Understanding the Ransomware Victim Profile (Part One)

29 Jun 2020

Understanding How Ransomware Attacks Work is the Key to Dealing With Them, and Perhaps, Preventing Them Altogether 

Industrial companies operate in a highly competitive ecosystem and cannot afford production slowdowns. That is why ransomware attacks are considered by many “the sum of all fears”, a catastrophic “natural disaster” of the digital era. 

The estimated global damage from ransomware attacks grew from $325 million USD in 2015 to roughly $11 billion USD in 2019, and is projected to nearly double again, to $20 billion USD, by 2021.

Damage of Ransomware Attacks

To understand the impact of ransomware attacks - and why they continue to wreak havoc on companies and entire industries - we first need to understand their violent nature. Beyond the significant financial and reputational damage they cause, ransomware attacks add a layer of psychological pressure that resembles terrorism in one respect: they can hit virtually anyone. Not surprisingly, ransomware sits at the top of the list of concerns of CISOs and executives across numerous industries.

Another way of thinking about a ransomware attack on your business is to compare it with preparing for a wildfire to reach your house: it can happen, it is best to be prepared, but what are the odds? For many of us, the mere thought of our house turning into ashes is so distressing that we simply avoid thinking about it. Before we can decide whether or not to tackle the problem, we must weigh the likelihood of being hit against the potential damage. In other words, we need to do some risk management.

Understanding the odds of being hit by ransomware requires an evaluation of ransomware trends and the threat "landscape". This includes:

  • A variety of metrics, such as the geographic distribution of the victims
  • The price attackers demand for decrypting the encrypted files
  • The range of delivery and propagation methods in use
  • The strain a ransomware incident places on security, operations and management teams
  • How the ransomware spreads through and disables a network
  • The financial losses or infrastructure damage caused to the victim, and more.

Still, this is a lot of analysis to do, and one can easily get lost in it and give up. 

When we try to evaluate the overall threat that ransomware attacks pose to industrial organizations, we suggest emphasizing the "victimology" and the context of those attacks. By doing so, we can make sense of what is happening around us and better predict whether our business is at risk of becoming the next victim.

Ransomware Threat Trends - Are You at Risk?

To understand whether your industrial vertical is the current focal point of ransomware attackers, use this simple rule of thumb: if it is making headlines, for good or for bad, it is at higher risk. The boldest examples we can think of are the COVID-19-related attacks on hospitals, laboratories, pharmaceutical research and development companies and the numerous suppliers, service providers and authorities involved in the crisis. The "Snake" ransomware attack on Fresenius Group, the largest operator of private hospitals in Europe, is perhaps the most remarkable one. From the attacker's point of view, the logic of going after the healthcare sector in the midst of a pandemic is simple: the victim has no time to lose on negotiation while there is a crisis to manage. 'Just get the system back online and let us go back to saving the world.'

As the attacks progressed, during April and May we saw the focus shifting to industries and services suffering from the secondary effects of the pandemic on the global economy. These included companies in the energy, oil and gas, logistics, and automotive sectors.

The table below sums up the most recent attacks by industry, listing the most targeted tier within each industry, the number of known attacks, and the ransomware strains observed:

Energy (9 known attacks)
  • Most targeted tier: electricity providers; oil & gas upstream and related services; solar energy producers
  • Ransomware strains: Maze, Snake, Sodinokibi, Netwalker

Logistics (7 known attacks)
  • Most targeted tier: fleet operators; cargo systems & services; multimodal shipping companies
  • Ransomware strains: Netwalker, Clop, Nefilim

Automotive (5 known attacks)
  • Most targeted tier: vehicle manufacturers; seats & car accessories
  • Ransomware strains: Snake, Maze, Nefilim


What caught our attention the most was that multiple ransomware strains are active simultaneously against the same industries and verticals. As mentioned above, these industries are already suffering from a business slowdown, which weakens their bargaining power.

"Snake", for example, is a ransomware strain with a proven history of hitting industrial organizations, targeting both IT and OT environments. In June this year it hit both Honda (automotive) and ENEL (energy), and both companies' stocks dropped once the incidents were reported.

“Clop”, another sophisticated ransomware, allegedly attacked Hoedlmayr, an Austrian logistics company, as well as a German provider of electricity and other industrial companies in Europe.

Cherry Picking the Victims

When large corporations such as Honda, ENEL, or PEMEX are attacked, they can’t escape admitting it. And the pressure to “get their network back” is immense. As the level of anxiety and frustration on the victim’s side soars, pressure from customers, suppliers and shareholders, not to mention the media and the competition, add fuel to the fire. This is exactly the situation the attacker desires as the victim is more likely to agree faster to pay the ransom. 

In contrast to the above, little is reported about the small, medium, and even large industrial companies that suffer ransomware attacks. OTORIO's incident response team is often called upon to deal with ransomware attacks on industrial companies worldwide, and their experience confirms that attacks on small and mid-sized companies are just as devastating and impactful as those that hit huge enterprises. While we cannot expose any of our customers, we can look at some examples that did make the news.

One example is Symbotic LLC, a Massachusetts-headquartered provider of robotic solutions for warehouses, which was hit in early 2020 by the advanced Sodinokibi ransomware. Privately owned by New England billionaire Rick Cohen, the owner of C&S grocery chain, Symbotic LLC supplies robotics to some of America’s largest corporations including Target and Coca Cola. So while most of us have never heard of Symbotic, the operators of Sodinokibi have done a great job in cherry-picking their victim. The attackers managed to steal personal employee information, but what they were really after was the potential to create a larger disruption to the businesses that depend on Symbotic’s solutions.

Another example is Mead O’Brien, a producer of automated valves and instrumentation for pipelines in the USA, which was allegedly hit by Maze ransomware. The collateral damage of halting the production of Mead O’Brien is far greater than the actual size and value of the company itself. The company serves multiple infrastructures, pipelines, and industries all of whom rely on its valves and need them to be supplied on time. 

Mead O'Brien is not alone. Faxon Machining, a manufacturer of drilling gear for the oil and gas industry, was also hit by the same ransomware, and had the attackers not been stopped in time, the damage might have been significant.

What Have We Learned So Far

Ransomware is a violent type of cyberattack which is growing both in numbers and in financial damage. Attackers are cherry-picking their targets, often going after victims who are located deeper in the supply chain - but have the potential to disrupt the production of bigger (and more well-known) players.

One way for you to find out if your company is at risk is by reading the news. If you operate in a vertical that is making headlines - you had better start preparing for an attack. 

In our next blog post, we will dive deeper into the “victim profile” and provide guidelines to help organizations assess the likelihood of a ransomware attack against them.

Matan Rudis
Threat Intelligence Team Leader

Ran Finkelstein
Threat Intelligence Researcher

For more information contact us at [email protected].
