Ransomware attacks are growing significantly in number, sophistication and in the size of the ransoms demanded.
In its latest OT/IoT security review, San Francisco-based Nozomi Networks reports that ransomware attacks are estimated to have grown 116% between January and May of this year.
Moreover, increasingly they are executed by criminal groups run much like a cartel involving multiple unrelated parties acting together using a ‘ransomware as a service’ model.
The most high-profile example of the year so far was the attack on Colonial Pipeline in the US, for which a $4.4 million ransom payment was made. Although the OT network was not directly breached, pipelines were taken offline, leading to gas shortages along the US East Coast and significant downtime and losses for the company.
Nozomi Networks reports that a study of the internals of the DarkSide operation, the group that attacked Colonial Pipeline, reveals a combination of attack techniques. The first step, victim selection, is carried out by the ransomware group based on the victim's ability to pay a significant ransom.
Potential affiliates include botmasters and account resellers who provide initial access to victim networks, ransomware developers, analysts who look for blackmail material and the negotiators and launderers of the ransom.
“The success of the entire attack shows the effectiveness of the ransomware as a service model, with a division of labour that plays to the strengths of each party,” says the report.
The ransom split is estimated at approximately 20-40% for the ransomware group and 60-80% for the affiliates.
Nozomi Networks notes that another ransomware as a service operator, REvil, which has attacked JBS Foods and Acer among others, has set new records for ransom demands of $50 million or more.
The company also notes in its review that industrial control system vulnerabilities increased by 44% in the first half of 2021 compared with the same period in 2020.
The energy sector remains the third most affected sector, after critical manufacturing and the ‘multiple industries’ group.
Nozomi Networks recommends the first area to focus on for ransomware prevention is reducing opportunities for initial access to the company networks. This includes having spear-phishing protection in place, implementing security awareness training and requiring multi-factor authentication wherever possible.
Strengthening defence-in-depth measures is also important.
A post-breach mindset should also be adopted: for example, have a detailed plan for a failure in IT that could impact OT, complete with operational continuity and disaster recovery components.
And of note, paying the ransom doesn’t always pay off, according to Nozomi Networks: 80% of organisations that pay experience another attack and just 8% fully recover their data.