Ransomware groups are increasingly adopting techniques that could be used to hurt the operations of manufacturing companies, such as incorporating code that looks for and exploits industrial control systems (ICSes) and can spread from IT networks to OT networks, according to ICS security firm Dragos.
In a report released today, the company points to multiple codebases — including EKANS, Megacortex, and Clop — that now include code for stopping processes in ICSes, and pointed to multiple public ransomware incidents that shut down manufacturing firms. In March 2020, for example, a strain of the Ryuk ransomware hit steel maker EVRAZ, shutting down production and leading to the temporary furloughing of more than 1,000 workers for at least four days, Dragos stated, citing media reports.
While other types of attacks have targeted manufacturers, ransomware poses the most risk in 2020, especially for many critical subsectors of the industry, says Selena Larson, senior cyberthreat analyst at Dragos.
“Manufacturing is incredibly important and crucial as a supplier to many other industries,” he says. “Pharmaceutical makers are hugely important, especially when it comes to the coronavirus pandemic. And take the defense industrial base — that supports government and military infrastructure.”
The focus on manufacturing companies is not surprising given ransomware’s evolution. Healthcare, local government, and school districts have all been highly visible targets of ransomware groups because they all have an operational component. Taking down those organizations’ capabilities has a direct impact on services and operations, often leading to the disclosure of the breach and making the payment of the ransom the best business decision.
In 2019, Dragos’ incident response team found two-thirds of incidents involved attackers accessing an ICS directly from the Internet, while all attacks were able to connect out from their operational environments, allowing adversaries to exfiltrate data.