Dragos, a company specializing in industrial control system (ICS) cybersecurity, recently released their 2021 Year in Review report providing insights and lessons learned from their customer field engagements across the range of industrial sectors. In regards to threat activity, Dragos found that the growth and acceleration of ICS cyber risk in 2021 was largely led by ransomware. Among industry sectors targeted by ransomware attackers, manufacturing represented 65% of attacks*.
*ANALYST NOTE* It is important to consider that the data set providing the insights found within Dragos’ annual report is limited to their own customer field engagements and may therefore inherit biases that may exist in their business strategy and operations. For example, the 65% share of ransomware attacks takes on different meaning if 65% or more of Dragos' customers come from the manufacturing sector or if manufacturing represents 65% or more of all ICS networks. Thus, without more information, it is difficult to accurately assess whether 65% represents a degree of targeting that is disproportionate or expected. For the sake of this analytical exercise, we'll assume these variations were accounted for by Dragos.
Dragos’ report also highlighted four common findings relevant to their customers’ network security posture. These “lessons learned” include:
- 70% had external connections to their ICS network.
- 44% had shared credentials – enabling lateral movement and privilege escalation.
- 86% had limited or no network visibility – hindering detection, triage, and incident response.
- 77% had poor security perimeters or improper network segmentation.
These four concerns were particularly prevalent among the wind, food and beverage, and rail sectors. It is interesting to observe and consider the overlap that exists between these sectors and those most targeted by ransomware attackers.
Observe that, after the manufacturing sector, the next three sectors most frequently targeted by ransomware attackers also encompass the industry sectors with the highest prevalence of risk-increasing findings. But this raises the question – if Dragos’ findings suggest the wind, food and beverage, and rail sectors are more vulnerable than manufacturing, why were there more ransomware attacks targeting manufacturing than all other sectors combined? Seeking possible explanations points to a more nuanced understanding of cyber risk. In a course on assessing the cybersecurity of ICS networks, the International Society of Automation teaches that the likelihood of a given threat event includes the target’s attack surface and vulnerabilities. But other factors include the motivation or intent of the attacker and other characteristics of the target, beyond vulnerabilities, that make it attractive in achieving their goal. The tendency to over-emphasize vulnerabilities while neglecting other aspects of cyber risk was expressed in a comical tweet by Dragos’ director of cyber risk, Jason Christopher.
Among Dragos’ 2021 customer engagements, two ransomware-as-a-service groups – Lockbit 2.0 and Conti – were responsible for over half of ransomware attacks. A Conti insider, disgruntled by the group’s support of Russia in the Russia-Ukraine war, leaked hundreds of files containing tens of thousands of chat logs. The nearly two years’ worth (January 2020 to March 2022) of day-to-day internal conversations provides unique insight into the operations of the top-earning ransomware group of 2021, with at least $180 million extorted from victims. One chat dated June 29th, 2021 provides the following snapshot of the composition and pay of various Conti teams. At least for this particular month, the average Conti member was, approximately, in the top 15% of Russian wage earners.
[Table, only partially recovered: columns are Team, # of people, 1-month payout (USD), and per-person monthly payout (ave.). The one surviving row reads “Reverse Engineering Team – 3 (+1 on-boarding)”; the payout figures for this and the other teams did not survive extraction.]
Per person, the open source intelligence (OSINT) team was paid the most, highlighting the importance of their role in prioritizing deep-pocketed targets and negotiating payouts. Paid OSINT tools apparently used by Conti include ZoomInfo, Crunchbase Pro, Shodan, and SignalHire. Cyfirma offers an excellent review of other tools and TTPs used by Conti’s front-line team of hackers to enumerate, establish persistence, and move laterally through a target’s network.
The annual revenue of their ransomware targets was of particular interest, and ZoomInfo appeared to be a commonly-referenced source. Based on a chat between “Pumba” and “Tramp” and another between “Bio” and “Skippy”, both in December of 2021, Conti appears to typically demand a ransom of nearly 3% of a company’s revenue, but a chat in December of 2021 suggests a discounted rate of 2%. In October of 2020, “Target” and “Professor” were particularly upset that a target with an annual revenue of $30 Million wasted their time only to propose a ransom payment of 18 bitcoin which, at the time, had a value of about $200,000 – approximately 0.7% of their revenue. Many have reported that Conti targets companies with $100 Million or more in revenue; however, our independent review found chats from multiple Conti members suggesting an interest in companies with a revenue of $50 Million and up**.
