As information technology (IT) and operational technology (OT) converge, ransomware has become a growing concern for those tasked with defending industrial control systems (ICS). Security personnel typically responsible for securing IT environments must now understand the current ransomware landscape from an OT-centric perspective. In the aftermath of NotPetya, ransomware tactics have evolved substantially, as attackers have begun to capitalize on an expanded attack surface and a shift in the vulnerabilities they target. This blog offers insight into this ongoing evolution, as well as the current state of ransomware threats to OT.
OT Ransomware refers to a specialized form of cyber threat, engineered to compromise Operational Technology systems. This variant of ransomware diverges from general IT-targeted attacks by its potential to not only disrupt digital processes but to also cause physical, real-world consequences in industrial environments. In this blog post, we'll explore the distinct impacts of OT Ransomware compared to traditional IT malware, while also examining their commonalities and strategies for effectively mitigating risks posed by both types of cyber threats.
Over the past several years, ransomware attacks have grown increasingly targeted, while the opportunistic "spray-and-pray" approach of arbitrarily infecting victims with self-propagating ransomware has largely fallen out of favor among threat actors. This strategic pivot may be a response to many organizations' efforts to minimize attack surfaces following NotPetya and WannaCry, which epitomize the opportunistic approach to ransomware.
A targeted approach to ransomware infection can significantly extend the shelf life of an exploitable vulnerability by making it more difficult to determine how the ransomware entered the victim's network in the first place. Strategic targeting also enables attackers to focus on organizations with deep pockets and a low tolerance for operational disruption, thus increasing the likelihood of ransom demands being met. An apparent example of this approach in action was the highly disruptive ransomware attack against the Japanese car manufacturer Honda, which was suspected to have involved the Snake ransomware and is detailed in depth on The Claroty Blog earlier this year. The attack disrupted global operations, including manufacturing processes, thus demonstrating how a more deliberate infection strategy can culminate in highly damaging attacks.
In retrospect, the NotPetya ransomware attack can be seen as a watershed moment for OT security. Widely regarded as the most costly and destructive cyber attack in history, the global impact of NotPetya on OT environments across a broad range of industries served as a wake-up call for many CISOs and other decision makers who had mistakenly assumed ransomware threats were confined to the IT realm.
In reality, a successful ransomware attack can have devastating impacts on OT. Earlier this year, steel giant EVRAZ was hit hard by the Ryuk ransomware strain, bringing down plant operations at numerous sites across the U.S. and Canada. The ransomware attack halted manufacturing processes to such an extent that EVRAZ issued temporary layoffs to plant workers, and third-party trucking companies servicing the company's facilities reported disruptions in freight flows. This attack, among others, has served as a forewarning of a new paradigm in which the overlap between IT and OT security threats is more broadly recognized and prioritized in today's hyper-connected world.
As digitization becomes the new standard, cyber risk evolves in a manner specific to the operations of each sector, thus necessitating more stringent industry standards for security. To cite a specific example, the FBI issued an advisory to trucking companies, warning them of the industry's growing susceptibility to ransomware attacks. In recent years, the trucking industry has increased its potential exposure to cyber threats through the ongoing digitization of its operations, including widespread adoption of tools such as GPS, AI-centric systems, and electronic logging devices (ELDs). The FBI advisory emphasized the potential for ELDs to serve as a path for attackers to move laterally between trucking companies' IT and OT environments, with plausible impacts ranging from data exfiltration to life-threatening manipulation of vehicle functions.
Less than a month after the FBI advisory was issued, Canadian courier Canpar Express became the latest trucking company to fall victim to a ransomware attack, resulting in disruptions to its shipping operations and moving services. In addition to causing operational disruptions, the attackers also leaked several internal documents with the threat of releasing additional material — exemplifying the ability of cyber attacks to span an organization's IT and OT systems.
Within the cybersecurity community, there is ongoing speculation about when another ransomware attack will match, or even exceed, the scale and impact of the havoc wrought by NotPetya. But it's important to remember that NotPetya, along with its close predecessor WannaCry, would not have been possible without the perfect storm created by the leak of EternalBlue, a wormable exploit developed by the National Security Agency. This public disclosure placed a secret cyberweapon into the hands of malicious actors, enabling the widespread, opportunistic infection of targets when combined with a brute-force approach to compromising any accessible IP address.
Given the fundamental role of vulnerabilities in enabling ransomware attacks against OT and other environments, Claroty has emerged as a leader in the broader effort to discover and help remediate security flaws present within the entire extended internet of things (XIoT), detailed in depth in our most recent State of the XIoT Security Report. Our findings highlight the impact of the ransomware epidemic and provide the top mitigations for new and emerging threats.
More often than not, improper segmentation between once-separate IT and OT environments is a key enabler of OT ransomware infections. As such, initiatives to ensure your organization's OT network and assets are isolated from IT in a manner that aligns with the Purdue Model and other segmentation best practices can be a highly effective means of preventing the lateral spread of ransomware and other malware from IT to OT.
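One way to make "aligned with the Purdue Model" checkable, as an added example that is not Claroty's code: a small auditor that assigns each subnet a Purdue level and flags flow records that cross from IT into OT without passing through the industrial DMZ, that originate in OT and reach back into IT, or that skip a level. The zone map, the ports treated as lateral-movement ports, and the sample flow records are all constructed assumptions; a real audit would load them from the asset inventory and from firewall or NetFlow exports.

```python
# Added example (not Claroty's code): audit flow records against a
# Purdue-model zone policy. Zone map and sample flows are constructed.
import ipaddress

# Purdue level per subnet: 4 = enterprise IT, 3.5 = industrial DMZ,
# 3/2/1 = OT (site operations / supervisory / basic control).
ZONES = {"10.10.0.0/16": 4, "10.20.0.0/24": 3.5, "192.168.10.0/24": 3,
         "192.168.20.0/24": 2, "192.168.30.0/24": 1}
LATERAL_PORTS = {445, 3389}  # SMB/RDP: common IT-to-OT lateral-movement ports

def level_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, lvl in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return lvl
    return None  # not in the asset inventory

def classify(src, dst):
    """Name the policy violation for a src->dst flow, or None if permitted."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unknown-asset"
    if s >= 4 and d <= 3:
        return "it-to-ot-bypasses-dmz"  # IT may reach OT only via the DMZ
    if s <= 3 and d >= 4:
        return "ot-to-it-bypasses-dmz"  # OT should not initiate to enterprise IT
    if abs(s - d) > 1:
        return "level-skip"             # e.g. DMZ -> L2, or L3 -> L1
    return None

def audit(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns violations only."""
    findings = []
    for src, dst, port in flows:
        why = classify(src, dst)
        if why:
            findings.append({"src": src, "dst": dst, "port": port, "finding": why,
                             "severity": "high" if port in LATERAL_PORTS else "medium"})
    return findings

# Constructed sample flows (RFC 1918 addresses, no real assets).
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.20.0.10", 443),      # IT -> DMZ patch relay: permitted
    ("10.20.0.10", "192.168.10.5", 3389),   # DMZ jump host -> L3: permitted
    ("10.10.5.21", "192.168.20.7", 445),    # IT -> HMI over SMB: high
    ("192.168.10.5", "192.168.30.9", 502),  # L3 -> PLC, skipping L2: medium
    ("192.168.20.7", "10.10.5.21", 445),    # HMI -> IT over SMB: high
    ("172.16.0.4", "192.168.30.9", 502),    # unmapped source: needs inventory
]
```

Running `audit(SAMPLE_FLOWS)` returns four findings, two of them high severity because they ride SMB; the two permitted flows (IT to DMZ, DMZ jump host to level 3) produce nothing.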
By bringing attention to OT vulnerabilities and helping to remediate them before attackers have the opportunity to exploit them, Claroty aims to help reduce the frequency with which disruptive ICS ransomware incidents make headlines.