The increasing impact of ransomware on operational technology

Manufacturing, transportation and utilities companies are being targeted by cyber criminals.

Dragos research has found a surge in ransomware attacks on operational technology, disproving the notion that such threats only target IT

Operational technology — hardware and software that directly monitors and pulls the strings of equipment and processes — is a critical part of day-to-day life. Responsible for monitoring and controlling critical infrastructure and manufacturing operations, the usage of OT can be seen across an array of mission-critical sectors, such as utilities, oil and gas and transport.

However, such infrastructure has been in the headlines in recent times for coming under attack by ransomware, notable examples being meat processor JBS and fuel supplier Colonial Pipeline. Indeed, threat actors are no longer just targeting IT, but also the technology behind its processes, resulting in widespread damage, as well as financial and reputational losses.

According to research conducted by cyber security experts Dragos, industrial infrastructure across Europe is being targeted for geopolitical or financial reasons. Regarding the particular industries observed by Dragos, the most frequently targeted were:

  • Manufacturing (61 per cent);
  • Transportation (15 per cent);
  • Water (9 per cent);
  • Energy (8 per cent).

With this in mind, we delve deeper into Dragos’s findings to explore the impact of ransomware on operational technology.

The impacts of ransomware on OT

Ransomware threat actors are always evolving their tactics, growing attacks, raising stakes and increasing vulnerability intelligence. Due to the crucial and sensitive nature of infrastructure operations, victim organisations find themselves stuck between a rock and a hard place — a decision of whether to pay the ransom (often not recommended by experts) or shut operations down, putting critical supplies on hold.

Impact on OT, according to Dragos, manifests itself in four ways:

  1. Pre-emptive shutdown of operations to prevent ransomware spreading into OT, which protects the technology from long-term damage (as seen with the Colonial Pipeline attack).
  2. Quick spread of ransomware due to flat networks and a lack of visibility.
  3. Six ransomware strains contain built-in OT process kill lists: Cl0p; EKANS; LockerGoga; Maze; MegaCortex; and Nefilim.
  4. Attacks that solely target enterprise IT can lead to documentation on operational technology being leaked onto underground forums if the ransom isn’t paid, and in turn follow-on attacks on OT.

Major activity groups

Dragos has found an array of prominent activity groups ravaging European industrial infrastructure with ransomware in recent times. The most active groups being monitored include:

  • ALLANITE: The ALLANITE group targets electric utility enterprise and OT networks based across the UK and US, as well as industrial infrastructure across Germany. The group constantly surveys OT environments for vulnerabilities.
  • DYMALLOY: Victims of attacks carried out by the DYMALLOY group include Europe, North America and Turkey-based electric and oil and gas providers. According to Dragos, the group is capable of carrying out long-term and persistent intelligence collection and future disruption events.
  • ELECTRUM: Found to be behind the 2016 CRASHOVERRIDE event in Ukraine, ELECTRUM can develop malware that leverages OT protocols and communications to modify the processes of electric equipment.
  • MAGNALLIUM: Starting in Saudi Arabia, targeting aviation and oil and gas companies, MAGNALLIUM expanded to Europe and North America in 2020, with a possible emphasis on semiconductor manufacturing and governmental bodies. Malicious samples found here came in the form of Hypertext Markup Language (HTML).
  • PARASITE: Targeting aerospace, oil and gas and utilities firms, this group exploits VPN vulnerabilities and damages infrastructure using open source tools. According to Dragos, PARASITE has been active since 2017.
  • XENOTIME: Initially starting in the Middle East, the XENOTIME activity group began expanding into Europe in 2018, targeting oil and gas companies. In particular, Dragos assesses with moderate confidence that this group is capable of exploiting oil and gas operations in the North Sea.

Going forward, Dragos will look to continue keeping tabs on the activity of these groups, which are set to continue evolving to evade security measures.

Keeping OT protected

To keep operational technology protected against ransomware attacks going forward, Dragos recommends taking appropriate measures for initial intrusion defence, network access defence and host-based defence. A strategy that takes all of these areas into account, while staying vigilant, is vital to keeping ransomware threat actors at bay.

Initial intrusion

To protect against initial intrusion of networks, organisations must consistently find and remediate key vulnerabilities and known exploits, while monitoring the network for attack attempts. Wherever possible, equipment should also be kept up to date.

VPNs in particular need close attention from cyber security personnel; new VPN keys and certificates must be created, with logging of activity over VPNs being enabled. Access to OT environments via VPNs calls for architecture reviews, multi-factor authentication (MFA) and jump hosts.

In addition, users should read emails in plain text only, as opposed to rendering HTML, and disable Microsoft Office macros.

Network access

For network access attempts from threat actors, organisations should perform an architecture review for routing protocols involving OT, and monitor for the use of open source tools.

MFA should be implemented to access OT systems, and intelligence sources utilised for threat and communication identification and tracking.

Host-based threats

For host-based ransomware threats, possible malicious PowerShell, Windows Management Instrumentation (WMI), and Python activity should be monitored, as well as malicious HTA payloads that lead to PowerShell execution.

Cyber security teams should also keep a close eye on possible use of credential stealing tools; unusual enumeration and use of system tools; and new services and scheduled tasks on hosts.
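To make the host-based monitoring list above concrete, here is an added Python triage script (an example written for this page, not Dragos tooling) that runs those indicators over a handful of constructed process, service-install and scheduled-task events; the hostnames, event fields, tool lists and path prefixes are assumptions.

```python
import re
# Constructed sample events (no real host), simplified Sysmon/Security-log process, service and task records.
SAMPLE_EVENTS = [
    {"type": "process", "host": "eng-ws01", "parent": "mshta.exe",
     "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc <base64>"},
    {"type": "process", "host": "eng-ws01", "parent": "cmd.exe",
     "image": "wmic.exe", "cmdline": "wmic /node:hmi-02 process list"},
    {"type": "process", "host": "hmi-02", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net group \"Domain Admins\" /domain"},
    {"type": "process", "host": "hmi-02", "parent": "cmd.exe",
     "image": "mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"type": "service", "host": "hmi-02", "name": "WinUpdateHelper",
     "path": "C:\\Users\\Public\\helper.exe"},
    {"type": "task", "host": "eng-ws01", "name": "Maintenance",
     "action": "C:\\Windows\\Temp\\m.bat"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe", "python.exe"}  # PowerShell/WMI/Python
TOOL_INDICATORS = {"mimikatz.exe": "credential-tool", "lazagne.exe": "credential-tool",
                   "net.exe": "enumeration", "whoami.exe": "enumeration", "nltest.exe": "enumeration"}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
SUSPICIOUS_ARGS = re.compile(r"-(enc|encodedcommand|w hidden|nop)\b", re.I)

def triage_event(ev):
    """Return the indicator names one event triggers (empty list = nothing flagged)."""
    hits = []
    if ev["type"] == "process":
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if image in SCRIPT_HOSTS:
            hits.append("script-host")
            if parent == "mshta.exe":                  # HTA payload that led to PowerShell/WMI
                hits.append("hta-parent")
            if SUSPICIOUS_ARGS.search(ev["cmdline"]):  # hidden window or encoded command
                hits.append("hidden-or-encoded")
        if image in TOOL_INDICATORS:                   # credential stealers, enumeration tools
            hits.append(TOOL_INDICATORS[image])
    elif ev["type"] in ("service", "task"):
        hits.append("new-" + ev["type"])               # every new service or task gets a look
        binary = ev.get("path", ev.get("action", "")).lower()
        if binary.startswith(USER_WRITABLE):           # persistence launched from a writable dir
            hits.append("user-writable-binary")
    return hits

def triage(events):
    """Group triggered indicators by host so an analyst sees each host's whole picture."""
    by_host = {}
    for ev in events:
        for hit in triage_event(ev):
            by_host.setdefault(ev["host"], []).append(hit)
    return by_host
```

Running `triage(SAMPLE_EVENTS)` groups the hits per host, so the HTA-spawned PowerShell on the engineering workstation and the credential tool plus user-writable service on the HMI stand out as separate stories.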

For more information on Dragos’s research around ransomware’s impact on operational infrastructure, download the Dragos European Industrial Infrastructure Cyber Threat Perspective report.

This article was written as part of a content campaign with Dragos.
Cryptominers and ransomware on rise in Q3 2021 — Kaspersky

Research from Kaspersky has revealed a rise in cryptominers and ransomware attacks in the third quarter of 2021.

The price of Bitcoin reached another record high this month, and so has the interest of cyber criminals in cryptomining.

According to the Kaspersky research, the number of unique users encountering cryptominers grew from June to August 2021, correlating with the value of Bitcoin, and peaked at 150,000 users in September.

Meanwhile, Kaspersky encountered a total of 46,097 new modifications of miners, programs downloaded onto users’ devices that extract cryptocurrency from infected systems, in Q3 — an increase of around 47% compared to the number of modifications found in Q2.

Also on the rise this past quarter were ransomware Trojans, with total users encountering ransomware attacks increasing by around 11% to 108,323, compared to Q2. This number peaked in September at 46,000.

Previous research from cyber security and anti-virus provider Kaspersky found a drop in DDoS attacks, which was believed to have been connected to a rise in cryptomining.

“What we’ve seen for a long time is that cyber criminals follow the trends both within the cyber security landscape and society as a whole,” said Evgeny Lopatin, security expert at Kaspersky.

“Cryptocurrency has been in the spotlight in the second half of the year — as has ransomware — so it’s not surprising malicious actors would want to profit off these trends.

“Whether or not the value of Bitcoin has a direct effect on the use of miners is impossible to say, but it could certainly be a contributing factor.

“However, the statistics here represent a positive: they represent the number of users that encountered miners or ransomware on their computer that were then blocked by the security products installed. Threats may grow, but users can still stay safe.”

Recommendations for mitigating cryptomining and ransomware threats

To stay safe from both ransomware and cryptominers, Kaspersky experts recommend:

  • Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities.
  • Use a dedicated security solution with application and web control, to minimise the chance of cryptominers being launched; behaviour analysis helps to quickly detect malicious activity, while a vulnerability and patch manager safeguards against cryptominers that exploit vulnerabilities.
  • Ensure regular backup of important files. A safe option is to create two copies: one to be stored in the cloud, and the other recorded to a physical means of storage, e.g. portable hard drive, thumb drive, extra laptop.
  • Fine-tune anti-spam settings to avoid threats from malicious email messages mimicking notifications from an online store or a bank, and never open attachments sent by an unknown sender.
  • Enable the ‘Show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files with extensions like “exe”, “vbs” and “scr”. Scammers could use several extensions to masquerade a malicious file as a video, photo, or a document (such as hot-chics.avi.exe or doc.scr).
  • Use a robust security solution to protect your system from ransomware, which prevents viruses from getting into your computer, or, should the virus infiltrate your system, protect important files using a special capability.
  • If you are unlucky enough to have your files encrypted, don’t pay the ransom, unless instant access to some of your files is critical.