Disrupting operations at manufacturing plants is a potentially lucrative path for threat actors specializing in ransomware. This article discusses the current state of ransomware in the manufacturing sector by focusing on the vulnerabilities, statistics, and some recent attacks.
Ransomware in Manufacturing: The Vulnerabilities and Statistics
Downtime in IT or OT systems is incredibly costly for manufacturers. Ransomware groups tend to direct more of their attention to companies that are more likely to pay to get their systems or data back. The vulnerability of manufacturers to production halts makes them prime targets for ransomware.
The move towards smart manufacturing increases the attack surface for all types of cyber attacks. Industrial OT devices control, monitor, and manage the physical assets and processes in manufacturing plants, from assembly lines to furnaces to motors. These devices are increasingly connected to the internet, and many of them are exploitable.
The potentially far-reaching consequences of a successful attack further increase the manufacturing sector's exposure to ransomware. For example, a ransomware attack on a company that manufactures vaccines could end up disrupting the supply of vaccines to citizens.
The statistics back up the notion that manufacturers are a significant target for ransomware attacks:
- The number of ransomware attacks targeting manufacturing companies tripled in 2020.
- Manufacturing companies are the biggest targets for double extortion ransomware, which exfiltrates data before locking down systems, further incentivizing victims to pay up.
- A Dragos paper on ransomware in industrial control systems environments found that 56% of attacks affected operations functionality at victim organizations.
Recent Ransomware Attacks in the Manufacturing Sector
AGCO: May 2022
AGCO, a global manufacturer and distributor of equipment used in the agriculture industry, announced that it had been hit with a ransomware attack. The total impact of the attack has not been published, but reports are that multiple production facilities were affected.
Snap-on: March 2022
Snap-on, a US-based manufacturer of tools and software used throughout the transportation industry, announced in April 2022 that it had been impacted by a ransomware attack the previous month. The company reported that the Conti ransomware gang had attacked it and that a limited amount of personal employee data had been stolen. The impacted employees were provided with a free year of credit monitoring service.
The Conti group went on to claim that the attack had in fact taken down IT operations at one of Snap-on's subsidiaries named Mitchell1. Conti proceeded to leak the stolen employee data online, but shortly thereafter the data was removed. This led security researchers to believe that Snap-on had paid the ransom demanded, but there are no details confirming payment or, if it indeed happened, what the amount of the ransom paid was.
JBS Foods: May 2021
JBS Foods is the world’s largest meat supplier. In one of the most high-profile attacks of 2021, the company’s North American and Australian systems were hit by ransomware. The attack resulted in a temporary shutdown of every JBS meat plant in North America.
As with many recent ransomware incidents that have made media headlines, the Russian group REvil was behind this attack. A Bitcoin ransom payment of $11 million made by JBS resulted in an extremely profitable payday for the REvil gang. By targeting a huge company that plays a critical role in the supply of meat to millions of end customers, REvil once again demonstrated the vulnerability of manufacturers to ransomware and the higher probability of receiving large payouts.
Sierra Wireless: March 2021
Sierra Wireless manufactures several types of wireless devices, including wireless modems, gateways, and IoT devices. In March 2021, the Canadian multinational became the victim of yet another high-profile ransomware attack. According to a public statement at the time, “the attack was limited to Sierra Wireless’ internal systems and corporate website”.
Even though customer data remained untouched, the attack still had a severe impact: production was temporarily halted at several of Sierra Wireless’ manufacturing locations. Thanks to a swift response by the company’s IT team and external advisors, the attack was stopped before it could inflict further damage and disruption.
Symrise: December 2020
Symrise is a German company that manufactures various fragrances and flavors used in a wide range of consumer-facing products. In December 2020, Symrise had to halt production in response to a ransomware attack. Bringing all critical IT and OT systems offline was regarded as necessary to stop the further spread of the attack.
The Clop ransomware gang was behind this attack on Symrise. Despite some arrests made by Ukrainian police in 2021, it appears that the Clop ransomware gang remains functional. The group encrypted up to 1,000 different devices on the Symrise network and stole 500 gigabytes of data.
Ransomware Defense Strategies for Manufacturing Companies
As threat actors continue to devise new ways of exploiting companies in the manufacturing sector, ransomware defense strategies need to focus on defense-in-depth. While ransomware prevention requires investment, that investment is still cheaper than the cost of operational disruptions.
As in many other sectors, ransomware operators often gain their initial foothold in a network through a phishing email. When it comes to manufacturing, attackers use more targeted phishing techniques, such as spear phishing, aimed at specific individuals.
It is important to have an email security solution in place that can stop suspicious emails before they make it to employees. The targeted nature of these emails can easily convince even employees who have reasonable levels of security awareness. As soon as a targeted individual opens an attachment or clicks a link, it is already a battle against the clock to avoid operational disruption.
Classify and Protect Production Systems
If production systems are compromised, the impact on operations is often immediate and devastating. It is critical for manufacturers to classify and take an inventory of all devices that are critical for operations.
It is also helpful to record the firmware version, patch level, and configured users for each asset. Using the results of this classification effort, implement a zero-trust strategy for these assets so that you can properly segment the network and control communication flows. Unidirectional gateways (data diodes) let production data flow out to other business systems while physically preventing traffic in the other direction, so ransomware spreading across the IT network cannot reach the production side and cause immediate operational disruption.
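The classification and segmentation steps above can be checked mechanically once the inventory exists. The following script is an added example, not code from the original article or from IRONSCALES: it holds a constructed OT/DMZ/IT asset inventory (hypothetical names and addresses), a zone policy in which data may only flow upward from OT into the DMZ and from IT into the DMZ, and a handful of constructed flow records of the kind a firewall or NetFlow export would produce. It reports flows that break the policy, devices on the plant network that are missing from the inventory, and critical assets whose firmware level or configured users were never recorded.

```python
"""Audit an OT asset inventory and observed network flows against a zone policy.

Added example: inventory, address ranges and flow records below are constructed
for illustration and do not describe any real plant.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str                 # "ot", "dmz" or "it"
    critical: bool = False    # production halts if this asset is unavailable
    firmware: str = ""        # firmware / patch level recorded at inventory time
    users: tuple = ()         # accounts configured on the device


# Constructed inventory (hypothetical names and addresses).
INVENTORY = [
    Asset("plc-line1", "10.10.1.10", "ot", critical=True, firmware="2.8.1", users=("admin",)),
    Asset("hmi-line1", "10.10.1.20", "ot", critical=True, firmware="5.0.2", users=("operator", "admin")),
    Asset("furnace-ctl", "10.10.2.7", "ot", critical=True),   # never fully inventoried
    Asset("historian", "10.20.0.5", "dmz", firmware="2021.3", users=("svc_hist",)),
    Asset("erp-app", "10.30.0.40", "it", users=("erpadmin",)),
    Asset("ws-finance", "10.30.5.17", "it", users=("jdoe",)),
]

# The plant's own address space (constructed). Anything else is "internet".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Allowed (source_zone, destination_zone) pairs. OT pushes data up into the DMZ
# (e.g. through a unidirectional gateway to the historian), IT reads from the
# DMZ, but nothing may talk directly from IT or the internet into OT.
ALLOWED_FLOWS = {
    ("ot", "ot"),
    ("ot", "dmz"),
    ("it", "dmz"),
    ("it", "it"),
    ("it", "internet"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port), as a firewall or
# NetFlow collector would report them. Public addresses are RFC 5737 test nets.
OBSERVED_FLOWS = [
    ("10.10.1.20", "10.10.1.10", 502),     # HMI -> PLC (Modbus): allowed
    ("10.10.1.10", "10.20.0.5", 443),      # PLC -> historian: allowed
    ("10.30.0.40", "10.20.0.5", 1433),     # ERP -> historian: allowed
    ("10.30.5.17", "10.10.1.10", 502),     # finance workstation -> PLC: violation
    ("10.10.1.20", "203.0.113.9", 443),    # HMI -> internet: violation
    ("10.10.3.99", "10.10.1.10", 44818),   # uninventoried host -> PLC: unmanaged
    ("10.30.5.17", "198.51.100.7", 443),   # workstation -> internet: allowed
]


def zone_of(ip, by_ip):
    """Inventory zone if known; 'unknown' for an internal address that is not
    in the inventory (an unmanaged device); 'internet' for anything external."""
    asset = by_ip.get(ip)
    if asset:
        return asset.zone
    addr = ipaddress.ip_address(ip)
    return "unknown" if any(addr in net for net in INTERNAL_NETS) else "internet"


def audit_flows(inventory, flows, allowed=ALLOWED_FLOWS):
    """Return one finding per flow that violates the zone policy or touches an
    unmanaged device. Flows into production-critical assets are rated high."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for src_ip, dst_ip, port in flows:
        src_zone, dst_zone = zone_of(src_ip, by_ip), zone_of(dst_ip, by_ip)
        dst = by_ip.get(dst_ip)
        severity = "high" if dst and dst.critical else "medium"
        if "unknown" in (src_zone, dst_zone):
            kind = "unmanaged_device"
        elif (src_zone, dst_zone) not in allowed:
            kind = "policy_violation"
        else:
            continue
        findings.append({"kind": kind, "severity": severity, "src": src_ip,
                         "dst": dst_ip, "port": port, "path": f"{src_zone}->{dst_zone}"})
    return findings


def inventory_gaps(inventory):
    """Flag critical assets whose record lacks a firmware level or user list,
    i.e. where the classification step described above is not finished."""
    gaps = []
    for a in inventory:
        if not a.critical:
            continue
        if not a.firmware:
            gaps.append((a.name, "firmware level not recorded"))
        if not a.users:
            gaps.append((a.name, "configured users not recorded"))
    return gaps


if __name__ == "__main__":
    for finding in audit_flows(INVENTORY, OBSERVED_FLOWS):
        print(finding)
    for gap in inventory_gaps(INVENTORY):
        print(gap)
```

Run against the constructed data, the audit reports the finance workstation reaching the PLC (it->ot, high), the HMI reaching the internet (ot->internet), an internal host not in the inventory talking to the PLC, and the furnace controller's incomplete record. In a real plant the flow records would come from firewall or NetFlow logs and the inventory from the classification exercise; the policy set is the part that encodes the segmentation decisions.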
Have a Backup Strategy
A backup strategy is still helpful for restoring operations quickly in the aftermath of a successful ransomware attack, even if the perpetrators manage to exfiltrate data. If downtime is one of the most expensive outcomes for manufacturers, it’s worth minimizing it with robust offline backups of production systems and regular tests that those backups can actually be restored.
Manufacturers across all industries are susceptible to ransomware attacks. It’s important for all manufacturers to harden their defenses against ransomware in light of several devastating recent incidents that resulted in costly downtime and, in some cases, enormous payouts. Manufacturing operations will always be vital to more than just the companies that make products, so it’s prudent to take a cautious security-first approach in all manufacturing plants.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.
This blog was updated in June 2022