Ransomware gangs are taking aim at 'soft target' industrial control systems

Cyber criminals are increasingly targeting industrial control systems that control cyber-physical systems in the hope of big pay days.
Written by Danny Palmer, Senior Writer

Ransomware attacks are targeting legacy industrial control systems (ICS), and more needs to be done to secure networks at industrial facilities against the threat of disruption by cyber criminals attempting to make money from extortion.

A report by cybersecurity researchers at Trend Micro warns that ransomware is "a concerning and rapidly evolving threat to ICS endpoints globally" with a significant rise in activity during the past year. 

The motive behind ransomware attacks is simple – making money. Cyber criminals know that by hitting the industrial control systems used to operate factories and manufacturing environments, which rely on constant uptime, they have a good chance of getting paid.


These networks, and the ones that support utilities like water and power, need to be fully operational in order to provide services. The longer the network is down, the more disruption there will be, so the victim might decide to give in and meet the cyber criminals' ransom demand.

"The underground cybercrime economy is big business for ransomware operators and affiliates alike. Industrial Control Systems found in critical national infrastructure, manufacturing and other facilities are seen as soft targets, with many systems still running legacy operating systems and unpatched applications. Any infection on these systems will most likely cause days if not weeks of outage," said Bharat Mistry, technical director at Trend Micro. 

Recent examples of successful ransomware campaigns like the attack against meat processor JBS demonstrate just how lucrative ransomware can be, as cyber criminals using REvil ransomware were able to make off with $11 million in bitcoin.

Meanwhile, the Colonial Pipeline ransomware attack showed how a ransomware attack against an industrial target can have very real consequences for people, as gasoline supplies to much of the north-eastern United States were limited because of the attack. 

Cyber criminals using many different forms of ransomware are targeting industrial control systems, but four families of ransomware account for over half of these attacks.

They are Ryuk – which accounts for one in five ransomware attacks affecting ICS by itself – Nefilim, REvil (also known as Sodinokibi) and LockBit.

According to the report, the US is the country with the most instances of ransomware affecting ICSs, followed by India, Taiwan and Spain. 


To help secure ICS endpoints against ransomware and other cyberattacks, the Trend Micro report offers several recommendations. 

They include patching systems with security updates, something the paper acknowledges as a "tedious" but necessary process. Keeping networks patched with the latest security updates means cyber criminals can't exploit known vulnerabilities that can be protected against.

If patching isn't an option, then the network should be segmented in order to separate vulnerable industrial control systems from internet-connected systems.

It's also recommended that ICS networks are secured with strong username and password combinations that are difficult to crack with brute force attacks. Applying multi-factor authentication across the network can also help secure it against unauthorized intrusions.

