Ransomware groups are wreaking havoc on the industrial sector, particularly manufacturing companies, with tremendous spikes in cyberattack activity against United States organizations observed in the third quarter.
New ransomware groups are emerging on the scene, threatening to increase the frequency of cyberattacks even further. According to an analysis of ransomware attacks on industrial organizations, North America accounted for 36% of all recorded cases globally, marking a 10% increase from the previous quarter. However, the analysis found that the global attack rate remained flat from quarter to quarter, with 128 incidents in Q3 compared to 125 in Q2. Most of the observed incidents (68%) were directed at the manufacturing sector. That segment saw 88 confirmed attacks (those publicly reported, seen in the companies’ telemetry, or confirmed on the Dark Web), particularly against companies that produced metal products (12 attacks).
Companies in the manufacturing sector are moving to the cloud, digitizing manufacturing, inventory tracking, operations, and maintenance to increase agility and efficiency, with less production downtime and greater nimbleness. However, this shift can also create new attack surfaces. Manufacturers are investing in intellectual property and new technologies, including digital twins, to stay competitive. Manufacturers are changing the way they manufacture and deliver goods, moving toward industrial automation and flexible factories. The Industry 4.0 transformation puts a strain on mobile devices and cloud solutions. Nonetheless, numerous manufacturers’ security solutions remain on-premises, which creates efficacy and scalability challenges when they are tasked with protecting productivity solutions that have moved to the cloud. Security needs to be migrated to the cloud to adequately safeguard manufacturing operations.
In terms of other industrial segments, the food and beverage sector received 9% of attacks, followed by oil and natural gas (6%), and the energy and pharmaceuticals sectors (10% of attacks). There was only one attack in the chemical, mining, engineering, and water and wastewater systems segments.
When it comes to threat actors on the industrial stage, the LockBit group was responsible for more than a third of all global incidents (35%), while other well-known names focused on the energy sector (notably Ragnar Locker and BlackCat). However, the quarter saw an increase in emerging threat actors, including Sparta Blog, BianLian, Onyx, and the slow-burning Yanluowang. Various groups appeared to target specific industries:
- Ragnar Locker has primarily targeted energy
- Cl0p Leaks has only targeted water and wastewater
- In Q3, Karakurt focused solely on manufacturing, whereas in Q2 it focused solely on transportation entities
- LockBit 3.0 only targeted chemicals, drilling, industrial supplies, and interior design
- Stormous only targeted Vietnam
- Lorenz only targeted the United States
- Sparta Blog only targeted Spain
- Black Basta and Hive primarily targeted the transportation sector
The fact that specific ransomware strains target specific industries should encourage intelligence sharing. It should also encourage increased industry-level coordination against threats among companies that would otherwise compete in the marketplace. Instead of each organization erecting its own defenses, industry-wide responses are needed. Coordination is critical, especially given that more ransomware groups will emerge in the next quarter, either as new or reformed ones, because of changes in ransomware groups and the LockBit 3.0 builder leak, all of which can lead to increased attack volumes. Ransomware will continue to disrupt industrial operations, whether through the integration of Operational Technology (OT) kill processes into ransomware strains, flattened networks that allow ransomware to spread into OT environments, or precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems.
Increased ransomware attacks are most likely being driven by two engines, including the Russia-Ukraine war. The increase in ransomware attacks against industrial companies that rely on OT systems likely comes from threat actors who consider those companies easier targets because OT systems and devices are significantly more vulnerable than traditional IT systems. Even though the invasion of Ukraine may have increased the targeting of industrial companies, these companies have long been targeted by several foreign adversaries, meaning the increase is due to the combination of industrial OT systems being more easily exploited and increased activity due to Ukraine.
With companies in the industrial sector being targeted more frequently by ransomware groups, it’s important for companies to always remain vigilant about the current threat landscape and regularly upgrade their IT systems. At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center, monitoring companies’ data networks for potential ransomware threats and ready to respond to events at a moment’s notice. Our engineers discover blind spots in companies that can lead to compromises by comparing technology and internal personnel. Our ShadowSpear Platform, an integrable and fully managed detection and response tool, utilizes comprehensive insights using unparalleled data normalization and visualization to detect sophisticated and advanced ransomware threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.