About the talk
Ransomware attacks on industrial entities are increasing, with strains adopting ICS-aware mechanisms to disrupt OT systems. Ransomware operators are incorporating data theft operations into their attack techniques, posing greater concern and legal issues for victims. This session will discuss risks and consequences associated with these activities impacting ICS, and how to defend against them.
Selena helps produce Dragos' threat intelligence reporting, ICS security and threat intelligence research and whitepapers, and manages WorldView, the only threat intelligence product exclusively focused on ICS. She also writes about infrastructure security on the Dragos blog and is a coauthor of Dragos' Year in Review reports. She works to combat fear, uncertainty, and doubt surrounding malicious activity targeting ICS environments and helps people better understand complex concepts and behaviors.
Camille Singleton brings fifteen years of professional experience to cyber security topics, both in the US government and as an analyst at IBM, with a specialization in robust intelligence analysis. She has published multiple articles delving into the cybersecurity threat landscape, ranging from increases in PowerShell-based attacks to how threat actors are circumventing MFA. In addition, she has conducted several in-depth threat landscape research projects including a white paper on destructive malware.
Thank you so much. Thank you so much to RSA for having us at the 365 Virtual Summit. My name is Selena Larson. I am a senior cyber threat analyst at Dragos, which is an industrial control system cybersecurity company, and I'm here with my friend and colleague Camille.

Hi, and great. I'm Camille Singleton. I am the strategic cyber threat lead at IBM Security X-Force. And today the two of us are going to be discussing some research that we have recently conducted and published on ransomware in industrial control system environments.

To give you a little bit of an outline of what we're going to be talking about today: we have compiled a bunch of research data and run through the history to discuss the impact on operations as well as the new evolution of ICS-specific ransomware; ransomware as a problem and its impact on industrial organizations and their industrial operations; what we are seeing in human-operated ransomware and the idea of double extortion and data leaks; and what we are seeing on the horizon for ransomware. And then finally we're going to go over some defensive recommendations. So what can you, as a defender, do in your organization?

As a bit of an overview, ransomware is a very, very serious and ongoing threat to all businesses. Although we're going to be talking specifically about operations in industrial control system environments, it is not unique to them; we have certainly seen a lot of issues impacting healthcare, state and local government, and small business. It is a really widespread threat, and it does have some very direct and indirect impacts on operational technology environments. When we say OT, we mean the technology that actually runs the industrial process; a human-machine interface, for instance, can be programmed to operate equipment in your process, things like that. This is very concerning, and it's the kind of evolution of ransomware that we are going to talk about today.

All of this data is based on 220 incidents of ransomware against ICS and supporting entities, compiled from 2018 through 2020. Camille and I have both gone through the internal data sets that we have at Dragos and X-Force, as well as publicly available data. I do want to point out here that it is very difficult to discern a full picture of a threat environment due to visibility issues. Oftentimes companies report that they've been a victim of a ransomware attack and it's very difficult to get more information, but this is the scope and depth of our research, which I'd say is pretty cool and interesting.

Ransomware has existed for decades, right? Ransomware is not necessarily a new threat at all, but we became aware of the very serious threat that disruptive malware can have on businesses and industrial operations. Adversaries are no longer targeting victims sort of indiscriminately; they are going after targets that guarantee a sort of higher payout. And with that I'm going to kick it over to Camille, who will also talk about this in just a couple of minutes, discussing what we found in our updated data set through our analysis.

So I think it becomes obvious that ransomware attacks against ICS have increased over the past two years, and in fact we found that they have increased 500% from 2018 through 2020. So whereas in 2018 it was common to see only one or two such ransomware attacks a month in the press or among our clients, the average in 2020 is about 12 per month. So this is pretty significant growth and suggests that ransomware attackers are increasingly finding ICS targets to be attractive and profitable. For both our businesses, we do acknowledge that as more attackers are publicly announcing ransomware attacks and leaking data, this is probably increasing the number of ransomware attacks that we become aware of as researchers, but we're seeing increases in ransomware attacks even in our internal-only data, which gives us confidence that there really has been an overall increase in attacks against ICS over the past two years.

