Ransomware cybercriminals continue to target manufacturers
If your manufacturing clients are seeing cyber premiums increase, more ransomware incidents could be why.
According to a new report by industrial cybersecurity firm Dragos, out of 905 ransomware incidents Dragos tracked, 638, or 70%, affected the manufacturing sector.
Dragos noted about a 50% increase in ransomware attacks against industrial organizations between 2022 and 2023.
But what could be of more value than the knowledge of increased premium expectations is the reason why this sector is seeing so many ransomware attacks. If manufacturers are not willing to plug the holes in the dike, then they should prepare themselves for attack, as attackers will always pursue the most vulnerable risks.
Exploiting vulnerabilities
Lax defenses and the significant costs incurred by any impact to operations make industrial organizations vulnerable to digital extortion. In looking at the manufacturing sector, the industry was quick to move into digital transformation and internet connectivity but did not invest in IoT security at the same time. Ransomware attacks not only impact operational efficiency but also lead to financial and reputational costs, and further still have trickle-down effects on downstream businesses and outputs.
As with many sectors, the manufacturing sector still struggles with segmenting networks like those that deal with human resources from operational technology networks that control operations. This gives a hacker broad access to the organization. Water and wastewater utilities moving into digitization are also vulnerable, with a need to secure entry to access points as they move into digital transformation. The more connected and reliant on automation and digital infrastructure companies become without improving security for that operational technology, the more likely disruption will be.
Hacker strategy
Ransomware operators use many methods to gain entry into a system: collaborating with initial access brokers, using phishing techniques, and exploiting publicly accessible network assets such as VPNs and RDP servers. Further, it has been found that industrial operators often have little to no visibility into their systems, and many use shared credentials between information networks and operational technology systems.
LockBit was the most used ransomware variant observed by Dragos last year, hitting 222 industrial organizations and accounting for a fourth of all ransomware incidents the firm tracked. ALPHV and BlackBasta both hit around 80 industrial organizations, based on Dragos tracking, and made up around 9% of total ransomware incidents.
The good news is that on February 20th of this year, the U.S. and U.K. authorities seized the darknet websites run by LockBit. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.
Russian nationals were charged as part of an international plot to deploy the malicious software, as announced by the Justice Department. The Federal Bureau of Investigation (FBI) has established a victim reporting questionnaire for U.S. victims and non-U.S. victims who wish to participate in the U.S. LockBit prosecutions (e.g., to submit a victim-impact statement or to claim restitution), and/or are seeking additional information or help with a LockBit attack against their organization.
Emerging threats
Dragos also noted that it has been tracking two new threat groups it calls Chernovite and Bentonite, which both focus on attacking the industrial sector. The groups attacking the industrial sector have been growing each year, with more and more threat actors appearing as new attackers, or as spin-offs of existing groups.
Traditional IT and standard security measures will likely not protect the operations of manufacturers and those in the industrial sector. Given that manufacturing is known as one of the top four critical infrastructures impacted by ransomware (along with energy, healthcare, and transportation), it behooves savvy risk managers to look into what cybersecurity methods are available to address each area of operations, before their company becomes the next attack victim.