Defence Online

FireEye releases report examining the ransomware threat to industrial production

Land February 28, 2020

A new report from FireEye examines the ransomware threat being faced by industrial production IT and OT.

The scale of ransomware threat is examined in a new report from FireEye: Ransomware’s Threat over Critical Infrastructure and Industrial Production, particularly IT and OT vulnerabilities. Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organisations.

Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE, have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organisations to produce and deliver goods and services.

In 2017, FireEye also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities was released to disrupt organisations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

• As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (such as credit card numbers or customer data) to include the monetisation of production environments.
• As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
• Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organisations. As a result, Ransomware expects mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes.

If you would like to join our community and read more articles like this then please click here.

Business cyber security cyber threats hack industry IT ransomware

Post written by: Vicky Maggiani

Vicky has worked in media for over 20 years and has a wealth of experience in editing and creating copy for a variety of sectors.