As ransomware groups turn their attention to bigger game, expect more high-profile targets to fall.

It's been over a week since hackers crippled Garmin with a ransomware attack, and five days since its services started flickering back to life. The company still hasn't fully recovered, as syncing issues and delays continue to haunt corners of the Garmin Connect platform. Two things, though, are clear: It could have been worse for Garmin. And it's only a matter of time before ransomware's big game hunters strike again.
By this point, the world has seen a few large-scale meltdowns stem from ransomware-style attacks, where hacker groups encrypt sensitive files and shake down the owners for money. In 2017, WannaCry swept the globe before intrepid hacker Marcus Hutchins found and activated its kill switch. That same year, NotPetya caused billions of dollars of damage at multinational corporations like Maersk and Merck, although the ransomware aspect turned out to be a front for a vicious data-wiper. Time appears to have emboldened some hackers, however, as large companies take their place on the list of popular targets, alongside hospitals and local governments.
“There's no doubt that it's a big change that they're hitting Fortune 500-type companies now.”
Jon DiMaggio, Symantec
Recent victims include not just Garmin but Travelex, an international currency exchange company, which ransomware hackers successfully hit on New Year's Eve last year. Cloud service provider Blackbaud, relatively low-profile but with a $3.1 billion market cap, disclosed that it paid a ransom to prevent customer data from leaking after an attack in May. And those are just the cases that go public. “There are certainly rather large organizations that you are not hearing about who have been impacted,” says Kimberly Goody, senior manager of analysis at security firm FireEye. “Maybe you don't hear about that because they choose to pay or because it doesn't necessarily impact consumers in a way it would be obvious something is wrong.”
Bigger companies make attractive ransomware targets for self-evident reasons. “They're well-insured and can afford to pay a lot more than your little local grocery store,” says Brett Callow, a threat analyst at antivirus company Emsisoft. But ransomware attackers are also opportunistic, and a poorly secured health care system or city, neither of which can tolerate prolonged downtime, has long offered better odds for a payday than corporations that can afford to lock things down.
The gap between big business defenses and ransomware sophistication, though, is narrowing. “Over the last two years, we've seen case after case of vulnerable corporate networks, and the rise of malware designed for the intentional infection of business networks,” says Adam Kujawa, a director at security firm Malwarebytes Labs. And for hackers, success breeds success; Emsisoft estimates that ransomware attackers collectively took in $25 billion last year. “These groups now have huge amounts to invest in their operations in terms of ramping up their sophistication and scale,” Callow says.
Even ransomware attacks that start without a specific high-profile target in mind (who knows what a phishing campaign might turn up?) have increasingly focused on spotting the whales in the net. One actor associated with Maze ransomware, FireEye's Goody says, specifically sought to hire someone whose sole job would be to scan the networks of compromised targets to determine not only the identity of the organization but its annual revenues.
The Garmin incident proves especially instructive here. The company was reportedly hit by a relatively new strain of ransomware called WastedLocker, which has been tied to Russia's Evil Corp malware dynasty. For much of the past decade, the hackers behind Evil Corp allegedly used banking-focused malware to pilfer more than $100 million from financial institutions, as outlined in a Department of Justice indictment last year. In 2017, Evil Corp began incorporating Bitpaymer ransomware into its routine. After the indictment, it apparently retooled and set its sights much higher.
“When you see them hitting governments, cities, hospitals, these more common targets that we've seen over the past couple of years, the ransom that they're asking in those is usually in the hundreds of thousands. With WastedLocker, the amount of ransom that we're seeing is definitely on the uptick. We're seeing them ask for millions,” says Jon DiMaggio, a senior threat intelligence analyst at Symantec. “With Evil Corp, there's no doubt that it's a big change that they're hitting Fortune 500-type companies now.”