Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

The company says ransomware has been by far the top attack type launched against OT organizations to date in 2021, accounting for 32% of attacks. The Ryuk ransomware has been involved in many of these attacks and IBM says there has been more documented cases of Ryuk ending up on OT networks compared to most other ransomware strains.

This topic will be discussed on Wednesday at SecurityWeek’s ICS Cyber Security Conference by Camille Singleton, senior strategic cyber threat lead at IBM, in a presentation titled “Ryuk on industrial control system networks.” Registration for the online event is still open.

Singleton told SecurityWeek ahead of the event that the study is based only on attacks that have the potential to affect industrial control systems (ICS) or OT systems, including attacks involving insiders, remote access trojans, or IoT botnets.

“Manufacturing and transportation are the two operational technology-related industries X-Force most commonly observes Ryuk actors target, but we know Ryuk actors also love energy and utilities, industrial distribution, oil and gas, and healthcare,” Singleton explained.

While in many attacks the Ryuk ransomware actually makes it to ICS or other OT systems, there are attacks that only hit IT systems directly but still cause disruption to operational systems.

“Ransomware attacks on IT systems alone often also have operational impact because operational systems are shut down as a precaution,” Singleton said. “Our research shows that ransomware attacks have an operational impact 56% of the time—even when the ransomware does not get onto the OT network.”

Ryuk ransomware operators encrypt files found on the victim’s network in an effort to convince them to pay a ransom, but they sometimes also steal valuable data to increase their chances of getting paid. However, in the attacks where Ryuk got into OT networks, IBM did not observe any data theft.

Singleton says OT organizations should focus on segmentation if they want to reduce the risk of significant damage.

“In every instance we have seen where Ryuk got into an OT network, poor network segmentation played a role,” the expert said. “Paying close attention to domain controllers, limiting domain administrator accounts, locking them down and auditing them heavily can decrease the chances ransomware actors can gain access to domain controllers—which is key to deploying ransomware—and in some cases can even decrease opportunities to move over to the OT network.”

Both cybersecurity firms and government agencies have been warning industrial organizations about the threat posed by ransomware. This type of malware has been increasingly detected on ICS, including in critical infrastructure facilities.

Related: Seven Ransomware Families Target Industrial Software

ICS Cybersecurity Conference - Virtual Event

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Related: CISA Warns of Threat Posed by Ransomware to Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...