Ransomware attacks against OT networks are on the rise and have increased during the COVID-19 pandemic, according to Allan Liska, a threat intelligence analyst at Recorded Future. Apart from disrupting operations, the threat of ransomware is leading to financial losses and reputational damage.
“Not only do we see them increasing incidentally, but we do also see that there are some ransomware actors that are actually very focused on operational technology networks,” said Liska at the ManuSec Europe 2021 virtual event. “When we talk about operational technology, we are separating that out from traditionally what we consider IoT.”
Attended by over 150 manufacturing and cybersecurity executives from across Europe, the ManuSec Europe 2021 event explored strategies and best practices for securing critical manufacturers: protecting industrial networks, aligning organizations around IT/OT convergence, and establishing a cybersecurity roadmap for safety-critical systems that defines the practical steps needed to protect key assets from cyber threats.
Operational technology used inside corporate networks is much more critical to the functioning of the organization, so a disruption in operational technology from a ransomware attack can cost a company millions, if not hundreds of millions of dollars, he said. “That’s why ransomware actors are targeting operational technology because they can make money from it. Ransomware actors are very much profit-driven,” Liska added.
“Starting roughly at the end of December, there is a huge jump in the number of attacks, as ransomware actors focused on this,” Liska pointed out in his presentation. “There is a lot of activity in OT networks when it comes to ransomware, and obviously there is a lot of concern around these kinds of attacks.”
Beyond EKANS and CLOP, security firm FireEye has identified at least five other ransomware families using the same process kill list as EKANS: DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. “This means that there are multiple actors sharing a list and it means that these attacks against OT networks are becoming more commoditized. So you don’t have to be the most advanced actor to be able to go after them now, because somebody has already done the legwork for you, and they are sharing that information.”
This makes every ransomware actor more dangerous, he added.
The interest in OT networks is increased by the fact that ransomware actors are financially motivated. “They make money when they can shut down OT operations,” Liska said. “If you disrupt a manufacturing company, or if you disrupt a network that links multiple systems together, then you have effectively shut that organization down, and you are much more likely to get paid and command a higher ransom payout. So that becomes important.”
This played out recently when DarkSide ransomware hit Colonial Pipeline, compromising the fuel pipeline company’s IT network and disrupting its operations for several days. The company is reported to have paid close to US$5 million in ransom to the DarkSide attackers after its operations were hit on May 7.
In addition, there is a lot of juicy data on the OT networks. “Extortion has become a critical part of the ransomware operations, no longer enough just to encrypt files, you have to steal data and publish that data,” Liska said. “And so, if you can gain access to the OT networks, there are a lot of files, a lot of very sensitive data there that you can probably exfiltrate and publish to your site. So even if the target organization doesn’t pay the initial ransom, they may be willing to pay extortion to make sure their files aren’t released for the world to see.”
“For ransomware, the median amount lost was $11,150, and the range of losses in 95% of the cases fell between $70 and $1.2 million,” according to the Verizon 2021 Data Breach Investigations Report.
OT networks are often exposed, with less rigorous security and a slower patching cycle. Because they are frequently managed by the vendor, they are not patched as often as IT systems, and there is a persistent assumption that they are secure because they are isolated, so nobody can reach them, or because they are too obscure for an attacker to understand.
“A lot of organizations think that nobody knows how to operate this, it’s really obscure technology, so I don’t really have to worry about it,” Liska said. “But again that’s not true. With the number of organizations that have been hit by ransomware, you have again expertise that’s developed in the ransomware community for many of these types of OT networks.”
Ransomware operators are far more sophisticated than they used to be. “Many ransomware actors have now been in dozens of corporate networks, if not hundreds, and they learn from each of the sessions,” Liska said. “So as they learn and gain access to different parts of the network, they take notes, they share information with each other, and they do that to improve their ability to operate. That means, when they go after the next target, they will be so much better.”
“The novel fact is that 10% of all breaches now involve ransomware. This is because actors have adopted the new tactic of stealing the data and publishing it instead of just encrypting it,” the Verizon report said. “These attacks have some variety in terms of how the ransomware gets on the system, with Actors having strong preferences that can be broken into several vectors. The first vector is through the Use of stolen credentials or Brute force. We’ve seen 60% of the ransomware cases involving direct install or installation through desktop sharing apps.”
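Two of the vectors named above, brute force and installation through desktop sharing apps, leave a recognizable trace in Windows Security logs: a run of failed logons (event ID 4625) followed by a success (4624) for the same account from the same source over a remote logon type such as RDP. The following is an added example, not code from the article or from Verizon, that flags that pattern. The log records are constructed and reduced to four fields, and the failure threshold is an assumed tuning value.

```python
"""Flag a remote logon that succeeded after repeated failures from the same
source (added example, not the article's or Verizon's code). Events are
constructed, simplified Windows Security log records."""
from collections import defaultdict

# Constructed records: event_id account source_ip logon_type
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive
# (RDP), 3 = network share/WinRM, 2 = local console.
SAMPLE_LOGONS = """\
4625 svc_hist 203.0.113.5 10
4625 svc_hist 203.0.113.5 10
4625 svc_hist 203.0.113.5 10
4625 svc_hist 203.0.113.5 10
4625 svc_hist 203.0.113.5 10
4625 svc_hist 203.0.113.5 10
4624 svc_hist 203.0.113.5 10
4625 operator 198.51.100.9 10
4624 operator 10.0.5.21 10
4625 admin 10.0.5.22 2
4624 admin 10.0.5.22 2
"""


def parse_logons(text):
    """Parse the simplified records into (event_id, account, source_ip, logon_type)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, account, ip, ltype = line.split()
        records.append((int(eid), account, ip, int(ltype)))
    return records


def find_brute_force_success(records, min_failures=5, remote_types=(3, 10)):
    """Return (account, source_ip, failures_before_success) for each remote logon
    success preceded by at least `min_failures` failures for the same account
    from the same source. Console logons are ignored, and the failure counter
    resets on success so one compromise yields one alert."""
    failures = defaultdict(int)
    alerts = []
    for eid, account, ip, ltype in records:
        if ltype not in remote_types:
            continue
        key = (account, ip)
        if eid == 4625:
            failures[key] += 1
        elif eid == 4624:
            if failures[key] >= min_failures:
                alerts.append((account, ip, failures[key]))
            failures[key] = 0
    return alerts


if __name__ == "__main__":
    for account, ip, count in find_brute_force_success(parse_logons(SAMPLE_LOGONS)):
        print(f"likely brute-forced: {account} from {ip} after {count} failures")
```

The rule deliberately keys on account and source together: the single failure for operator from 198.51.100.9 followed by a success from an internal address is the everyday mistyped password, not an attack. Two caveats a practitioner would add: a real detector should bound the failures to a time window so that months of stale noise cannot accumulate into an alert, and the first vector in the quote, stolen credentials, produces a clean 4624 with no failures at all, so it needs different signals (new source network, impossible travel, a dormant account waking up) rather than this counter.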
IBM Security X-Force’s February report found that ransomware remained the top threat type in 2020, accounting for 23 percent of security incidents, and that the number of vulnerabilities disclosed in industrial control systems (ICS) in 2020 was 49 percent higher than in 2019.