
Illustration by Security Management

Ransomware Attacks on Industrial Companies Increased More Than 500 Percent

In a December report analyzing incidents of ransomware and extortion directed at industrial organizations, Dragos and IBM’s Security X-Force found that such attacks on these businesses have increased more than 500 percent since 2018.

“In addition, analysis of the frequency of ransomware attacks on industrial organizations per month indicates that attacks have been trending slightly upward over time—with an all-time high in May 2020,” the report, Ransomware in ICS Environments, said.

Focusing on attacks on industrial control systems (ICS), the authors—Selena Larson of Dragos and Camille Singleton of IBM—wrote that along with the significant increase in ransomware used against industrial companies, many of the attacks also triggered a disruption to the business’s industrial operations.

“Concerningly, some ransomware types, such as EKANS, have begun to adopt the ability to disrupt industrial equipment,” the report said. The code of some ransomware strains also includes mechanisms that can leap to operations—made vulnerable by improper security hygiene—halting activities on some human-machine interfaces, licensing servers, and a growing list of devices. (Materializing in December 2019, EKANS was a ransomware strain that encrypted files and delivered a ransom note, and also forcibly stopped multiple activities, including ones related to ICS.)

Other aspects indirectly impacted by a ransomware attack can include logistics, fleet management, data storage, sales operations, and more.

Data extortion has also increased in response to companies’ attempts to be more proactive against ransomware attacks—maintaining offline backups of systems, implementing effective security hygiene, and other methods meant to beef up defenses against these incidents. With this type of extortion, the attackers steal the data, encrypt it when possible, and then threaten to publish the information, some of which could be confidential or sensitive, unless the company meets the attackers’ demands.

The authors also noted that the rise in ransomware incidents—a 75 percent increase—coincided with the spread of the coronavirus pandemic, with attackers using the pandemic and the public’s increasing anxiety about health to create “phishing lures.”

In recent years, cyberattacks involving ransomware have largely focused on organizations that offer the attackers a high probability of the victim paying the ransom, such as manufacturers, but also hospitals, government agencies, and universities. According to a Europol analysis from April 2020, since the global spread of the coronavirus pandemic, cyberattackers prefer to initiate a ransomware attack as soon as possible. “The period between the initial infection with ransomware and the activation of the ransomware attack is shorter,” Europol found. “The pandemic may multiply the damaging impact of a successful attack against certain institutions, which reinforces the necessity for effective cyber-resilience.”

The majority of the 194 incidents reviewed occurred in North America (45 percent), then Europe (31 percent), and Asia (18 percent).

Beyond geography, the report also found that manufacturing and utility businesses were the top sectors targeted, making up 36 percent and 10 percent, respectively, of all attacks. Incidents in both sectors have increased since 2018.

Highlighted in the report was one of the most frequently used malware strains in analyzed ransomware incidents—Sodinokibi. This strain was responsible for more than one in six attacks on industrial networks since 2018.

Looking forward, Dragos and X-Force analysts believe that ransomware attacks “will continue to be a major threat to industrial operations in the future. Despite efforts to improve security hygiene across multiple business sectors, poor security practices including improper segmentation between enterprise and operations networks will enable the infection and propagation of ransomware across business and ICS systems,” the report said. “Ransomware operators will likely continue to incorporate data theft and extortion techniques into their ransomware campaigns—potentially at increasing rates going forward, particularly if current threat actors using this technique find the business model to be successful.”

The analysts also suspect that these types of incidents will likely be used as a cover for state-sponsored attackers in the future.

The report also made several recommendations on how organizations can fortify defenses against ransomware attacks, such as reviewing existing architecture to identify all assets, connections, and communications between IT and operational technology; analyzing and limiting connections between corporate and ICS networks to only trusted traffic; enforcing multifactor authentication wherever possible; using effective defense-in-depth security strategies that provide backup or multilevel protections against attackers; training employees to spot phishing attempts; and more. For the full report, see here.