Industry Trends

Move over Healthcare, Ransomware Has Manufacturing In Its Sights

By Bill McGee | June 06, 2016

Everyone has heard how ransomware shut down the networks of several large healthcare providers this past year. To get their systems unlocked, these organizations paid huge ransoms to cybercriminals. Healthcare networks are notoriously vulnerable, and have been tagged by the media and security professionals as the preferred target for these sorts of attacks.

That may be about to change. Fortinet research conducted over the past several months shows that manufacturing is likely to be the next industry specifically targeted by ransomware. In our latest report we detail two specific trends that support this conclusion. The first is an alarming spike in custom ransomware attacks targeted at the manufacturing industry, and the second is the development of a new generation of ransomware that is especially devastating.

Between October 1, 2015 and April 30, 2016, Fortinet monitored and collated network traffic for 59 mid-sized to large manufacturers, spread out over 9 countries in key markets across the Americas, EMEA, and APAC. During those seven months, we recorded 8.63 million attempted attacks on those 59 manufacturers. And 78% of this malicious activity was targeted at large manufacturers with 1000 or more employees. That is a lot of attacks.

So, why is the manufacturing sector being targeted? 

Today’s manufacturing floors are highly automated, and often provide just-in-time inventory in order to prevent getting caught with warehouses full of products in the event of an economic downturn. Which means there is a lot at stake in hitting delivery timetables. Disruptions at any point along the supply chain can have massive negative effects, resulting in missed shipments of material and products, lost man-hours, stalled production lines, and in some cases where companies are reliant on legacy systems, a complete shutdown of their business. These compounded repercussions can cause losses in the millions of dollars. 

While the majority of the attacks targeting manufacturers were the sorts of traditional malware and botnet variants you would expect to see, we also noticed something else. Nearly a third of these attacks (29%) were a new variant of a Trojan called Nemucod. This was particularly interesting because, over the past several months, Nemucod has dropped out of the top ten global threats lists across all industries EXCEPT for manufacturing, where its presence has spiked.

Nemucod is a well-established trojan that has typically targeted financial data, like capturing an infected user’s banking login information. It has traditionally propagated through email attachments that would download and install malware when the recipient clicked on an infected attachment. 

As an established piece of malware, security teams would not be surprised to see Nemucod or one of its variants on the list of threats targeting their organization. But what we discovered is that of the four different Nemucod variants that made the Top 10 list of malware attacks on manufacturers, three of these variants had advanced enhancements that no longer required a user to take an action, such as opening a compromised attachment to get infected. 

And something else. They were all carrying ransomware in their payload. 

With downtime and losses often calculated by the minute, manufacturers infected with ransomware would be highly motivated to pay a ransom in order to get their production floor back up and running.

And this wasn’t your average ransomware. This new ransomware had undergone significant enhancements. Recent variants of the Locky ransomware that we saw, for example, had traded custom encryption algorithms for much more solid and robust Windows APIs and RSA encryption. This seems to have clearly been an attempt to thwart organizations that try to decrypt their files without paying the ransom.

Another ransomware variant we have been tracking is DMA Locker. Once it infects an organization, DMA Locker uses remote command-and-control servers to generate unique encryption keys. Because these encryption keys are generated off-site, reverse engineering the encryption is not currently possible. Which also means that if DMA Locker isn’t entirely removed from an infected network, repeat flare-ups by the exact same ransomware can generate additional ransom demands.

There are a number of things organizations can do to protect themselves. These include:

  • Control network access
  • Deploy email security with sandbox filtering
  • Maintain and patch software and operating systems
  • Segment your network to limit the affect of a breach
  • Eliminate or isolate vulnerable legacy devices and code
  • Perform regular system backups and store backups offsite
  • Reduce your attack surface by eliminating unnecessary devices and software, especially cloud-based applications that have not been vetted and approved by your IT team
  • Install security clients on endpoint devices and keep them updated
  • Enact regular staff training on how to detect and avoid common email and web-based attacks
  • Extend visibility across your entire distributed network
  • Assume you will be a victim of an attack and have a plan

That last one is critical. If you knew that you were going to be compromised, what would you do differently than you are doing right now?

To learn more about this new threat trend, click to read Fortinet’s latest CTAP report that covers these findings in technical detail.