So on the next slide, it bears mentioning that this increase coincided with the coronavirus pandemic that began in late 2019 and accelerated in the spring of 2020. We wouldn't say this correlation indicates causation, but it does mean that we have observed the coronavirus pandemic and increasing ransomware attacks against ICS interact in unique ways. So, for example, we observed several threat actors capitalize on COVID-19-themed phishing lures for initial access to the network, a tactic that was particularly popular in March and April of 2020, as audiences worldwide developed a strong appetite for COVID-19-related information. More recently, as vaccines were nearing completion and preparing for distribution, we observed ransomware adversaries target cold storage facilities and pharmaceutical manufacturers. In fact, our dataset revealed that the number of ransomware attacks against pharmaceutical companies in just the last two months of 2020 was the same as all ransomware attacks against pharmaceuticals from early 2018 up to that point, and IBM Security X-Force has observed additional actors, even beyond ransomware actors, targeting the COVID-19 cold chain as well. All of these cyber activities have the potential to disrupt the distribution of these vital vaccines. While healthcare facilities and hospitals are not in scope for the definition of ICS, we do recognize the significant harm from ransomware attacks over the past year.

So on the next slide, in addition to a general upward trend in ransomware attacks against ICS-connected organizations, our data set revealed that North America is the most targeted out of all geographies and experienced 45% of the ransomware attacks on ICS from 2018 to 2020. Europe came in second at 32% of attacks, with Asia third at 16%. The researchers for this study ourselves speak English as our primary language with some European language capabilities, so that may have affected these outcomes. But the geographic dispersion also makes a lot of sense, as many ransomware attackers have shifted to big game hunting, going after large corporations with high yearly revenue where a high ransom demand might be met, and many of these corporations are in North America, Europe and Asia, where 89% of the world's GDP resides.

So in addition to geographies, on the next slide we looked at industries targeted, and far and away manufacturing emerged as the most targeted industry from 2018 to 2020, ending up on the receiving end of more than one-third of all ransomware attacks on ICS during that time. For many manufacturing companies, just one hour of downtime can translate into millions of dollars in losses, which ransomware attackers appear to have found. This creates a situation where many manufacturing companies find themselves under intense pressure to pay the ransom in an attempt to quickly resolve the issue. After manufacturing, utility companies came in second at 9% of attacks, and in 2018 utility companies made up only 5% of attacks on ICS industries, so that percentage has grown over time, again suggesting ransomware attackers are probably targeting them more frequently. And from here I'm going to hand it back over to Selena to discuss how these ransomware attacks affect operations at ICS organizations.

Thank you so much, and thank you for the work that you've done on the cold chain research. I know that there's a lot of attention paid right now to that. Where the impact is known, that is, where we know what the attacks affected, ICS operations as well as OT functions were affected in 50% of ransomware attacks, in some cases with weeks-long downtime, along with, in some attacks, employee layoffs. That is really interesting to me, because we often forget about the human impact; it's not just business. People lose their jobs, people are unable to get paid, people have families and have to wait until operations are back up again in order to get back to work, or to order processing. And another point on that: OT is very intricately linked to the entire operating process, responsible for monitoring, communicating and controlling industrial processes.

Now, talking about ICS-specific ransomware. This is not something that we've seen disrupt the actual equipment, right, but what we're seeing is ransomware that begins to include these capabilities, and we have others that have also begun to have these ICS-specific capabilities to forcibly disrupt operations. So one of the things I wanted to talk about is a case study. On March 4th, 2020, a ransomware attack at a manufacturer impacted North American operations, including email, shipping, product certification and internet availability, and resulted in a shutdown of the steel and pipe division. What we have here is a lot of information on the impacts: the human impact, the impact on the steel and pipe division, as well as the layoffs that were incurred. I will hand it back to Camille to discuss this idea of human-operated ransomware.

