Issue 8: 500% rise in ransomware attacks on industrial entities

by Smart Grid Forums on April 2, 2021

Cyberweekly No.8

Ransomware attacks are now the fastest growing form of cyberattack on IT and OT infrastructures. 2020 saw a 62% rise in ransomware attacks across all sectors as compared with 2019, and a 500% rise on OT infrastructure as compared with 2018. With cybercriminals shifting their attention away from low value ‘spray and pray’ targeting methods to higher value ‘big game hunting’ approaches aimed at government entities and private enterprises, power grid cybersecurity and engineering teams must prepare now to fight a more ferocious and frequent cyber battle in the year ahead.

Almost as old as the Internet itself, ransomware attacks were originally distributed via malware on floppy disks and USB sticks. But with Internet ubiquity the nature of these attacks has been changing and morphing almost on a weekly basis, making them extremely hard for cybersecurity and engineering teams to get ahead of. In the past year, the combination of more advanced encryption technologies available on the market, the rise in the value of cryptocurrency, the explosion of Ransomware-as-a-Service offerings on the dark web, and the sudden expansion of the victim pool through WFH and BYOD trends, has made ransomware attacks the go-to exploit for semi-skilled cybercriminals looking to maximise their ROI.

So, what exactly is a ransomware attack and how can it be prevented in your organisation? Ransomware attacks target vulnerabilities at endpoints in organisations that are not entirely up to date with their security hygiene in terms of patches, antivirus, logging of critical data, and social engineering awareness. They use infection vectors such as emails with malicious links and attachments, outdated browsers visiting compromised websites, and brute-force password cracking of Remote Desktop Protocol (RDP). Once in, the attacker moves laterally until they can access an admin account, takes over the entire system, delivers the payload by encrypting critical files, and then extorts cryptocurrency.

Ransomware attacks have a particularly high success rate when they target organisations that deliver time-critical services through mission-critical assets with high-uptime expectations. These organisations may have sensitivities around protecting their reputations, and will certainly have access to large sums of money either directly or through cyber insurance. Ironically, in the past year the total cost of recovery from a ransomware attack was estimated to be on average in the region of $1.4m for organisations that paid out versus $700k for organisations that did not.

Yet while the data supports non-payment, and common sense suggests that payouts will only embolden cybercriminals and fuel the development of next-generation malware, creating a vicious self-fulfilling cycle of cybercrime, busy organisations with time-critical services to deliver believe that until ‘attribution’ moves from concept to practical reality, cyber insurance and on-demand payouts are the only guaranteed route to timely recovery of systems and services and, in many cases, protection of human lives.

So, what can power grid cybersecurity and engineering teams do to get ahead of the ransomware threat?

1) Get on top of basic cyber hygiene in both the IT and OT environments.
2) Create reliable data backups to ensure business continuity without the need for a payout.
3) Develop a robust incident response procedure in support of the evolving attribution process.
4) Refuse to pay the ransom.
5) Align your reputation with ‘fighting’ rather than ‘siding’ with cybercriminals.

Please enjoy this week’s selection of news, views and resources below, and feel free to share this newsletter with colleagues in other departments, and peers in other organisations.

Kind Regards,


Mandana White
CEO | Smart Grid Forums

News, Views & Resources

MARKET REPORT: Sonicwall. 2021 Cyber Threat Report.
Almost all organizations in high-stakes environments, whether it be power plants, government agencies, law enforcement or another group depended on to fulfil a vital need, have a philosophy of resiliency. It may be known as a contingency plan, a fallback, or even by a code name, but the idea is the same: This is how we maintain operations when things don’t go as expected. And 2020, a year in which very little went as expected, highlighted the danger of approaching cyber-resiliency as merely a best practice. It is vital that we expand our thinking from just “How are we going to prevent an attack?” to also include “What will we do when (not if) we get attacked?”

MARKET REPORT: Dragos. Ransomware in ICS Environments.
Although many ransomware strains impacting industrial control systems (ICS) and related entities are IT-focused, such ransomware can have disruptive impacts on operations. Ransomware can directly impact the operational technology (OT) environment if it is able to bridge the gap between enterprise and operations due to improper security hygiene. Ransomware can also have an indirect impact on operations by affecting resources such as logistics, fleet management, sales operations and fulfilment, or by causing loss of view to enterprise resource management tools. Attackers are becoming increasingly hostile in terms of attack behaviour, including stealing data before deploying ransomware and threatening companies with its release if the ransom is not paid.

WHITE PAPER: Splunk. Ransomware 101. Key Ways to Combat Ransomware.
Ransomware is a growing problem for organizations of every size with the numbers of attacks and the money spent to clean up the damage on the rise. Ransomware now regularly steals the headlines and gone are the days when it is just a minor corporate issue. So, what exactly is ransomware? It is a type of malware that holds network data “hostage.” Although security hygiene can be time-consuming and difficult to maintain, it’s these fundamentals that are the most important focus areas for enterprise organizations.

EXECUTIVE REPORT: Trend Micro. Ransomware as a Service.
Cybercrime as a service (CaaS) is an important trend in Deep Web forums because it puts cybercriminal tools and services in the hands of a wider range of threat actors—even the nontechnical, such that anyone can become a cybercriminal with minimal investment. At the same time, cybercriminals are now seeing the advantages of expanding their targets from home users to larger enterprise networks. This is a matter that IT administrators need to be ready for.

VIDEO: Waterfall. Top 10 Targeted Ransomware Attacks of 2020. Industrial Security Institute
The year 2020 saw significant growth and evolution of ICS cyber-attacks with the precarious move to more remote operations due to the COVID-19 pandemic. Here are the top 10 most notable cyber-attacks on industrial systems for 2020:
- All these attacks were reported in the press as public incidents, and all were credible cyber-attacks that had physical consequences in 2020.
- All these attacks were targeted ransomware.
- Downtime estimates are conservative: public reports generally do not contain exact downtime figures, only estimates such as “at least X plants for at least N days”. The conservative estimate of average incident cost is 63 plant-days of downtime.
- Almost all attacks impacted multiple plants simultaneously; not surprisingly, the bad guys look to maximize their profits by overwhelming our incident response teams.
- Many of these attacks impacted sites that had deployed significant levels of software-based defensive, monitoring, detection and response capabilities.
