Ransomware Attacks Shift to Mid-Sized Targets


The latest Coveware research has been posted with some startling trends in ransomware attacks for the third quarter of 2021. There were numerous takeaways collected from the data and many of them paint a dangerous picture of things to come. As the government begins a serious crackdown on attacks against large corporations, the focus of attackers has shifted to smaller and mid-sized targets. The government’s reaction has been attributed to the massive Colonial Pipeline ransomware attack.

The focus towards smaller targets can be seen in the median ransomware payment of $71,674, which is a 52.2% increase since the second quarter of this year. The average ransomware payment of $139,739 is essentially unchanged. This is attributed to a smaller number of larger ransomware payments, but a larger number of small payments. The average recovery time from an attack was 22 days.

The shift can also be seen in the distribution of company sizes based on the number of employees. Companies under 1,000 employees accounted for 83.7% of all ransomware attacks:

  • 1 to 10 employees – 5.4%
  • 11 to 100 employees – 34.7%
  • 101 to 1,000 – 43.6%

Ransomware attacks are primarily attributed to two main factors: phishing and the Remote Desktop Protocol (RDP). RDP vulnerabilities are generally caused by weak passwords on desktop machines and weak firewall rules that allow open ports and brute force attacks to take place. Phishing attacks are the most common for smaller organizations.

The top three categories targeted by ransomware attacks are health care, professional services, and public sector industries. These three industries account for 51.2% of all attacks with the remainder spread amongst 14 different sectors. The largest of these is professional services, with 23.6% of total attacks. Professional services firms makeup only 14% of businesses in the United States but account for nearly one-quarter of all ransomware attacks. Professional services businesses such as legal, financial advice, and insurance agencies are targeted because they typically do not have an IT staff, fail to recognize and understand the threat, and do not invest in security products and services that could help prevent an attack.

Attacks against these types of businesses are motivated by money, not just from the initial ransomware attack, but the threat of releasing sensitive data – especially customer data if additional payments are not made. These payments can even be demanded by third-party attackers, who may have obtained the data from the original attacker. Even though an attacker may say that they have destroyed the data, remember that you’re dealing with a criminal element where honesty and trustworthiness are not their best attributes.

While major media, telecommunication, and utility companies make the headlines when an attack happens, smaller companies typically do not make the news. Ransomware attacks are far more common than most businesses and organizations realize. Failing to acknowledge the threat does not eliminate the problem. As the data shows, the shift towards attacks on smaller businesses is a real threat and must be taken seriously.