Ransomware: Industrial services top the hit list - but cyber criminals are diversifying

Ransomware gangs are heavily targeting industry with attacks - but increased competition means cyber criminals are expanding their targets.
Written by Danny Palmer, Senior Writer

Businesses in industrial goods and services are still the most popular target for ransomware attacks, but cyber criminals are increasingly diversifying which organisations they're extorting. 

Ransomware has become a major cybersecurity issue, as cyber criminals infiltrate networks and encrypt servers and files before demanding a ransom payment – often amounting to millions of dollars in cryptocurrencies – in exchange for the decryption key. 

In a significant number of cases, the victim will give in to the demands and pay the ransom. This might be because they don't have back-ups, because the criminals threaten to leak stolen data if they're not paid, or simply because the victim perceives paying to the ransom be the quickest means of restoring the network. Yet in reality, even with the correct decryption key, services can remain disrupted for a long time after the event. 

In an analysis of hundreds of reported ransomware attacks between July and September this year, cybersecurity researchers at Digital Shadows found that industrial goods and services was the most commonly reported sector, accounting for almost double the number of incidents that affected the second most affected industry – technology. 

One of the most significant ransomware attacks this year affected an industrial environment, when Colonial Pipeline fell victim to DarkSide ransomware.  The cyber attack led to a shortage of gas for much of the United States east coast and people rushed to stockpile gas. The company ended up paying a ransom of millions of dollars to restore the network. 

SEE: A winning strategy for cybersecurity (ZDNet special report)   

Industrial environments are a popular target for ransomware cyber criminals because if a product or service can't be produced or delivered, it affects customers – and the bottom line. As such, many companies opt to pay to get services up and running again quickly.

"Companies within the industrial goods and services sector are commonly targeted due to their sensitivity to prolonged outages; manufacturers often need to be working 24/7," Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows told ZDNet. 

"Even the slightest outage can significantly impact the target's supply chain. Many companies within this sector—and other sectors like construction and agriculture—rely on technology to provide automation. Without this technology, productivity grinds to a halt."

In addition, industrial environments are often running on technology that make them easy pickings for ransomware gangs. This can range from relying on old, out-of-date software that doesn't receive security updates, to using much newer, Internet of Things connected devices and sensors that can be exploited by cyber criminals to access a network. 

While it won't do away with the threat entirely, businesses can take steps to avoid falling victim to cyber attacks, such as applying security updates in a timely manner and applying multi-factor authentication.

Diversifying targets

While industrial environments remain the top target for ransomware attacks, there was a reduction in the number of attacks against them during the last quarter as cyber criminals diversified their targets.

The research by Digital Shadows found that the technology industry was the second most targeted during the reporting period. The most significant attack on this sector in recent months was against Kaseya, an IT solutions provider, which was targeted in a supply chain attack that affected thousands of companies around the world.  

SEE: This company was hit by ransomware. Here's what they did next, and why they didn't pay up 

Other common ransomware targets include construction, financial services and legal services, as well as food and drink companies, all of which possess vital systems or data that criminals can leverage to coerce victims into paying the ransom. 

Researchers warn that the expansion in sectors being targeted could be due to the emergence of new ransomware groups and increased competition amongst gangs. "The diversification of targets likely comes naturally as a result of the ransomware market becoming more saturated," said Morgan. 

"Digital Shadows currently tracks 35 data-leak sites operated by distinct ransomware groups, and while this number fluctuates regularly, it is highly likely to increase in 2022. With more groups needing more victims to target, new sectors will come into the firing line of this type of activity."


Editorial standards