The massive targeting of mainly Western countries, and the overwhelming focus on the US, suggest a more targeted nature of the ransomware attacks observed nowadays. This is in sharp contrast to the more classic ransomware attacks. Traditionally, ransomware operators were known to distribute their ransomware to as many victims as possible, as this modus operandi was believed to increase the potential revenues from ransom payments: relatively, the more victims they reached, the higher the chances are that at least some of them will pay the ransom. Security researchers have already highlighted this trend of ransomware attacks becoming more targeted. Back in 2019, the FBI issued a arning of high-impact ransom are attacks that ere threatening US businesses and organi ations. In this advisory, the bureau noted that “Ransomware attacks are becoming more targeted, sophisticated, and costl … Since earl 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks ha e increased signiåfcantl …” 11 . Researchers dubbed this trend “big-game hunting” and these attacks ere focused on high- alue and high-proåfle organi ations that are especially sensitive to downtime, instead of random attacks that also targeted individuals, typical to the more traditional ransomware threats 12 . Furthermore, it was recently revealed that ransomware gangs, and mainly the Clop ransom are, ha e started to prioriti e targeting endpoints of top e ecuti es and high- le el personnel in the ictim organi ation, in hope of obtaining more sensiti e and valuable data that might apply even more pressure on the victim to pay the ransom 13 . While highlighting the countries that were targeted is important, just as interesting (and perhaps even more) are the countries that were not targeted. A close examination of the list of 63 targeted countries abo e, re eals that Former So iet Union (FSU) countries are missing from it. This fact may provide some clues as to the identity and origin of the attackers. Russian threat actors are known to refrain from targeting and infecting victims from FSU countries. Man times, Russian mal are authors speciåfcall conåfgure their malware to check if it is running on a system located in one of these countries and if so – to stop running and terminate itself. In addition, it is not uncommon to see mal are authors on Russian Dark Web hacking forums, ho oâfer their mal are for sale or share it for free, emphasi e and demand that their mal are shall not be used against victims in FSU countries. 3.1 TARGETED RANSOMWARE ATTACKS 3.2 ORIGIN OF RANSOMWARE GROUPS https:// .ic3.go /Media/Y2019/PSA191002 https://arstechnica.com/information-technolog /2019/10/fbi- arns-of-major-ransom are-attacks-as-criminals-go-big-game-hunting/ https:// . dnet.com/article/some-ransom are-gangs-are-going-after-top-e ecs-to-pressure-companies-into-pa ing/ 13. 11. 12. 13 | The Ransomware Landscape