Emerging Ransomware Trends in Critical Infrastructure: How Proactive Defense Makes a Big Difference
This blog was authored by Drew Schmitt. Schmitt is the Principal Threat Intelligence Analyst for the GuidePoint Research and Intelligence Team (GRIT).
Introduction
Recently, the GuidePoint Security Research and Intelligence Team (GRIT) published a white paper examining ransomware trends in Q1 of 2022. Specifically, we focused on the overall trends and demonstrated how impactful ransomware is across all industry verticals. In this blog, we partnered with MCCEI to focus on ransomware trends affecting critical infrastructure with an emphasis on the construction sector. Additionally, we review case studies of destructive attacks against critical infrastructure and look at how having proactive defense makes a big difference.
For years, ransomware has been one of the most devastating attacks an organization can encounter, leaving information systems crippled and unable to maintain operations. In recent years, ransomware and other destructive attacks have become more popular against organizations within the critical infrastructure sector. This causes real-world impacts directly affecting citizens across multiple countries, including introduction of supply chain challenges, limiting operations, and various other issues. With so many critical infrastructure entities attacked by ransomware, it can be difficult to maintain a positive outlook for the future of critical infrastructure in a cyber world.
As critical infrastructure, and other sectors of our economy, continue to become more integrated with cyber operations, it becomes imperative that we start to take a proactive defense approach to protect our information and operational technology systems. Through this proactive approach, we can make a difference in how we protect our systems and prevent destructive attacks, like ransomware, from occurring.
For information about ransomware trends across other industry verticals and why threat intelligence matters, download GuidePoint’s recently published White Paper.
2021-2022 Ransomware Trends
Examining past and present ransomware trends allows us to take a look at how ransomware affects all industries on a global scale and establishes a baseline of threat activity that we can use to evaluate and prioritize threats in our environments. This approach also allows us to analyze the impact to critical infrastructure sectors, and, more specifically, the construction sector.
Ransomware Trends at a High Level
Ransomware continues to be one of the most prolific threats to organizations across all sectors. Examining publicly posted ransomware victims from 2021 shows a consistent rate of victims published across all of 2021 with an average rate of 7.2 victims posted per day. Similarly in 2022, we see similar trends with consistent leak site postings and an average posting rate of 6.8 victims posted per day. Although there is a slight decline in the average posting rate so far during 2022, the average posting rate observed through Q1 of 2022 is significantly higher than the average posting rate of 4.5 victims posted per day in Q1 of 2021.
Figure 1: Ransomware Trends 2021-2022
Countries Most Affected by Ransomware
Ransomware is a global problem and affects countries indiscriminately, however, there are countries that are significantly more affected than others. The United States has consistently remained at the top of the most affected countries with other western countries such as Canada, France, the United Kingdom, and Germany rounding out the top five most affected countries in both 2021 and 2022.
| Country | 2021 Percentage of Ransomware Victims | 2022 Percentage of Ransomware Victims | Rate of Change (%) |
| United States | 47.8 | 38.7 | -9.1 |
| Canada | 4.8 | 3.9 | -0.9 |
| France | 4.6 | 3.7 | -0.9 |
| United Kingdom | 4.6 | 7.3 | +2.6 |
| Germany | 4.4 | 5.4 | +1.0 |
Table 1: Top Five Countries Impacted by Ransomware 2021-2022
So far in 2022, the United States and multiple commonly affected western countries are showing a decline in the number of victims affected by ransomware groups while other countries such as the United Kingdom and Germany are showing an increase in victims affected by ransomware. Further tracking and research will determine if these trends continue to hold true.
Ransomware’s Effect on Critical Infrastructure
Critical infrastructure is essential for a country’s ability to support its citizens and economy. Ransomware groups are aware of this importance, see various advantages to targeting this vertical, and oftentimes make hostile threats as a means to “up the ante” when it comes to victims that fall within critical infrastructure sectors. In Q1 of 2022, critical infrastructure made up 40.5% of all publicly posted ransomware victims. More specifically, there have been 31 public ransomware victims from the construction sector globally which made up 12.9% of all critical infrastructure victims.
Figure 2: Critical Infrastructure Sectors Affected by Ransomware (2022)
Zooming in on the Construction Sector
We have already established that the construction sector has been heavily impacted during Q1 of 2022. By reviewing the rate of public ransomware victims from 2021 and 2022, we see a consistent trend of the construction sector being affected by ransomware. On average during Q1 of 2022, ransomware claimed one public victim from the construction sector every 2.5 days.
Figure 3: Ransomware Impact on the Construction Sector
Much like general trends in ransomware, the construction sector is most affected in the United States with 14 publicly named ransomware victims in Q1 of 2022. The United Kingdom, Italy, Canada, and Qatar round out the top five most impacted countries with respect to the construction sector ranging from 1 – 3 publicly posted ransomware victims.
Figure 4: Construction Sector Countries Most Impacted by Ransomware
Case Studies Impacting Critical Infrastructure
Since 2017, there have been notable ransomware attacks that have impacted critical infrastructure sectors. More specifically, since 2021, critical infrastructure has been moved into the spotlight and was one of the most affected sectors on a global scale. The following case studies examine how ransomware groups have moved into a direct and open targeting methodology for critical infrastructure, and how ransomware and other destructive attacks have had a global impact.
Ukraine/Russia Conflict – Wipers Targeting Critical Infrastructure
Russia officially began their invasion of Ukraine on February 23, 2022, however, preceded by the physical invasion was a series of targeted cyber-attacks that focused on impacting Ukraine’s critical infrastructure, a behavior by the Russian government that is consistent with previous operations. In 2015, Russia attacked the Ukrainian power grid which resulted in power outages for over 200,000 consumers for multiple hours. We have observed similar behavior in 2022.
