According to research done by IBM’s X-Force cybersecurity unit, many attacks that attacked firms using operational technology (OT) networks in 2021 contained ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target.
According to the business, ransomware has been by far the most common threat type against OT organisations in 2021, accounting for 32 percent of all incidents. Many of these attacks have used the Ryuk ransomware, and IBM claims there have been more verified incidents of Ryuk finding up on OT networks than most other ransomware outbreaks.
Camille Singleton, senior strategic cyber threat lead at IBM, will speak about this issue on Wednesday at SecurityWeek’s ICS Cyber Security Conference in a session titled “Ryuk on industrial control system networks.” The online event is currently accepting registrations.
The study, according to Singleton, is based only on attacks that have the ability to damage industrial control systems (ICS) or operational technology (OT), such as insider attacks, remote access trojans, or IoT botnets.
“The two operational technology-related industries X-Force most regularly observes Ryuk actors target are manufacturing and transportation,” Singleton explained. “However, we know Ryuk actors also enjoy energy and utilities, industrial distribution, oil and gas, and healthcare.”
While the Ryuk ransomware makes its way to ICS or other OT systems in many instances, there are also attacks that exclusively target IT systems but nonetheless cause interruption to operational systems.
“Ransomware attacks on IT systems by themselves frequently have operational consequences because operational systems are shut down as a precaution,” Singleton explained. “Our research reveals that ransomware attacks have a 56 percent operational impact, even when the ransomware does not reach onto the OT network.”
Operators of Ryuk ransomware encrypt files on the victim’s network in an attempt to persuade them to pay a ransom, but they may also steal valuable data to boost their chances of being paid. However, IBM found no evidence of data theft in the attacks where Ryuk gained access to OT networks.
If OT businesses wish to limit the likelihood of substantial damage, Singleton recommends focusing on segmentation.
“Poor network segmentation played a factor in every situation we’ve seen where Ryuk got into an OT network,” the expert stated. “Paying close attention to domain controllers, limiting domain administrator accounts, locking them down, and heavily auditing them can reduce the chances of ransomware actors gaining access to domain controllers—which is critical for deploying ransomware—and, in some cases, even reduce opportunities to move to the OT network.”
Industrial enterprises have been warned about the possibility of ransomware by both cybersecurity corporations and government agencies. This form of malware is becoming more common on ICS, particularly in critical infrastructure facilities.