Research carried out by Dragos and IBM Security X-Force revealed that disruptive ransomware attacks on operational technology (OT) are on the upswing, with the manufacturing and utilities sectors identified as the most targeted.
Dragos and X-Force expect the threat to ICS and OT-connected networks to grow, as future attacks build on the techniques of ransomware such as EKANS, which is capable of disrupting industrial processes. The two companies also attribute this trend to mounting pressure on companies to publicly report incidents of compromise.
Ransomware will continue to be a major threat to industrial operations in the future. Despite efforts to improve security across multiple business sectors, poor security practices and improper segmentation between enterprise and operations networks still enable the infection and propagation of ransomware across business and ICS systems. Attacker behavior is adapting to corporate security efforts and expanding to include data theft and extortion.
Dragos and X-Force also anticipate that ransomware attacks in the future will be used as a cover for state-sponsored operations.
The two vendors analyzed 194 confirmed attacks against ICS and supporting entities, and their summary of the findings shows that ransomware attacks on industrial entities increased more than 500 percent since 2018. Analysis of the monthly frequency of ransomware attacks on industrial organizations indicates that attacks have been trending slightly upward over time, reaching an all-time high in May 2020.
The findings shared in this report are based on publicly available information, supplemented by data from incidents identified and responded to by X-Force and Dragos' Services team. Entities that experience disruptive ransomware events frequently do not report them unless compelled by regulators.
Headquartered in Hanover, Maryland, Dragos is an ICS and IIoT cybersecurity company that monitors cyber events impacting ICS entities. IBM Security X-Force provides incident response and intelligence services to organizations across a range of verticals, including those with ICS and OT networks as part of their infrastructure.
Dragos and X-Force have observed an appreciable rise in the number of both non-public and public ransomware events affecting ICS environments and operations. Through joint collaboration, intelligence analysts mapped publicly known and internal client incidents of attacks on industrial entities from 2018 through October 2020.
Researchers found ransomware against ICS entities and supporting organizations increased 75 percent in this timeframe, with activity peaking in May 2020. Of the attacks in which the scope of impact is known, 56 percent of ransomware attacks affected operations functionality at victim organizations, resulting in weeks-long downtime in some cases.
Sodinokibi, Ryuk and Maze were the most commonly observed ransomware strains compromising industrial organizations from 2018-2020. Specifically, Sodinokibi accounted for 17 percent of the ransomware attacks against industrial organizations where the strain was known, while Ryuk made up 14 percent and Maze 13 percent.
Most ransomware attacks occurred in North America, followed by Europe and Asia. In fact, North America saw nearly 45 percent of attacks on ICS-connected networks since 2018, followed by Europe at 31 percent and Asia at 18 percent of total attacks tracked.
The largest increase in targeting was observed in the manufacturing sector, with the number of incidents in that sector tripling from 2018 to 2020. Manufacturing was also the hardest hit, experiencing 36 percent of all ransomware attacks on ICS-related networks for the period from 2018 to 2020. Utility companies came in second, at 10 percent of attacks—a percentage that has risen dramatically since 2018.
Dragos and X-Force data also revealed that the most common initial access vectors are phishing, compromise of remote services such as Remote Desktop Protocol (RDP), and exploitation of software vulnerabilities in devices such as virtual private network (VPN) concentrators and enterprise network equipment.