Ransomware, ICS incidents rule in 2020, IBM reveals


Ransomware remained the top threat type in 2020, accounting for 23 percent of security incidents, while the number of security vulnerabilities related to industrial control systems (ICS) detected last year was 49 percent higher than the number discovered in 2019, IBM Security X-Force announced Wednesday.

Based on data collected from real attacks in its ‘IBM X-Force Threat Intelligence Index’ report, IBM found that the Sodinokibi (REvil) ransomware harvested a conservative profit of about US$123 million and stole around 21.6 terabytes of data. Ransomware attackers increased the pressure on victims by combining data encryption with threats to leak the stolen information on public sites.

The report offers a practical assessment of the cyber threat landscape and assists organizations in understanding the evolving threats, associated risk, and how to prioritize cybersecurity efforts.

While ransomware led the attacks in 2020, manufacturing organizations faced an onslaught of ransomware and other attacks last year. The manufacturing industry, the eighth most targeted industry in 2019, was the second most targeted overall, followed by finance and insurance. This may have been driven by the interest that malicious actors have in targeting infrastructure with connections to operational technology (OT).

Similarly, energy jumped from ninth place in 2019 to third place in 2020, further underscoring attackers’ focus on ICS and OT-connected organizations last year.

In December, Dragos and IBM Security X-Force carried out research that revealed an increase in disruptive ransomware attacks on OT environments, with the manufacturing and utilities sectors identified as the most targeted. At the time, the two companies estimated that the threat of attacks on ICS and OT-connected networks is likely to increase, as future attacks build on ransomware such as EKANS, which is capable of disrupting industrial processes. The trend is also driven by the pressure on companies to publicly report incidents of compromise.

X-Force detected sophisticated attackers using targeted spear phishing campaigns in attacks against manufacturing businesses and NGOs involved in the COVID-19 vaccine supply chain. In mid-2020, X-Force uncovered a global phishing campaign that reached more than 100 high-ranking executives in management and procurement roles for a task force acquiring personal protective equipment (PPE) in the battle against the COVID-19 virus.

In 2020, healthcare ranked as the seventh most attacked industry, recording 6.6 percent of all attacks on the top ten industries, up from tenth place and 3 percent of attacks in 2019. This is an appreciable jump, reflecting the heavy targeting that healthcare received during the COVID-19 pandemic, from ransomware attacks to threat actors targeting COVID-related research and treatments. Nearly 28 percent of attacks on healthcare were ransomware.

X-Force analysis of public breach data indicates that ransomware-related data leaks made up 36 percent of public breaches in 2020. Last year, 33 percent of the attacks on government organizations were ransomware attacks, and nearly 50 percent of the ransomware attacks that X-Force observed on government entities in 2020 came from Sodinokibi threat actors.

IBM Security X-Force observed that 31 percent of attacks in 2020 occurred in the European region, up significantly from 21 percent in 2019. Europe bore the brunt of more cyber attacks than any other region, with ransomware rising as the top culprit. In addition, Europe saw more insider threat attacks than any other region, with twice as many such attacks as North America and Asia combined.

IBM does not hold much hope for the year ahead. The risk surface will continue to grow, with thousands of new vulnerabilities likely to be reported in both old and new applications and devices. In addition, double extortion for ransomware will likely persist through 2021, as attackers publicly leak data on ‘name and shame’ sites, increasing their ability to command high prices for ransomware infections.

Threat actors are likely to shift their sights to different attack vectors, with targeting of Linux systems, OT, IoT devices and cloud environments expected to continue. As targeting of these systems and devices becomes more advanced, threat actors may rapidly shift efforts, especially following any high-profile incident.
