Mid-sized businesses are now the main target of ransomware gangs, with hackers seeking to avoid the public scrutiny that comes with going after high-profile public services or well-known brands.
The National Cyber Security Centre (NCSC), alongside its US and Australian counterparts, said criminals are no longer engaging in the sort of "big-game hunting" that have resulted in world-wide press coverage in recent years, as outlined in a joint advisory published on Wednesday.
The FBI have observed that attacks on Colonial Pipeline, JBS Foods, and Kaseya in 2021 in particular, led to a noticeable shift in behaviour.
“Big-game” attacks had also been observed in Australia and the UK over the course of the year, with the NCSC describing the top victims of 2021 as “businesses, charities, the legal profession, and public services in the Education, Local Government, and Health Sectors”.
However, hackers are now opting to target mid-sized organisations in an effort to reduce public – and often international – scrutiny, the report found. It comes after a recent Mitre-Harris Poll survey found that almost nine in ten Americans believe that a ransomware attack should be treated as an act of terrorism, which could potentially lead to increased chances of the involvement of law enforcement.
Using cyber criminal services-for-hire has become a popular tactic among hackers, alongside phishing emails and the exploitation of remote desktop protocols (RDP) as well as software vulnerabilities.
The agencies are urging organisations to keep all operating systems and software up to date, to secure and monitor RDPs, and increase their use of multi-factor authentication (MFA) – a protection method which is known to reduce account breaches by 50%.
Staff should also be adequately prepared for potential attacks with the help of user training programmes and phishing exercises, the advisory warned.
RELATED RESOURCE
Vulnerability and patch management
Keep known vulnerabilities out of your IT infrastructure
The shift away from high-profile targets has been predicted by a number of cyber security researchers following the Colonial Pipeline attack. In July 2021, Quest senior director of product management Paul Robichaux told IT Pro that "ransomware gangs that attract too much attention by attacking the wrong targets are going to bring the heat on themselves and get put out of business through law enforcement activity".
Hence, the "smarter" hackers "will pick their targets more carefully, both by industry and by geography".
“The smartest will focus only on territories where there is unlikely to be any meaningful law enforcement or intelligence community response and focus all their activity there," he added.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