**ANALYST NOTE** While some likely relied solely on auto-generated Russian-to-English translations of the leaked chat logs, we leveraged an experienced Russian linguist to provide additional context and insights which may account for the $50 Million vs $100 Million disparity. For example, the Russian word "Ревенью" or "Ревеню" is auto-translated to "rhubarb", but is in fact a loanword whose pronunciation sounds like "revenue".
Out of about 60 companies whose ZoomInfo links were shared by Conti members, the median annual revenue was about $75 Million. While we continue to review a second distinct set of about a dozen other targeted companies, our review of the chat logs leads us to agree with Cyfirma’s assessment that Conti relies heavily on third-party brokers for initial access into their targets’ networks. Thus, for the most part, Conti does not appear to be organically sourcing their targets but rather prioritizing them based on revenue and on their success in gaining sufficient access for their locker code to deal a devastating blow once deployed. But this doesn’t explain why manufacturing would be disproportionately* targeted by ransomware, as the increased external connections, shared credentials, and poor security perimeters found within the wind, food and beverage, and rail sectors should translate to easier access, whether it be a broker or a ransomware group doing the leg work. It is worth noting that Lockbit 2.0, among other ransomware groups, is taking a proactive approach by recruiting insiders to help them gain initial access.
One potential explanation for why manufacturing, as a sector, is a prime target for ransomware groups is their comparatively deep pockets. While it’s true that ICS sectors represent a narrower subset of all industries, it is important to consider that, in general, ransomware attackers are looking for a payout, whether or not it comes from an ICS sector or elsewhere. So while the chart below is not a one-to-one match to an ICS sector break-down*** and does not reflect the density of companies in each industry, gross output data from the U.S. Bureau of Economic Analysis provides some insight into how a ransomware group may view a given sector’s payout potential. It is also important to consider that no assumption need be made as to the depth of market or target research being done by those who select ransomware targets. Whether their targeting decisions are informed by preparatory research or by trial-and-error experience, the underlying reality is the same, and both the proactive and reactive approaches will largely coalesce towards similar conclusions, or at least a shared general direction.
***ANALYST NOTE*** For example, manufacturing excludes “chemical products” and “food and beverage and tobacco products” but still includes “petroleum and coal products” and “plastics and rubber products”. Thus, depending on sector differentiation, some sectors may be over-represented while others may be under-represented. The intent is to provide a general idea of industry size by output and to consider how this may affect a ransomware attacker’s targeting.
Another possible variable in an attacker’s perception of payout likelihood may be an association with government agencies that could lead to a refusal to pay a ransom in accordance with FBI guidance. For example, after Baltimore became victim to a RobbinHood ransomware attack in May of 2019, city leaders refused to pay the $76,280 ransom and instead suffered millions more in remediation costs and lost revenue. For reference, that ransom was 0.002% of Baltimore’s $3.5 Billion budget. A month after the attack, the Mayor defended the decision by stating that they were “advised by both the Secret Service and the FBI not to pay the ransom” and that they “won’t reward criminal behavior”. Similarly, after 22 Texas municipalities fell victim to a coordinated REvil ransomware attack in August of 2019, each one refused to pay the ransom. Thus, despite the increased vulnerability of the rail and wind sectors, ransomware attackers might not view the companies and agencies within them as especially desirable targets if they are run by or strongly associated with federal or municipal governments that may find it easier to take a costly principled stance over one that best serves their bottom line.
What cyber risk assessors should understand is that, while vulnerabilities are certainly a critical enabler of ransomware attacks, the likelihood of being targeted is a multi-variable function guided by the attacker’s perceived confidence in securing a large payout. For ransomware attackers, as with all malicious**** cyber threat actors, a target’s vulnerabilities are a critical means, not the end.
****ANALYST NOTE**** The caveat of “malicious” exists primarily for gray-hat hackers that may have a more altruistic motive of exposing vulnerabilities with the misguided intent of moving the needle as it pertains to the attention given to cybersecurity. However, even this motive will likely lead to targeting based not on vulnerability alone, but on bigger targets that store lots of PII and will drive more headlines; otherwise they’d more likely be white-hat bounty hunters, more motivated by a lawful payout.