In the weeks leading up to the Russian invasion of Ukraine, several “wipers,” a type of malware that focuses on rendering systems and data unusable though wiping rather than encryption, were observed targeting Ukrainian governments and critical infrastructure entities. On May 10, 2022, the U.S. Department of State released an official statement attributing early cyber-attacks in Ukraine with operations conducted by the Russian government.
It is clear from the actions of the Russian government that targeting critical infrastructure is becoming an explicit component of military and cyber strategy and demonstrates the need for improved cyber defense capabilities focused on critical infrastructure protection and resiliency.
Conti Ransomware Group’s Threat to Critical Infrastructure
Shortly after the Russian invasion of Ukraine, Conti, one of the most prolific ransomware groups in 2021 and 2022, issued a statement indicating that they would “use [their] full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”
Figure 5: Critical Infrastructure Warning Posted to Conti News Leak Site
This message by Conti, which was posted to their ransomware leak site called “Conti News” is a clear example of how critical infrastructure is being targeted by nation states and ransomware groups alike.
2021 DarkSide Attack on Colonial Pipeline
The May 7, 2021 DarkSide ransomware attack on Colonial Pipeline may be one of the most well-known instances of critical infrastructure being attacked by ransomware that resulted in a tangible impact to fuel availability on the east coast for over a week.
Figure 6: DarkSide Ransom Note
In this case, the FBI was able to conduct an offensive operation that recovered a large portion of the 2.3 million USD ransom payment, however, the recovery of ransom payment from a threat actor is extremely rare and not likely to occur.
The Positive Outlook – Proactive Defense
Throughout this blog we have outlined how ransomware and other destructive attacks continue to be a significant problem for critical infrastructure. Ransomware as a primary threat continues to grow from year to year and is completely indiscriminate with how they target their victims to steal data and encrypt files. All of this gives a very “doom and gloom” feel, however, there is a bright side to all of this.
Despite the high risks associated with ransomware, we can still have a positive outlook that is focused on proactive defense to ensure our organizations are protected, and, in the event of an incident, we are ready to defend and respond to threats. Through the use of a layered defense, adequate preparation, and having an active approach to cybersecurity, we can make a big difference in our preparedness level that may prevent, or at least significantly limit, adverse impacts associated with a ransomware attack.
The Layered Defense Approach
Whether this strategy or another, such Zero Trust, it is important for an organization to establish a security strategy and build a program that will achieve a roadmap of progressive strategic objectives that will increase their sophistication, maturity, and ability to address various threats. A layered defense strategy consists of having multiple defense mechanisms that provide a redundant and comprehensive set of capabilities focused on defending your information systems and technology environment. This methodology allows for multiple detection and prevention points that provide the most resilient defense strategy. Through the implementation of multiple defense layers, we give ourselves the best opportunity to prevent and defend against destructive attacks like ransomware.
Preparation is Key
Being prepared for a destructive attack like ransomware is a key component of having a proactive defense strategy. Ensuring that an incident response plan has been drafted, approved, and reviewed is essential for ensuring that the incident response team and cybersecurity organization are ready to respond to active threats in the environment.
Similarly, practicing your incident response plan through table-top exercises and purple team engagements provides an environment where incident response teams can invoke the incident response plan and ensure that there are no gaps that would hinder response during an active threat. Additionally, a well-practiced incident response plan allows internal individuals, business units, and or other stakeholders within your organization to fully understand their unique roles and responsibilities during a response effort, versus having to actuate the plan in the middle of an incident.
Knowing when to bring in additional support and resources is critical for ensuring adequate preparedness. Exploring third party incident response retainers and cyber insurance policies are key components of cyber risk management and ensuring the organization can properly respond to ransomware.
Having an Active Approach to Defense
Cybersecurity is one of the most challenging and dynamic environments for a technology professional to operate. Threat actor tactics, techniques, and procedures seem to change continuously. Having an active approach to defense focuses on utilizing proactive incident response, hunting, and threat intelligence practices to keep pace with threats.
Performing regular hypothesis-based threat discoveries in your environment is a great way to find active threats. Using threat profiles to define common threat actor techniques and tactics improves the likelihood that you will discover eCrime and ransomware threats actively operating in your environment.
Having a pulse on dark web conversations and monitoring your attack surface is another method to proactively approach cybersecurity defense. Threat actors often have conversations, sell access, or discuss vulnerabilities that affect your infrastructure. Being able to detect these early gives a much better chance of mitigating the threat before it becomes a reality, or to help minimize the overall impact. Similarly, actively monitoring your attack surface allows you to see your infrastructure through the attackers’ eyes, which may reduce the likelihood of an attacker infiltrating your environment.
Both of these strategies align with an active approach to cyber defense, and, when integrated with cybersecurity teams such as vulnerability management, incident response, and security architecture, give organizations a thorough approach to reducing cybersecurity risk.
Conclusion
Ransomware is an all-too-common threat that affects industries across all verticals. Critical infrastructure is no exception and is explicitly targeted due to its value to the economy and society in general. As we have seen with the Russian government and ransomware groups such as Conti and DarkSide, critical infrastructure is at high risk for destructive attacks that have real world consequences for economies and citizens from multiple countries. That said, we can still have a positive outlook on how to approach the risks associated with ransomware and other destructive threats.
MCCEI, GuidePoint, and ABC Baltimore are hosting an in-person event on June 9 at Little Havana in Baltimore: Emerging Ransomware Trends in Construction and Critical Infrastructure: How Proactive Defense Makes a Big Difference. Sign up here.
Listen below to our podcast with Drew Schmitt as he talks about his career in cybersecurity.