The massive targeting of mainly Western countries, and the overwhelming focus on the US, suggest a more targeted nature of the ransomware attacks observed nowadays. This is in sharp contrast to the more classic ransomware attacks. Traditionally, ransomware operators were known to distribute their ransomware to as many victims as possible, as this modus operandi was believed to increase the potential revenues from ransom payments: relatively, the more victims they reached, the higher the chances are that at least some of them will pay the ransom. Security researchers have already highlighted this trend of ransomware attacks becoming more targeted. Back in 2019, the FBI issued a warning of high-impact ransomware attacks that were threatening US businesses and organizations. In this advisory, the bureau noted that “Ransomware attacks are becoming more targeted, sophisticated, and costly… Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly…” 11 . Researchers dubbed this trend “big-game hunting” and these attacks were focused on high-value and high-profile organizations that are especially sensitive to downtime, instead of random attacks that also targeted individuals, typical to the more traditional ransomware threats 12 . Furthermore, it was recently revealed that ransomware gangs, and mainly the Clop ransomware, have started to prioritize targeting endpoints of top executives and high- level personnel in the victim organization, in hope of obtaining more sensitive and valuable data that might apply even more pressure on the victim to pay the ransom 13 . While highlighting the countries that were targeted is important, just as interesting (and perhaps even more) are the countries that were not targeted. A close examination of the list of 63 targeted countries above, reveals that Former Soviet Union (FSU) countries are missing from it. This fact may provide some clues as to the identity and origin of the attackers. Russian threat actors are known to refrain from targeting and infecting victims from FSU countries. Many times, Russian malware authors specifically configure their malware to check if it is running on a system located in one of these countries and if so – to stop running and terminate itself. In addition, it is not uncommon to see malware authors on Russian Dark Web hacking forums, who offer their malware for sale or share it for free, emphasize and demand that their malware shall not be used against victims in FSU countries. 3.1 TARGETED RANSOMWARE ATTACKS 3.2 ORIGIN OF RANSOMWARE GROUPS https://www.ic3.gov/Media/Y2019/PSA191002 https://arstechnica.com/information-technology/2019/10/fbi-warns-of-major-ransomware-attacks-as-criminals-go-big-game-hunting/ https://www.zdnet.com/article/some-ransomware-gangs-are-going-after-top-execs-to-pressure-companies-into-paying/ 13. 11. 12. 13 | The Ransomware Landscape