Most ransomware attacks are opportunistic, not targeted at a specific sector or region Counter Threat Unit™ (CTU) researchers are frequently asked about ransomware groups posing a threat to organizations in specific verticals or geographic locations. These questions usually follow the publication of third-party reports that highlight how a particular ransomware group is “targeting” a specific sector. CTU™ researchers understand the concerns but maintain that focusing on defending against specific groups is not the best way to avoid becoming a victim of ransomware. As the majority of ransomware attacks are opportunistic, organizations should instead consider how they can best prepare for any ransomware or data theft attack, regardless of the perpetrators. How threat actors choose their victims and deploy ransomware depends on their motivations. Cybercriminals want to make money, so all organizations are potential victims of these groups. In contrast, state-sponsored actors use ransomware for destructive purposes, to obscure espionage activity, to generate revenue, or to achieve a combination of these outcomes. Each of these groups therefore has a separate threat profile, and the organizations at risk can vary greatly. Cybercrime Financially motivated attacks are by far the most prevalent ransomware operations. As threat actors victimize any organization that they can access, organizations in all verticals and locations are at risk. Although some groups might choose to exploit available access at higher-revenue companies in the belief it will secure a larger payout, Sophos customer telemetry reveals that most attempts to deploy ransomware occur at small organizations. These companies are likely more susceptible to compromise due to limited cybersecurity budgets and lack of dedicated in-house cybersecurity resources. Opportunistic access for financial gain Financially motivated ransomware operations are almost entirely opportunistic and based on available access. This access may have been obtained via malware delivered in phishing campaigns, credentials captured by infostealers, or the exploitation of vulnerabilities in internet-facing services. Whatever the method, the approach is random and untargeted. CTU researchers therefore try to avoid using the word “targeting” when talking about attacks, instead using “victimization” to describe the victim selection process. Any triage likely involves an assessment of which potential victims not to attack rather than which ones to attack. For example, most Russian and Eastern European ransomware groups deliberately avoid compromising organizations in Russia or other Commonwealth of Independent States (CIS) member nations , and increasingly members of the BRICS economic bloc, to avoid Russian or Russia-aligned law enforcement scrutiny. Some groups may also endeavor to avoid attacking organizations in the healthcare or critical infrastructure sectors, likely to avoid international pressure on local law enforcement to take action, although groups often make such claims on grandiose and spurious ethical or moral grounds. The banking sector is a good example of the opportunistic nature of cybercriminal ransomware attacks. Banks are high-revenue organizations, and a disruption to their operations caused by ransomware would be a powerful motivation for them to pay ransoms. Theoretically, these factors would make them prime targets for such attacks. However, CTU researchers see very few banks targeted by ransomware. This is likely because it is a heavily regulated sector with mandatory cybersecurity standards that eliminate competitive penalties. As a result, investments are made, control frameworks are specified, perimeters are well-defended, and networks are designed to limit opportunities for compromise. Organizations operating in unregulated sectors are more susceptible to opportunistic attacks because employing robust cybersecurity practices is not incentivized in the same way. For example, enhancing security measures in the manufacturing sector increases a company’s cost base and makes a competitor’s products comparatively cheaper. When organizations in a particular sector are victimized by a specific group, it is likely a result of that group exploiting a vulnerability in a service that is widely adopted across that sector. Organizations in the same sector tend to have similar security frameworks. There are exceptions, however. Some groups may victimize organizations in sectors that they think would be more likely to pay a ransom. For example, Conti affiliates deliberately attacked hospitals during the COVID-19 pandemic in the belief that it would increase the chance of a payout. GOLD VICTOR , which launched the Vice Society and Rhysida ransomware operations, has a clear predilection for victimizing healthcare and education organizations, likely for the same reason (see Figure 1). However, in the six months prior to December 31, 2025, Rhysida accounted for less than 1% of the total number of victims listed on all leak sites. Ransomware victimization continues to remain overwhelmingly randomized. Figure 1: Sectors victimized across all ransomware groups from May 1, 2021 through December 31, 2025, compared to the breakdown for Vice Society and Rhysida Victim triage likely varies greatly among groups, based on maturity, expertise, and appetite for risk. The affiliate model in ransomware-as-a-service (RaaS) schemes has certainly made this process much less predictable. While affiliates of a particular scheme might share a playbook, they also move between schemes to secure the best deal, making attribution and anticipating intrusion activity challenging. When advertising for affiliates, some groups stipulate conditions such as prohibitions on attacking certain sectors and geographies, and requirements that victims’ revenue must be over a certain amount to ensure that time spent on the attack results in a profitable payout. However, it is almost certainly the case that some inexperienced affiliates do not engage in a triage process at all and are likely not fully aware of whom they have victimized until after they have stolen data and deployed ransomware. If an attacker does not properly assess the potential impact, then ransomware deployment can be devastating by accident. For example, it is highly unlikely that the Qilin affiliate that deployed ransomware at Synnovis in June 2024 knew it would result in such significant damage to National Health Service (NHS) operations in London. Supply chain compromise Some threat actors focus on compromising the supply chain, which can make ransomware or data theft operations appear targeted when they are not. For example, the GOLD TAHOE threat group that operates Clop ransomware deliberately creates exploits for zero-day vulnerabilities in managed file transfer (MFT) services to steal data and hold it for ransom. The group is not deliberately targeting and extorting any particular organization; the victims just happen to use the exploited service and get caught up in the attack. Given that the exploitation and data theft occur at scale and through automation, any triage that occurs takes place after the group has collected the data and identified victims. It is possible that GOLD TAHOE prioritizes extortion against certain companies, possibly based on revenue or sector, but the ransom demands appear generic and unfocused. Nevertheless, this technically adept activity is atypical for a cybercriminal group. Acclaim Another motivation in cybercriminal ransomware operations that can change the dynamic of victim selection is kudos from peers. For example, it is not clear how Scattered Spider, a disparate collective of young individuals that CTU researchers track as GOLD HARVEST , chooses which organizations to victimize. However, the group members’ core motivation for their attacks is not necessarily financial gain. Like previous groups such as GOLD RAINFOREST (also known as Lapsus$) and Lulzsec, attacks appear to be undertaken for bragging rights and praise rather than moneymaking, so they regularly impact high-profile organizations. GOLD HARVEST has demonstrated significant aptitude in their operations. In compromising credentials for the Okta identity service solution, for example, the threat actors were able to subsequently target companies that relied on Okta for authentication. Some of the group’s tradecraft involves target selection that does not rely on opportunistic access like other cybercriminal or ransomware groups. Members of the collective, who are predominantly native English-speakers, attempt to gain access to chosen organizations via social engineering: calling help desk staff to reset passwords or enroll multi-factor authentication (MFA) devices. They might not always succeed, but it nevertheless represents a different threat from conventional cybercriminal or ransomware groups. That said, it is possible that the group does also use available access opportunities to exploit victims. Although CTU researchers have no special insight into the attacks, it has been rumored that third-party IT supplier Tata Consulting Services (TCS) had a role in both the Marks & Spencer ( M&S ) and Co-op attacks in 2025. TCS has denied its systems or users were compromised. Brand building RaaS operators might be motivated to build their brand to attract affiliates. The operators might encourage affiliates to target any organization, regardless of the likelihood of a payout, to boost victim numbers and make the scheme appear more impactful. This approach creates a dilemma for RaaS operators – how can they have enough impact to make a scheme attractive to affiliates but not cause so much damage that it brings unwanted attention from law enforcement? Most groups simply want to make money, so targeting organizations that represent a risk to their operations is ill-advised. Their triage process therefore likely involves avoiding victimizing high-profi