Ransomware in Operational Technology Environments

Defense in Depth strategies - part 7 - Security Architectures

Malware and ransomware attacks against ICS environments have increased significantly in the last five years.

Many ransomware attacks, including large ones, are believed to go unreported because the affected companies do not want the market to know they have been compromised, given the damage this can do to the company's goodwill.

Ransomware groups increasingly target industrial organisations because they know that even the shortest operational downtime disrupts the target's supply chain and ability to operate, cutting into its profitability and into the output of the enterprises that depend on it.

Because manufacturers need to operate around the clock, they are likely to pay the ransom in order to restore operations as quickly as possible. This is one of the reasons ransomware groups are increasingly focusing on industrial organisations.

In 2022 ransomware became the number one attack vector in the industrial sector, with Manufacturing the most targeted part of the sector at 72% of the attacks.

This was followed by the Food & Beverage industry with 7% of the attacks and the Pharmaceutical sector with 5%.

Within the Manufacturing sector, the most impacted were companies in the Metal Products business (9%), followed by the Automotive industry with 7% and Building Materials and Electronics & Semiconductors with 6% each. These subsectors consistently rank among the most impacted Manufacturing businesses year on year.

Manufacturing is the sector most targeted by ransomware groups because it is the OT subsector with the least mature OT security defences: 86% of the services engagements assessed found a lack of visibility across the OT network.

LOCKBIT

The fastest-growing ransomware strain, and the one responsible for the most attacks on OT networks, is Lockbit. Its third-generation technology features:

  • Anti-detection mechanisms
  • Anti-debugging
  • Disabling of Windows Defender

Lockbit spreads across a domain through Active Directory Group Policy updates and then encrypts the victim's systems. It can also stop processes, including certain Windows and SQL processes as well as malware analysis tools, which helps it stay "off the radar" on the infected network and devices.
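The behaviours listed above (propagation via Group Policy, Windows Defender being switched off, database and analysis processes being killed) are exactly what a detection engineer can look for on the Windows hosts in an OT network, where endpoint agents are often absent but Sysmon or Security event forwarding may exist. The following is an added example, not code from the article or from Dragos: a small Python correlation that runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) and a Security event 5136 (directory service object modified) for a Group Policy container. The host names, user, timestamps, the process watch-list and the thresholds are assumptions chosen for illustration; the two Defender policy registry values are real Group Policy settings.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Processes and services LockBit-style ransomware stops before encrypting:
# database engines (so their open files can be overwritten), the Defender
# service, and common analysis tools. Hypothetical watch-list for the example.
KILL_WATCHLIST = {
    "sqlservr.exe", "mssqlserver", "sqlwriter.exe", "msmpeng.exe", "windefend",
    "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe",
}
# Group Policy registry values that switch Windows Defender off when set to 1.
DEFENDER_DISABLE_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
}
WINDOW = timedelta(minutes=10)  # max gap between a GPO edit on the DC and host activity
KILL_THRESHOLD = 3              # distinct watch-listed targets stopped before alerting

# Constructed sample events (JSON lines); hosts, user and times are made up.
SAMPLE_LOG = r"""
{"ts": "2023-01-12T03:14:01Z", "host": "DC01", "event_id": 5136, "object_class": "groupPolicyContainer", "user": "CORP\\svc-backup"}
{"ts": "2023-01-12T03:15:22Z", "host": "HMI-07", "event_id": 13, "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "details": "DWORD (0x00000001)"}
{"ts": "2023-01-12T03:15:40Z", "host": "HMI-07", "event_id": 1, "command_line": "taskkill /IM sqlservr.exe /F"}
{"ts": "2023-01-12T03:15:41Z", "host": "HMI-07", "event_id": 1, "command_line": "net stop MSSQLSERVER /y"}
{"ts": "2023-01-12T03:15:45Z", "host": "HMI-07", "event_id": 1, "command_line": "taskkill /IM procmon.exe /F"}
{"ts": "2023-01-12T03:15:47Z", "host": "HMI-07", "event_id": 1, "command_line": "taskkill /IM wireshark.exe /F"}
{"ts": "2023-01-11T09:00:00Z", "host": "ENG-02", "event_id": 1, "command_line": "net stop Spooler"}
{"ts": "2023-01-11T09:00:05Z", "host": "ENG-02", "event_id": 1, "command_line": "taskkill /IM notepad.exe /F"}
"""


def parse(text):
    """Yield event dicts from JSON lines, converting the ISO timestamp to datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def stopped_target(ev):
    """Lower-cased name of the process or service a command stops, or None.
    Recognises 'taskkill /IM <image> /F', 'net stop <service>' and 'sc stop <service>'."""
    parts = ev.get("command_line", "").lower().split()
    if not parts:
        return None
    exe = parts[0].rsplit("\\", 1)[-1]
    if exe in ("taskkill", "taskkill.exe") and "/im" in parts:
        i = parts.index("/im")
        return parts[i + 1] if i + 1 < len(parts) else None
    if exe in ("net", "net.exe", "sc", "sc.exe") and len(parts) >= 3 and parts[1] == "stop":
        return parts[2]
    return None


def detect(events):
    """Return one finding per host where Defender was disabled by policy or a
    burst of watch-listed processes/services was stopped; escalate to critical
    when a Group Policy container was modified within WINDOW beforehand."""
    events = list(events)
    gpo_changes = [e for e in events
                   if e.get("event_id") == 5136 and e.get("object_class") == "groupPolicyContainer"]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        defender_off = [e["ts"] for e in evs
                        if e.get("event_id") == 13
                        and e.get("target") in DEFENDER_DISABLE_VALUES
                        and "0x00000001" in e.get("details", "")]
        stopped = {}  # target -> first time it was stopped
        for e in evs:
            if e.get("event_id") == 1:
                target = stopped_target(e)
                if target in KILL_WATCHLIST:
                    stopped.setdefault(target, e["ts"])

        reasons, times = [], list(defender_off)
        if defender_off:
            reasons.append("Windows Defender disabled via policy registry value")
        if len(stopped) >= KILL_THRESHOLD:
            reasons.append(f"{len(stopped)} watch-listed processes/services stopped: {sorted(stopped)}")
            times.extend(stopped.values())
        if not reasons:
            continue

        first = min(times)
        finding = {"host": host, "severity": "high", "first_seen": first, "reasons": reasons}
        for g in gpo_changes:
            # A GPO edit on the DC followed by this host activity on the next policy refresh
            if timedelta(0) <= first - g["ts"] <= WINDOW:
                finding["severity"] = "critical"
                reasons.append(f"preceded by GPO change on {g['host']} by {g['user']}")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f["severity"].upper(), f["host"], f["first_seen"].isoformat(), "|", "; ".join(f["reasons"]))
```

On the constructed input only HMI-07 is reported, at critical severity because the Defender change and the four kills arrive about a minute after the Group Policy container was edited on DC01; the single `net stop Spooler` on ENG-02 falls below the threshold and its target is not on the watch-list. In a real deployment the GPO correlation is the valuable part: a Group Policy edit outside a change window, followed within minutes by Defender policy changes on many hosts, is the propagation pattern described above, and it is visible on the domain controller even when the OT endpoints themselves have no security agent.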

The latest of Lockbit’s victims is the UK’s Royal Mail.

Only last week, on the 12th of January, the Royal Mail computer system responsible for the despatch of overseas deliveries was compromised by Lockbit, a ransomware strain widely thought to have close links to Russia.

As a result, Royal Mail has been unable to send parcels or letters abroad and has suspended the service (including on its website) until further notice.

The ransomware group has also threatened to publish the stolen information online.

This attack comes only a few weeks after the Guardian newspaper was hit on the 20th of December by a ransomware attack affecting parts of the company's technology infrastructure, which the Guardian publicly confirmed last week.

About this article
This article was prepared based on a webinar offered by Dragos in December 2022, available here.