Thank you so much, Selena. Human-operated ransomware. In 2017 we saw several wormable ransomware strains, such as WannaCry and NotPetya, that can spread automatically to compromise networks. It also appears that these ransomware strains may have accidentally infected hundreds of organizations, with effects that may not have been intentional. So the good news is that the vast majority of the ransomware we see is human-operated, where humans are behind the keyboard intentionally choosing their targets, gaining access, escalating privileges, moving laterally and deploying ransomware. The bad news is that these human-operated attackers are pretty good at what they do, and their intentional targeting often leads to what for them are successful operations on a wide scale.

So on the next slide, we have a chart that provides a breakdown of the ransomware types we have observed against ICS-connected networks since 2018. And as you can see, wormable ransomware such as WannaCry is still on the list at 6%, and this is a strain we still see today, especially in sensitive OT environments with legacy infrastructure that is difficult to update to avoid the EternalBlue exploit. However, the vast majority of ransomware strains we see are human-operated, including Sodinokibi/REvil, Maze, NetWalker and others, and some of these, such as Ekans, are specially designed to impact ICS environments. And now I'm going to hand it back over to Selena.

So how do human-operated ransomware strains tend to gain access and spread through networks? Actors are phishing, right? Email spear phishing remains a very, very active and effective method of initial access. We're also seeing remote services compromised, as well as exploitation of software vulnerabilities, like virtual private network (VPN) concentrators and enterprise network equipment. It seems to me, I feel like throughout the summer and fall time frame, there was like one critical vulnerability a week in enterprise network equipment that was very, very quickly exploited, whether it was by ransomware adversaries or a number of other actors. Adversaries were very quick to jump on the exploitation of these vulnerabilities once proofs of concept were made available.

We are also seeing a lot of living off the land. What we're talking about here is adversaries, once they're in the environment, using the built-in functionality of a Windows computer to sort of move about and spread through an environment. But what's interesting as well is that some ransomware strains, including NetWalker and a few others, also encrypt systems such as domain controllers. And what might be interesting is that oftentimes IT and OT are not necessarily separated; sometimes you still have the same DC that is controlling IT and OT functionalities. And so there is a risk there when a domain controller is compromised and a group policy object is used to push ransomware.

So one of the things I find very interesting is this sort of double extortion, right? So as companies and organizations are getting increasingly defensive and resilient against ransomware, that is, having offline backups, you know, adversaries are stealing data and then publishing it online, either on a dark web website or a hacking forum, if a ransom demand has not been paid. Ransomware combined with other criminal activity is very interesting: ransomware-as-a-service operations like Sodinokibi and others are collaborating in these sort of extortion cartels, right? So as part of a gang affiliation, like the Maze gang with other operators. This is very concerning for a number of reasons, and there are a number of risks and consequences that are involved with this sort of double extortion, data theft technique.

Victims are unable to confirm whether data is actually destroyed. Historically, with just kind of traditional encryption ransomware, you pay the ransom, you get the encryption key, you get your stuff back, and the transaction is ended. Unfortunately now the victims have no idea what's happening and there's no confirmation or ability to verify that the data has actually been destroyed if the ransom is paid. This data could be information on the target company or on customers that are working with the target company, and it could actually aid in future attack planning for additional adversaries that are interested in collecting OSINT data on this particular target company. Here in the United States, and in a number of countries around the world, there is data breach legislation and regulation that says you must tell people when their PII is stolen. And so, you know, companies might find themselves under more pressure to reveal these types of breaches. Data leaks provide additional incentive for victims to pay a ransom; yet when paid, ransoms validate cybercriminals' business model and encourage additional attack activity. The cartels, again, are trying to get them to pay the ransom, right. Historically, you know, that is certainly something that companies do with a data leak; obviously it seems to be working, because ransomware adversaries continue to do so, and it just sort of encourages this ongoing activity. Victims have no control over or visibility into what attackers do with the data. It kind of goes back to the first point, right? There's no visibility; they could use it for other nefarious purposes, sell it to other criminal organizations, etc. It could be of interest to competitors, or to other adversaries that are largely focused on espionage activities. There are just a lot of potential consequences with these operations.

