The Ransomware Trinity
There are three things that industries ravaged by ransomware tend to have in common.
They have data that is sensitive enough to be protected.
The industry lacks mature defenses.
Someone in the victim ecosystem is willing and able to pay.
So far we’ve seen this in places like:
Hospitals
Schools
Small businesses
Home users (to a lesser extent)
But if you look at those criteria, I think you can predict new places that will be targeted in the future. One I think is ripe for it is:
Law firms
Think about the data they have. Think about how much effort they’re spending on security. And think about how much money they have to pay ransom.
It’s the perfect mixture.
What other industries should we be watching out for and getting ready to protect?
Notes
This also applies to Extortionware, if that ever becomes a thing.
Please do your best not to notice that there is no overlap in this Venn diagram. I blame Google Docs for not having a Venn function. You should too.
Published on July 05, 2017 21:05
Daniel Miessler's Blog

