restore services, which can compel victims to pay quickly.
How Ransomware Groups Select Targets
While there may appear to be randomness in ransomware attacks, the reality is that most larger attacks are highly targeted. Ransomware groups use a calculated approach to identify targets:
Technical Vulnerability
Scanning for weak points, such as unpatched systems.
Industry Profile
Focusing on sectors with high-stakes, vulnerable data.
Likelihood to Pay
Targeting organizations with a history of paying ransoms or with urgent operational needs.
How Gangs Pick Their Targets
Other factors include geographic area, industry, and revenue profile.
For example, the United States is the #1 geographic target. Large enterprises (with revenue over $100 million) and small to mid-sized businesses (with revenues below $20 million) are both common targets, indicating a preference for organizations that can pay substantial ransoms without necessarily drawing intense law enforcement attention.
Number of Ransomware Victims
2024
Annual Revenue Distribution of Ransomware Victims
