Ransomware strikes rise sharply, fueled by profit potential


Cybercrime, including ransomware strikes, has continued to rise sharply, fueled by its potential for profit, as workforces are overwhelmed and left vulnerable by the challenges of remote operations.

Nozomi Networks said on Thursday that there had been a surge in ransomware, in new vulnerability disclosures and in the security risks posed by IoT security cameras. The company provided insights for re-evaluating risk models and security programs, along with actionable recommendations for securing operational systems.

Ransomware strikes on industrial organizations have risen 500 percent between 2018 and 2020, according to Nozomi. The high rate of growth continues upwards this year, with another 116 percent increase just between January and May this year.

Modern ransomware strikes are increasingly executed by criminal groups using the Ransomware as a Service (RaaS) model, Nozomi said. These groups run much like a cartel, motivated by profit and involving multiple unrelated parties acting together in an ecosystem. 

Apart from ransomware, the Nozomi report, titled “OT/IoT Security Report: What You Need to Know to Fight Ransomware and IoT Vulnerabilities,” also found that vulnerability disclosures for industrial control systems (ICS) grew 44 percent in the first half of this year, compared to the second half of last year. The critical manufacturing sector was the most affected, with a whopping 148 percent increase in vulnerability disclosures solely affecting that industry.

IoT security threats, such as those affecting IoT security cameras, were also a heightened area of risk. The Nozomi Networks Labs team disclosed vulnerabilities in Realtek and ThroughTek products, while the Verkada breach showed that attackers could use security cameras as an entry point for lateral movement across victims’ networks.

Many of today’s ransomware strikes involve shadowy organizations that communicate on darknet forums, but they are anything but lightweight in terms of how they conduct their operations. “While some ransomware groups are large enough to work independently and carry out every step of an attack themselves, this approach is waning,” Nozomi said in its report. 

Increasingly, the RaaS model, which involves many players, is gaining popularity. The coordinated action of different parties working together, each playing to their strengths, makes ransomware groups powerful adversaries. With multi-stage, constantly evolving malware available for purchase, the criminals driving ransomware strikes do not need technical skills themselves.

An example of a RaaS operation is the DarkSide ransomware group, which in May attacked Colonial Pipeline, a company that transports 45 percent of the U.S. East Coast fuel supply. The attack affected some of the company’s IT systems and, in response, Colonial Pipeline took certain systems offline to contain the threat, temporarily halting all pipeline operations. While the OT network was not directly breached, the shutdown led to a six-day period of gas shortages.

The attack was a coordinated effort that prepared and deployed malware combining several attack techniques, an approach that often leads to the successful extortion of victims. The success of the entire attack showed the effectiveness of the RaaS model and its division of labor.

Nozomi Networks Labs studied the internals of the DarkSide executable and revealed the malware’s techniques in three areas: selecting victims and files, ensuring anonymity and anti-detection, and preventing data restoration.

DarkSide was not the only ransomware attacker to thrive in the first six months of this year. Another RaaS operator, REvil, also known as Sodinokibi, flourished by carrying out high-profile attacks on meat processing company JBS Foods, Acer, and Quanta, amongst others. This group is setting new records with ransom demands of US$50 million or more, and having tremendous impacts on business, further highlighting the high risk organizations face from this type of threat.

“While neither of these attacks was executed against operational systems, each resulted in disruptions to those systems. The outages, and the media attention they generated, elevated cybersecurity discussions in board rooms around the world,” Nozomi wrote in its report. “It’s critical that all organizations with OT systems understand how modern ransomware attacks are conducted and how to defend against them,” it added.

In addition to the multiplicity of players involved in executing ransomware strikes, the malware itself is often made up of multiple components. A prime example is the kill chain used by the Ryuk ransomware group. Ryuk also stands out for the speed of its attacks. Depending on the targeted network, the length of time from infection to ransomware execution can be as little as a couple of hours.

The Ryuk group has particularly targeted healthcare facilities, which are already under pressure dealing with the COVID-19 pandemic. Ryuk is estimated to have collected over $150 million in ransom, with an average ransom of $750,000 from each victim. The group’s largest confirmed payment came to 2,200 bitcoin, or approximately $34 million.

Nozomi Networks Labs also analyzed new vulnerabilities published by ICS-CERT, a program run by the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. government body. While vulnerabilities increased 44 percent in the first half of 2021, compared to the second half of 2020, the number of vendors affected rose by 5 percent, and the number of products affected rose 19 percent.

Vulnerabilities solely affecting the critical manufacturing sector rose by 148 percent, posing an additional challenge to an industry where many segments are struggling to regain momentum after pandemic-driven shutdowns, Nozomi said. Analyzing new vulnerabilities helps organizations understand which ICS devices or software have recently come under public scrutiny and serves as input for determining security priorities.

IoT security cameras are used extensively by industrial and critical infrastructure sectors. According to research firm Markets and Markets, the global video surveillance market size is expected to grow from $45.5 billion in 2020 to $74.6 billion by 2025. The infrastructure sector, including transportation, city surveillance, public places, and utilities, is expected to have the highest growth rate during that period. Given the prevalence and growing use of IoT cameras, it is important to understand their security risks. 

Over the last six months, Nozomi Networks has discovered and disclosed three surveillance camera vulnerabilities affecting vendors that use Peer-to-Peer (P2P) functionality to provide access to audio/video streams.

“Additionally, we’ve reported on an IoT security camera cyberattack that resulted in unauthorized access to the live video feeds of 150,000 surveillance cameras and their full archive. To protect organizations from security camera risk and contribute to the security community at large, we’re sharing the insights we gained through researching surveillance system vulnerabilities. We also provide guidance on vendor considerations and how to mitigate risks,” Nozomi added.

Nozomi said that understanding these risks, and thinking through the consequences of the organization being attacked or exposed by them, should help organizations re-evaluate their cybersecurity posture.

“As ransomware and vulnerabilities proliferate, make sure your defenders have the tools they need. This includes real-time visibility of IT, OT and IoT assets and actionable threat and vulnerability information. The right technology and threat information can greatly assist by providing integrated information that eliminates blind spots,” it added.
