Assessing and Prioritizing Ransomware Risk Based on Historical Victim Data

📅 2025-02-06

🤖 AI Summary
This study addresses the challenge of threat prioritization in ransomware defense by proposing an organization-level attack risk quantification framework grounded in historical victim data. Methodologically, it introduces SKRAM—the first ransomware-group profiling framework encompassing Skills, Knowledge, Resources, Authorities, and Motivation—integrated with TTP (Tactics, Techniques, and Procedures) analysis, large language model–driven chain-of-thought few-shot prompting, and synthetic victim-profile heuristic generation. A machine learning–based risk-ranking model is then developed to enable fine-grained prediction of the likelihood that a given organization will be targeted by each ransomware group. The key contribution lies in the first unified modeling of adversary behavior and organizational vulnerability, significantly improving high-risk threat identification accuracy and incident response decision efficiency. The framework delivers interpretable, operationally actionable risk assessments to support customized, proactive defense strategies.

📝 Abstract
We present an approach to identifying which ransomware adversaries are most likely to target specific entities, thereby assisting these entities in formulating better protection strategies. Ransomware poses a formidable cybersecurity threat characterized by profit-driven motives, a complex underlying economy supporting criminal syndicates, and the overt nature of its attacks. This type of malware has consistently ranked among the most prevalent, with a rapid escalation in activity observed. Recent estimates indicate that approximately two-thirds of organizations experienced ransomware attacks in 2023 \cite{Sophos2023Ransomware}. A central tactic in ransomware campaigns is publicizing attacks to coerce victims into paying ransoms. Our study utilizes public disclosures from ransomware victims to predict the likelihood of an entity being targeted by a specific ransomware variant. We employ a Large Language Model (LLM) architecture that uses a unique chain-of-thought, multi-shot prompt methodology to define adversary SKRAM (Skills, Knowledge, Resources, Authorities, and Motivation) profiles from ransomware bulletins, threat reports, and news items. This analysis is enriched with publicly available victim data and is further enhanced by a heuristic for generating synthetic data that reflects victim profiles. Our work culminates in the development of a machine learning model that assists organizations in prioritizing ransomware threats and formulating defenses based on the tactics, techniques, and procedures (TTP) of the most likely attackers.

Problem

Research questions and friction points this paper is trying to address.

Predict ransomware targeting likelihood
Analyze adversary SKRAM profiles
Prioritize ransomware defense strategies

Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM architecture
chain-of-thought prompts
synthetic data heuristic