Kaspersky predicts ransomware to remain top threat to industrial enterprises in 2024

Kaspersky said in its ICS (industrial control system) and OT (operational technology) threat predictions that it does not expect rapid changes in the industrial cyber threat landscape this year. Most of the trends, such as ransomware, have been observed before, many for some years. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscape as early as next year.

Evgeny Goncharov wrote in a Kaspersky report that ransomware will remain the top scourge of industrial enterprises in 2024. “In 2023, ransomware attacks consolidated their hold on the top of the ranking of information security threats to industrial enterprises. As seen from the official statements of organizations affected by cyber incidents in H1 2023, at least one in six ransomware attacks caused a halt in the production or delivery of products. In some cases, the damage from the attack was estimated in the hundreds of millions of dollars. At present, there appears to be no reason to believe the threat will decrease in the near future,” it added.

Furthermore, ransomware attacks on large organizations, suppliers of unique products, or big logistics and transport companies can have severe economic and social consequences. “Today, according to targeted companies, no less than 18% of ransomware attacks on industrial companies lead to disruptions in production and/or product delivery. Moreover, cybercriminals are aiming ‘upmarket’ in their choice of victims, preferring to target large organizations able to pay substantial ransom,” according to Kaspersky.

The ransomware market is heading for a peak, which may be followed by a decline or stagnation. Potential victims are unlikely to become immune to attacks any time soon. However, they can learn to mitigate the impact more effectively (for example, through better securing the most confidential data, and with proper backup and incident response plans).

Among the potential avenues of development that Kaspersky identified are attacks on logistics and transport companies that may be aimed not at the IT infrastructure supporting operations but at the vehicles themselves, such as cars or ships. The same vector applies equally to owners and operators of various specialized equipment operating at remote, hard-to-reach sites, such as in mining or agriculture. The problem of cyber-securing multiple hard-to-reach sites is also relevant for oil and gas companies, public utilities, and, in general, any organization with a highly distributed OT infrastructure.

Lastly, it included unconventional methods of monetizing attacks (for example, through stock market speculation) on economically significant enterprises — major transport and logistics organizations, large mining companies, manufacturers and suppliers of materials (such as metals, alloys, or composites), agricultural and food products, suppliers of unique/in-demand products, shortfalls of which are hard to cover quickly (such as microchips or fertilizers). 

Goncharov said that politically motivated hacktivism along geopolitical fault lines will grow sharper teeth and have more destructive consequences. “We all remember the headline-grabbing hacktivist attacks on railways and gas stations in Iran in 2021 that the pro-Israeli hacktivist group claimed responsibility for. And, we saw many more cases last year: the irrigation systems hit in Israel, the attacks on the Israeli-made Unitronics Vision all-in-one (PLC with integrated HMI) solutions that found their victims in US and Ireland, and one more attack on Iranian gas stations in 2023. Leaving aside the PR effect, the actual scale of the negative consequences was quite modest in all these cases,” it added.

The report added that widespread use of ‘offensive cybersecurity’ for gathering cyber threat intelligence will have both positive and negative consequences. “On the one hand, we will see some improvement in corporate security, as offensive cyber threat intelligence will give the user signs of potential compromise not with the telemetry of security solutions, incident research, indirect sources, and the dark web, as traditional cyber threat intelligence does, but also directly from attacker-controlled infrastructure. This will enable victims to restore system security more quickly and efficiently,” it added.

On the other hand, Kaspersky said that by becoming the new norm (albeit not officially legalized, but applied with the tacit consent of governments), the development of offensive cyber intelligence will also produce negative consequences, as the border between the gray zone and the shadows might be too thin and the temptation to cross it might be too hard to resist.

Kaspersky expects the ongoing and rapid automation and digitization of logistics and transport will lead to greater intertwining of cyber and traditional crime, particularly in long-established criminal fields such as theft of cars; maritime piracy and logistical disruptions powered by cyber means, as a logical continuation of known attack tactics and technologies; theft of goods using cyber means; and smuggling powered by cyber means, as a development of the tactics used in the notorious ‘Ocean’s Thirteen’ case in the port of Antwerp.

The report also identified an increased likelihood of physical consequences of non-targeted attacks. Already there are known cases of vehicles of various types being infected with malware. If we peer into the near future, due to the adoption of ‘traditional’ operating systems such as Android and Linux in transport, the widespread integration of standard IT components and communication protocols, and the increasing number of use cases involving connections to cloud services, such infections look set to multiply. 

It added that chances are that some may lead to failures of critical monitoring and control systems with hard-to-predict consequences. “Above all, the risk concerns river, sea, truck, and emergency transport — information security in such vehicles is often inferior to that in passenger cars.”
