One in seven ransomware extortion attempts leak key operational tech records

Researchers say that double-extortion ransomware attacks represent a severe risk to operational processes.
Written by Charlie Osborne, Contributing Writer

One in seven ransomware extortion data leaks reveals business-critical operational technology data, researchers say. 

Ransomware has evolved from barebone encryption and basic demands for payment into something potentially far more severe in recent years. 

Once, ransomware was used en masse to infect systems and extort blackmail payments from the general public -- normally in cryptocurrency such as Bitcoin (BTC) -- but now, operators are targeting high-value targets for larger payoffs. 

In what some cybersecurity experts call "big game hunting," ransomware groups go for large enterprise firms, utilities, hospitals, and key supply chain players. 

While it may take longer to perform the reconnaissance required to enter networks owned by large companies, once entry has been obtained, it is possible that one attack can land them millions of dollars. 

Colonial Pipeline is an example of just how debilitating a ransomware attack can be. The fuel supplier's systems were hijacked by ransomware in 2021 by DarkSide, and while a $4.4 million ransom was paid to restore Colonial Pipeline's network, the damage was already done -- the attack prompted panic buying and fuel shortages across the United States. 

However, ransomware attacks against the enterprise now go further. Cisco Secure coined the term "one-two-punch" extortion, in which ransomware operators will steal confidential data before encryption begins and will threaten to leak this information if a victim refuses to pay up.

Also: Hackers hijack smart contracts in cryptocurrency token 'rug pull' exit scams

Many ransomware operators manage leak sites online that publish stolen data dumps, and according to Mandiant Threat Intelligence, over 2021, thousands of victims found themselves subject to these extortion tactics. 

In only a 12-month period, over 1,300 organizations from critical services, infrastructure, and the industrial sector were impacted. 

Mandiant collected samples from victims that leverage operational technologies (OT) for their production. After pouring through the data dumps leaked on the name-and-shame websites, the researchers found everything from network and engineering diagrams to information on partner vendors and operator panels. 

Among the samples examined were stolen employee credentials, asset tags, third-party vendor agreements and legal documents, project files, product diagrams, process documents, spreadsheets, visualizations, and in one case, the proprietary source code of a satellite vehicle tracker's GPS platform.

"Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation," the researchers say. "Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber-physical attacks."

To make matters worse, leaked OT records may also provide cyberattackers -- whether the original group or a copycat team looking to strike the same victim -- a picture of a company's culture, staff, finances, production processes, research, intellectual property, and more. 

"We recommend that organizations in these sectors enforce robust data handling policies for employees and subcontractors to ensure that internal technical documentation is protected," commented Daniel Kapellmann Zafra, Mandiant senior technical analysis manager. "This is particularly important for critical infrastructure such as rail, which provides services to thousands of passengers every day." 

"If you find your data has been exposed on a ransomware extortion site, it's important to assess the value of this leaked data and determine if any additional controls should be put in place to decrease the risk of an adversary using this data in future."

Last month, Trellix (McAfee Enterprise/FireEye) released the results of an analysis of ransomware attacks between July and September 2021. The company said that organizations in the finance and retail sectors, alongside utilities, were the most common targets, making up 58% of reported ransomware incidents. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards