Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit.

The company says ransomware has been by far the top attack type launched against OT organizations to date in 2021, accounting for 32% of attacks. The Ryuk ransomware has been involved in many of these attacks and IBM says there has been more documented cases of Ryuk ending up on OT networks compared to most other ransomware strains.

This topic will be discussed on Wednesday at SecurityWeek’s ICS Cyber Security Conference by Camille Singleton, senior strategic cyber threat lead at IBM, in a presentation titled “Ryuk on industrial control system networks.” Registration for the online event is still open.

Singleton told SecurityWeek ahead of the event that the study is based only on attacks that have the potential to affect industrial control systems (ICS) or OT systems, including attacks involving insiders, remote access trojans, or IoT botnets.

“Manufacturing and transportation are the two operational technology-related industries X-Force most commonly observes Ryuk actors target, but we know Ryuk actors also love energy and utilities, industrial distribution, oil and gas, and healthcare,” Singleton explained.

While in many attacks the Ryuk ransomware actually makes it to ICS or other OT systems, there are attacks that only hit IT systems directly but still cause disruption to operational systems.

“Ransomware attacks on IT systems alone often also have operational impact because operational systems are shut down as a precaution,” Singleton said. “Our research shows that ransomware attacks have an operational impact 56% of the time—even when the ransomware does not get onto the OT network.”

Ryuk ransomware operators encrypt files found on the victim’s network in an effort to convince them to pay a ransom, but they sometimes also steal valuable data to increase their chances of getting paid. However, in the attacks where Ryuk got into OT networks, IBM did not observe any data theft.

Advertisement. Scroll to continue reading.

Singleton says OT organizations should focus on segmentation if they want to reduce the risk of significant damage.

“In every instance we have seen where Ryuk got into an OT network, poor network segmentation played a role,” the expert said. “Paying close attention to domain controllers, limiting domain administrator accounts, locking them down and auditing them heavily can decrease the chances ransomware actors can gain access to domain controllers—which is key to deploying ransomware—and in some cases can even decrease opportunities to move over to the OT network.”

Both cybersecurity firms and government agencies have been warning industrial organizations about the threat posed by ransomware. This type of malware has been increasingly detected on ICS, including in critical infrastructure facilities.

Related: Seven Ransomware Families Target Industrial Software

ICS Cybersecurity Conference - Virtual Event

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Related: CISA Warns of Threat Posed by Ransomware to Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.