Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

The company says ransomware has been by far the top attack type launched against OT organizations to date in 2021, accounting for 32% of attacks. The Ryuk ransomware has been involved in many of these attacks and IBM says there has been more documented cases of Ryuk ending up on OT networks compared to most other ransomware strains.

This topic will be discussed on Wednesday at SecurityWeek’s ICS Cyber Security Conference by Camille Singleton, senior strategic cyber threat lead at IBM, in a presentation titled “Ryuk on industrial control system networks.” Registration for the online event is still open.

Singleton told SecurityWeek ahead of the event that the study is based only on attacks that have the potential to affect industrial control systems (ICS) or OT systems, including attacks involving insiders, remote access trojans, or IoT botnets.

“Manufacturing and transportation are the two operational technology-related industries X-Force most commonly observes Ryuk actors target, but we know Ryuk actors also love energy and utilities, industrial distribution, oil and gas, and healthcare,” Singleton explained.

While in many attacks the Ryuk ransomware actually makes it to ICS or other OT systems, there are attacks that only hit IT systems directly but still cause disruption to operational systems.

“Ransomware attacks on IT systems alone often also have operational impact because operational systems are shut down as a precaution,” Singleton said. “Our research shows that ransomware attacks have an operational impact 56% of the time—even when the ransomware does not get onto the OT network.”

Ryuk ransomware operators encrypt files found on the victim’s network in an effort to convince them to pay a ransom, but they sometimes also steal valuable data to increase their chances of getting paid. However, in the attacks where Ryuk got into OT networks, IBM did not observe any data theft.

Advertisement. Scroll to continue reading.

Singleton says OT organizations should focus on segmentation if they want to reduce the risk of significant damage.

“In every instance we have seen where Ryuk got into an OT network, poor network segmentation played a role,” the expert said. “Paying close attention to domain controllers, limiting domain administrator accounts, locking them down and auditing them heavily can decrease the chances ransomware actors can gain access to domain controllers—which is key to deploying ransomware—and in some cases can even decrease opportunities to move over to the OT network.”

Both cybersecurity firms and government agencies have been warning industrial organizations about the threat posed by ransomware. This type of malware has been increasingly detected on ICS, including in critical infrastructure facilities.

Related: Seven Ransomware Families Target Industrial Software

ICS Cybersecurity Conference - Virtual Event

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Related: CISA Warns of Threat Posed by Ransomware to Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.