Ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone

Industrial environments make an alluring target for criminals distributing ransomware as attacks have the potential to cause massive disruption - organisations need to act now to secure their networks.

Ransomware: Why industrial networks make an appealing target for cyber extortion

Ransomware attacks are a potential danger for any organisation, with ransomware variants including Conti, Egregor, Maze and many others still successfully compromising victims across all industries – but there are some industries that criminal gangs are targeting more than others.

The ransomware attacks are successful because many organisations can't afford for their network to be out of service for a sustained period of time, so many businesses are still taking what they perceive to be the quickest and easiest route to restoring the network by giving in to the ransom demands of criminals.

A recent report by cybersecurity company Digital Shadows examined which industries were most targeted by ransomware during 2020. While almost every industry found itself dealing with ransomware gangs over the course of the past 12 months, industrial goods and services was the most targeted, accounting for 29% – or almost one in three – ransomware attacks.


That number of attacks is more than those on the next three most targeted sectors – construction, technology and retail – combined.

Manufacturers and infrastructure operators can make a tempting target for ransomware attacks because the organisations in these sectors need to be in operation around the clock, whether that's running a factory production line or operating a utilities plant. If they can't provide these services, there can be wide-ranging impacts further down the supply chain.

"Industrial organisations will feel more pressure to pay the ransom as periods of inoperability have significant impacts to their customers. This may result in a perception that organizations in this area are more likely to pay a ransom demand compared to organizations in other sectors," says Jamie Hart, cyber-threat intelligence analyst at Digital Shadows.

These systems also tend to be in constant use, which creates another problem: operators may be reluctant to take them offline to apply the steady flow of routine software patches needed to close the security vulnerabilities that give ransomware gangs access in the first place. That's if the machines can receive security updates at all, because obsolete, unsupported technology is still common in many industrial environments.

"Organisations in this vertical are heavily reliant on systems that are outdated and thus require significant efforts to maintain vulnerability management. Additionally, these systems are so vital to the day-to-day operations of these organizations taking them offline for patching is a significant undertaking," says Hart.

This reliance on older systems and the need for constant uptime, therefore, makes industrial plants tempting victims for ransomware attacks. For the cyber criminals, it's all about the money and they're targeting factories because they know there's money to be made, potentially against a soft target that will be willing to pay up.

"Ransoming an enterprise, that's one thing. Ransoming an industrial plant that has a 15-million-a-day production line that would be affected by downtime, that's another," says Rob Lee, CEO and co-founder of Dragos, a company specialising in industrial cybersecurity. "It will be extremely enticing for ransomware operators."

Most ransomware will target the PCs and servers on the business network (which is often enough to shut down operations), but some goes further and targets the industrial systems too. A few specialist ransomware operations are looking to take attacks even further in their quest to make money, with variants such as EKANS specifically designed to target industrial control systems (ICS).

The prospect of ransomware encrypting ICS systems in factories is worrying in itself, but there's also the potential for these gangs to target critical infrastructure and attempt to hold energy, water and other utilities hostage.

These aren't products that organisations and individuals could go without for a few days – if a cyber criminal has the ability to shut down the power of a city, the impact is going to be felt far and wide.

There have been some examples of likely state-sponsored hackers compromising critical infrastructure suppliers and tampering with the systems, such as Stuxnet – a malware attack that caused substantial damage to Iran's nuclear program by spinning up centrifuges to the extent it tore them apart.

There's also Industroyer – also known as CrashOverride – which caused a power grid blackout across a large area of Ukraine in December 2016.


Inevitably, where state-backed cyber attackers lead, cyber criminals will follow – as demonstrated by the uptake of leaked NSA hacking tool EternalBlue, which not only helped power destructive attacks like North Korea's WannaCry campaign and Russia's NotPetya attack, but was taken up by cyber criminals to distribute ransomware, malware, cryptocurrency miners and other malicious payloads.

And now cyber criminals are increasingly turning towards targeting industrial control systems as they learn how previous attacks work and attempt to mimic techniques and procedures in ransomware campaigns.

"We have rising instances of ransomware actors who are more interested in getting into these spaces to the extent of designing very crude, but very concerning techniques such as terminating processes to extend encryption activity," says Joe Slowik, senior security researcher at DomainTools.

Ekans ransomware was first documented in early 2020 and is designed to target Windows machines in industrial environments – complete with commands and processes associated with a number of industrial control system-specific functionalities, with the intention of stopping them as part of a ransomware attack.
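The behaviour described above, a burst of terminations of ICS-related processes followed by bulk file encryption, is something a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from any of the companies quoted in it: a small detector that reads Sysmon-style process-terminate and file-rename events, groups them by host and acting process, and raises an alert when one actor kills several watchlisted processes inside a short window and then renames many files shortly afterwards. The process names in the watchlist and every log line are constructed placeholders for this example and are not the real EKANS kill list; the key=value log format is likewise an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist standing in for HMI, historian and OPC services on an
# industrial host. Placeholder names, not the actual list shipped with EKANS.
ICS_WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe", "plc_bridge.exe"}

# Constructed Sysmon-like telemetry (ISO timestamp followed by key=value pairs).
# HMI-01 shows one actor killing four watchlisted processes in three seconds and
# then renaming files to a new extension; ENG-02 shows a single legitimate service
# restart that must not alert.
SAMPLE_LOG = """\
2021-02-10T09:11:55Z host=HMI-01 event=ProcessTerminate image=notepad.exe actor=explorer.exe
2021-02-10T09:12:01Z host=HMI-01 event=ProcessTerminate image=hmi_runtime.exe actor=update.exe
2021-02-10T09:12:02Z host=HMI-01 event=ProcessTerminate image=historian_svc.exe actor=update.exe
2021-02-10T09:12:02Z host=HMI-01 event=ProcessTerminate image=opc_server.exe actor=update.exe
2021-02-10T09:12:03Z host=HMI-01 event=ProcessTerminate image=plc_bridge.exe actor=update.exe
2021-02-10T09:12:10Z host=HMI-01 event=FileRename actor=update.exe path=C:\\proj\\line1.cfg.locked
2021-02-10T09:12:10Z host=HMI-01 event=FileRename actor=update.exe path=C:\\proj\\line2.cfg.locked
2021-02-10T09:12:11Z host=HMI-01 event=FileRename actor=update.exe path=C:\\proj\\recipes.db.locked
2021-02-10T09:12:11Z host=HMI-01 event=FileRename actor=update.exe path=C:\\proj\\alarms.log.locked
2021-02-10T09:12:12Z host=HMI-01 event=FileRename actor=update.exe path=C:\\proj\\trend.dat.locked
2021-02-10T09:30:00Z host=ENG-02 event=ProcessTerminate image=hmi_runtime.exe actor=services.exe
2021-02-10T09:30:04Z host=ENG-02 event=ProcessCreate image=hmi_runtime.exe actor=services.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one telemetry line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect(lines, kill_window=timedelta(seconds=60), min_kills=3,
           encrypt_window=timedelta(minutes=5), min_renames=5):
    """Return one alert per (host, actor) that shows the kill-then-encrypt pattern.

    Stage 1: at least min_kills watchlisted terminations by one actor inside kill_window.
    Stage 2: the same actor renaming at least min_renames files within encrypt_window
    after the burst, which escalates the alert from 'high' to 'critical'.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e.get("actor"))].append(e)

    alerts = []
    for (host, actor), evs in by_actor.items():
        kills = sorted(
            (e for e in evs
             if e["event"] == "ProcessTerminate" and e.get("image") in ICS_WATCHLIST),
            key=lambda e: e["ts"])
        # Slide a window across the kill timestamps; the first qualifying burst alerts.
        for i, first in enumerate(kills):
            burst = [k for k in kills[i:] if k["ts"] - first["ts"] <= kill_window]
            if len(burst) < min_kills:
                continue
            burst_end = burst[-1]["ts"]
            renames = [e for e in evs if e["event"] == "FileRename"
                       and burst_end <= e["ts"] <= burst_end + encrypt_window]
            alerts.append({
                "host": host,
                "actor": actor,
                "killed": sorted(k["image"] for k in burst),
                "renamed_files": len(renames),
                "severity": "critical" if len(renames) >= min_renames else "high",
            })
            break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two-stage shape matters for the ICS case the article describes: a burst of watchlisted terminations alone is already worth a 'high' alert, because on an HMI or historian host it is rare and is the step that precedes encryption, while the rename stage confirms the ransomware behaviour. Thresholds and the watchlist should be tuned per site from the normal restart and maintenance patterns of the plant.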

It's a cyber-criminal operation designed purely for financial gain – especially as a utilities provider can't wait for weeks to restore the network, so could be pushed into paying the ransom in the hope that applying the decryption key solves the immediate problems.

But encrypting industrial control systems is different to encrypting an enterprise business network – these systems can control machines that have a physical presence in the world, and disrupting those machines could lead to unforeseen consequences. Shutting down a factory is not quite the same as shutting down a PC.

"A combination of the deliberate intention of trying to hold industrial operations to ransom, as well as the unintentional impact of if you terminate these things in the wrong way, can lead to not just classic ransomware problems but potentially serious implications," says Slowik.

Currently, ransomware that targets industrial control systems is still a rare occurrence – even if wider industrial environments still regularly find themselves on the receiving end of ransomware attacks. But in both cases, there are things the organisations can do to minimise the chances of falling victim to a ransomware attack in the first place.


Unpatched security vulnerabilities can allow ransomware and other malware to enter and propagate around the network, so it's highly recommended that critical security updates are applied soon after they're released as they're there to protect against known vulnerabilities. While it might be painful to briefly disrupt parts of the network to make sure the patches are applied, it's going to be less painful than falling victim to a cyberattack.

In addition to this, anything that can't receive security updates for one reason or another should be segmented from the rest of the network – if it even needs to be outwardly facing the internet at all – to help prevent cyber criminals from using more vulnerable systems as a gateway to the rest of the network.

Crucially, industrial organisations should be bolstering their cybersecurity now – not when it's already too late to protect against potentially damaging attacks.

"I don't think we should be freaking out now, I don't think the sky is falling, but I think we're in that five-year event window where this gets really bad. If you want to get ahead of that, you better be starting now," says Lee.