So in one event, we actually identified a company that had been compromised by a ransomware organization, an oil and gas services company. We identified multiple items of interest in the publicly available data leak: there was a list of companies that use the firm's services, and employee information, both of which could be used to facilitate spear-phishing activities; natural gas flow data; information related to a Canadian government energy regulator; and geospatial data that could potentially be related to the company's current operations. When something like this happens, really, what is the impact? There are opportunities for third-party and supply chain compromise, understanding the target for phishing activity and potentially using it as a way to take advantage of the trust built between the company and its customers. Sensitive financial information and potentially operational documentation has been published that could be used to compromise and potentially attack the company. With that, I'll hand it back to Camille.

Thank you. From all of this research and these findings, we have several predictions for the future of ransomware attacks against ICS environments. Going forward, first, we predict that ransomware will continue to be a major threat to industrial operations. These attacks are highly profitable for cybercriminals and are usually the most profitable cybercriminal activity today. Second, the double extortion and ransomware attacks that Selena was just talking about are likely to continue, as this technique, which significantly increased in popularity in 2020, has proven to be an effective business model for ransomware attackers. Third, we anticipate that future ransomware strains will build on new efforts such as Ekans and be specially tailored to ICS environments, particularly given how lucrative ransomware attacks find some ICS-related industries, such as manufacturing, to be. And last, the leak of information stolen during ransomware attacks will continue to provide a better understanding of the breadth and impacts of ransomware attacks, which is super helpful, albeit an unfortunate side effect of these attacks. And now we're going to discuss some defensive measures organizations can take against these attacks, and I'll turn it over to Selena to discuss our first slide on this topic.

So what you want to do is conduct an architecture review of communication between IT and OT networks, limiting the connections between corporate and ICS networks to only known and required traffic; having visibility into your network, having visibility into what is communicating with what, is it just one-way or two-way communication, what ports are open, what type of traffic is allowed within the environment; as well as conducting privilege assessments: are only the people who are allowed to access certain information or have admin credentials having it, or is it kind of broad across the organization? Having effective preventive, detective and corrective controls in place is critical for defense in depth, right? Having response plans, having plans and protocols in place to respond to an incident. Wherever possible, focus critically on connections to integrators, maintenance personnel and equipment; we have seen an event where the initial compromise was through a system exposed to the internet with no multi-factor authentication implemented. MFA could have potentially been enough to prevent exploitation.

Great, thanks so much, Selena. In addition, we definitely recommend having backups for both enterprise and operations networks that are maintained and tested. From our experience, more companies are doing this successfully, which is very exciting, and it enables them to recover quickly from a ransomware attack without having to pay for a decryption key. This does not necessarily solve the problem of stolen data, but it does help in getting back up and running quickly, and that is critical. We have also found that companies that have been able to successfully establish an alternate location for business-critical functions are able to recover faster, experience less fallout from a ransomware attack, and position themselves well for recovering and avoiding having to pay the ransom.

So on our last slide here, just to conclude some of the main points from our presentation today: our research revealed a 500% increase in ransomware attacks from 2018 to 2020, with 56% of those attacks affecting operations functionality. We found that manufacturing was the hardest-hit ICS industry by far, and that North America is bearing the brunt of these ICS ransomware attacks. Attackers are increasingly stealing and then leaking data in ransomware attacks, which is changing victims' calculus on whether or not to pay. And we predict that these ransomware attacks will continue to be a major threat to industrial organizations. If you'd like to read more, we have links here on this slide to a white paper that Selena and I wrote on this topic. And then on our very last slide, we just like to say that we are happy to have a discussion about these topics here on the RSAC platform, and we're also sharing our contact information here should you have any follow-up questions. Thank you. Thank you so much.