Ransomware extending to the industrial sector, including Conti and LockBit

Ransomware attacks on the industrial sector have increased, making this malware the number one threat

Ransomware extending to the industrial sector and operational technology environments

Research shows an increased number of threat groups targeting OT systems. This type of incident became one of the most common attacks in the industrial sector when the LockBit ransomware and Conti virus gangs became more active.[1] The creators of these threats target the systems of organizations with Industrial Control System/Operational Technology environments. Ransomware is one of the most dangerous threats; it involves compromising the machine and demanding money. Recently it has more commonly been found attacking manufacturing sectors, where more damage can be done.[2]

It seems that the manufacturing sector is often chosen for attacks because it is often “the least mature” in its OT security defenses. This industrial sector has become more attractive to financially motivated criminals and state-sponsored hackers. Research shows[3] increased numbers of such targets, and it is known that at least 35 compromises of companies were successful in the food and beverages business, while 27 infections were aimed at the transportation sector.

Unfortunately, threat actors manage to move from the IT network into the OT segment and release ransomware or breach systems easily:

While ransomware mainly targets enterprise IT systems, there are a number of instances when it does impact OT directly and in integrated IT and OT environments

More damage equals larger ransom sum demands

Gaining access to an organization's network allows threat actors to deploy any malware, execute code, and pursue whatever goal they have. If ransomware is deployed, attackers can demand money from the victim once the system is encrypted and the files are locked. These sums can be exceptionally large when OT systems are attacked. More damage can also be caused to the network.

According to reports, Conti ransomware and LockBit 2.0 ransomware[4] are the groups that have been very active in such attacks over the last year. These threats started targeting mainly manufacturing. In the last year, 65% of all ransomware attacks were aimed at manufacturing. These two threat families account for 51% of all the incidents in industrial infrastructure.

Ransomware attacks do not stop despite security efforts

Law enforcement is trying to put the ransomware-as-a-service[5] operations and the related hackers to bed. However, it seems that cryptocurrency extortion-based threats will keep disrupting various sectors and environments in the coming years too.

Actors related to these threats integrate IT kill processes into their payloads. Operators can shut down environments to prevent ransomware attacks while threats spread from the IT network to OT systems, though. Poor security perimeters caused by improper network segmentation create issues with these attacks. So the number of routers and switches should be lowered to avoid threats like this.

These malicious actors do not stop, and they even use different tools and techniques to achieve their goals. The mentioned Conti ransomware group recently started to manage the TrickBot malware.[6] Many attempts were made to take the virus down, but the multi-functional trojan remains active.

This virus can steal information and passwords, infiltrate Windows domains, and deliver malware such as ransomware. So the adoption is very profitable for the infrastructure of active threat groups like Conti ransomware. Such steps of improvement show that the gang is not going to stop operating any time soon.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
