Critical industrial organizations continued to be hammered by ransomware skids in July, while experts suggest the perps are growing in confidence that law enforcement won't intervene.

Of the 395 ransomware attacks claimed by criminals last month, over a third (125 or 34 percent) targeted critical industrial organizations, NCC Group said today. According to the company's figures, the industrial sector has been the most targeted by ransomware since 2021.

"Organisations within CNI provide critical services to society making them valuable targets, and ransomware actors pressure these targets into payment, exploiting their need to remain operational," the report from the researchers states. 

"Additionally, greater interconnectivity between operational technology and IT has expanded the attack surface, providing a larger number of potential entry points to facilitate ransomware attacks."

Followers of infosec news this past year might think that healthcare would be at the top of the list, given the various catastrophes at the likes of Change Healthcare and Synnovis. However, those in the industrial sector were vastly more likely to be targeted, registering nearly three times as many attacks as the next hardest hit, consumer cyclicals.

Providers of critical sectors were not too long ago considered by many ransomware criminals as off-limits, given law enforcement's intervention with Darkside after its attack on Colonial Pipeline.

As WithSecure noted in its fresh H1 2024 threat report today, there was generally thought to be a line criminals wouldn't dare cross, fearing that they too would face the same pressure from US authorities as Darkside did. Some groups vowed to never target hospitals again, for example, although that didn't last long.

Yet that belief has waned, WithSecure said, and did so as early as last year. Criminals no longer have any reservations about going after the most critical of targets, even against the backdrop of multiple major takedowns in the past year.

Those takedowns, especially of LockBit and ALPHV, have bolstered other groups. Medusa, for example, had never posted more than 20 victims to its leak blog in a single month until LockBit fell.

Similarly, the likes of Qilin, Hunters International, RansomHub, and basically every other group have posted increased numbers since the two ransomware titans of the past few years shut down.

Somewhat confusingly, despite every other group benefiting from law enforcement's actions, the total number of victims being claimed year-on-year has fallen, and in the past quarter, numbers have dropped too, suggesting that fighting back is achieving the desired effect. It's working slowly, granted, but it does seem to be moving in the right direction.

"It is almost certain that law enforcement action has significantly impacted the ransomware ecosystem," said WithSecure. "While it is currently too soon to draw conclusions on the long-term effectiveness of this, in the short term there has been a marked, positive impact."

NCC Group noticed a similar downward trend towards the middle of 2024, but was less sure about whether it would continue. There was a 20 percent increase in claimed ransomware victims in July (395) compared to June (329), but the number is still significantly lower than the months between February and May.

"Whether this increase reflects the start of an upward trend remains to be seen, and we will continue to monitor such activity," said NCC Group.

Miscreants cling to infostealers

The trend established last year that found ransomware baddies were using infostealer malware on a much grander scale continues well into 2024, the researchers noted.

IBM X-Force noticed a massive uptick in infostealer use in 2023, a year in which many new infostealers hit the shelves, and subsequently a steep rise in attacks carried out using valid credentials.

SpyCloud research last year found that out of 2,613 ransomware cases examined, 30 percent involved the use of credentials harvested by infostealer malware in their early stages. Over three-quarters of these (76 percent) were the work of Racoon Stealer, the source code of which LockBit was thought to have been trying to purchase.

Initial access brokers (IABs), among their other activities, play an important role in the dealing of these credentials, and are often the type of criminals that abuse infostealers the most.

"[IABs] facilitate ransomware attacks in allowing these groups to focus less on facilitating initial access, and more on finding affiliates and the improvement of their malware," said NCC Group.

"In terms of corporate risk, we have observed that infostealers play a pivotal role in the initial access of the corporate environments. For example, an employee might be searching for an image editing software on their work laptop and downloads a trojanised application through SEO poisoning/malvertising, usually with some infostealer capabilities. This application extracts the system, network, and user information, which could later be sold or used for carrying out follow-up attacks on the user (targeted phishing, etc). 

"The whole ecosystem is known as initial access brokerage, where infostealers act as a method to gather information and/or valid credentials, up until the point that it can be used for other threat actors, like ransomware operators, for browser session hijackings, connections to valid enterprise accounts, and so on." ®

https://www.theregister.com//2024/08/22/critical_industrial_ransomware/