Ransomware Snapshot in OT and ICS: February 2022 Edition
Ransomware attacks on company IT systems tied to operational technology (OT) can cause severe disruptions even when industrial control systems aren’t directly targeted. In 2022, it is anticipated that ransomware will be the primary attack vector for the industrial sector. Research indicates that the manufacturing sector accounted for 52 percent of 56 ICS-related dedicated leak sites’ (DLS) postings in 2021. Conti, Lockbit, and Sodinokibi/Revil contribute to 60 percent of ransomware attacks. Lockbit 2.0 published data about companies across eight different nations around the globe.
Conti was built off code from the “Hermes” ransomware variant that was sold in August 2017 via a popular criminal marketplace Exploit. The industries that are most heavily affected by the Conti ransomware are construction, manufacturing, and retail. Attacks have been reported against organizations in the US, the UK, Spain, France, Germany, and Canada. Conti uses a large number of independent threads to perform encryption - enabling up to 32 simultaneous encryption efforts - and runs 160 individual commands. The ability to target specific machines on a network could allow Conti to invade server components even without internet capability.
LockBit’s activity is relatively minor in comparison, but its operators have been linked to the Maze group, which has been highly active. Security researchers have yet to identify any implementation flaws that could permit victims to bypass the ransom demand and decrypt their files for free. LockBit focuses attacks on government entities and enterprises in a variety of sectors such as healthcare, financial services, and industrial goods and services. Initial attack vectors include phishing, spear phishing, and business email compromise (BEC).
Sodinokibi (aka REvil, Sodin) is a ransomware variant first detected in April 2019. Since then, the variant has been actively used in ransomware attacks targeting organizations worldwide. Operators of this variant have adopted the increasingly popular tactic of also threatening to release data stolen from their victims (aka double extortion) on their “Happy Blog” leak site. The ransomware overlaps with the “GandCrab” malware families developed by the Pinchy Spider threat group.
Conti, Lockbit, and Sodinokibi automatically vet their targets and use phishing and remote desktop protocol (RDP) compromise as their primary attack vector. They all have one thing in common: they get access to the infrastructure by exploiting known flaws. After gaining initial access, adversaries can move laterally and execute various malware strains to compromise enterprise IT and OT systems. The chart below shows attack vectors used by Conti, Lockbit, and Sodinokibi ransomware.
The security function of an enterprise is dependent on many critical functions such as IT, Operation Technologies, Access Control, and Auditing. Any failure in one or more of these dependencies can lead to cascading failures which can be fatal for the system’s operation. Localized attacks on spatial networks could spark a chain reaction of failures and a complete meltdown often ensues. Even minor changes to any of the described functions may have the security impact on the system.
Lateral threat movement is usually the primary cause of rapid Ransomware expansion in industrial environments. The adversaries target and compromise one endpoint and then rapidly expand inside the organization. Industry analysts and security experts recommend granular network segmentation to prevent Ransomware propagation. It’s not wonder that, Zero Trust architecture is now quickly becoming the preferred security strategy for both businesses and governments. Many security leaders are cautiously embarking on the journey, some of them a bit intimidated by the required changes in the strategy and the leadership mindset. Everyone is looking for an easy button. We believe it’s possible.
Airgap Networks is the industry’s first Zero Trust agentless segmentation solution that works at the intersection of IT and OT to ensure your organization stays secure from external and internal threats. Based on Zero Trust principles, Airgap prevents lateral threat movement, only allows authorized and authenticated access to high value assets, and ensure rapid incident response via its patented Ransomware Kill Switch solution. Airgap is easy to deploy and compliments current infrastructure- that means there are no forklift upgrades or infrastructure changes. Customers often start seeing the results within a few minutes of deployment.
We would love to hear your thoughts on recent ransomware attacks, prevention techniques, and recommended tools. Please