Skip to content

Latest commit

 

History

History
106 lines (90 loc) · 12.1 KB

Issue03.md

File metadata and controls

106 lines (90 loc) · 12.1 KB
Raw

📰 Issue 03: Financial Impacts of Ransomware Can Reach Up to US$1 Million in Critical Infrastructure

Claroty published a report from an independent global survey that interviewed 1,100 cybersecurity professionals responsible for the protection of cyber-physical systems (CPS). CPS encompasses operational technology (OT), Internet of Things (IoT), connected medical devices (Internet of Medical Things [IoMT]), and building management systems (BMS). The report highlights the financial impacts and business disruptions resulting from cyber incidents.

This document also incorporates data from reports by KnowBe4 and Sophos. Sophos’ The State of Ransomware 2024 is based on a survey conducted with 5,000 information technology (IT) and cybersecurity leaders across fourteen countries between January and February 2024.

📝 General Notes

  • 1️⃣ According to 45% of respondents, financial impacts over the past year amounted to approximately US$500,000, primarily due to revenue loss, recovery costs, and overtime payments to employees.
  • 2️⃣ Additionally, 27% of professionals reported financial impacts reaching US$1 million or more as a result of cyberattacks affecting CPS.
  • 3️⃣ For 12% of participants, the financial losses associated with cyber incidents exceeded US$5 million.
  • 4️⃣ The electric sector stands out as one of the most financially impacted industries.
    • The situation becomes increasingly concerning as both virtual and physical vulnerabilities in the power grid continue to multiply. According to a report by KnowBe4, approximately 24,000 exploitable points were identified in the U.S. power grid as of April 2024.
    • As highlighted by the Sophos study, the energy, oil/gas, and utilities sectors are the most susceptible to the exploitation of unpatched security flaws. This vulnerability is largely attributed to the high prevalence of legacy technologies currently in use, which are more prone to security breaches.
  • 5️⃣ From an operational perspective, 49% of respondents experienced more than twelve hours of downtime, with the recovery process extending to a week or longer. Even more concerning, 29% of professionals reported that restoring operations took approximately one month.
  • 6️⃣ In terms of connectivity, 45% of respondents indicated that at least half of their institutions’ CPS assets are connected to the Internet for remote access. Among them, 36% indicated a virtual private network (VPN) as their preferred connection method.
    • However, most VPN solutions lack native session recording capabilities, role-based access control, and comprehensive monitoring and auditing functionalities.
  • 7️⃣ 32% of respondents admitted to directly connecting CPS to the Internet using public-facing/open ports. Another 32% reported using TeamViewer, which experienced a security breach this year, or similar tools like AnyDesk, which also suffered a cyberattack in 2024.
    • 46% of professionals indicated using six or more remote access tools for CPS within their work environments, significantly increasing the attack surface of these organizations.
  • 8️⃣ A total of 82% of respondents reported experiencing at least one cyberattack originating from third-party access to CPS.
  • 9️⃣ The lack of standardized cybersecurity practices, combined with the absence of incident response plans and other protective measures, can render some companies uninsurable, increasing the risk of irreparable financial and operational damage.
  • 🔟 The four main consequences of cyberattacks with the most lasting effects were:
    • Loss or malicious manipulation of data (19%).
    • Violations of data privacy policies (15%).
    • Inaccessibility of systems and data (13%).
    • Irrecoverability of systems and data (13%).

💸 Specific Insights on Ransomware

  • 53% of respondents reported facing ransom demands exceeding US$500,000 for the recovery of encrypted files and systems.
    • 23% encountered ransom requests ranging from US$1 million to US$5 million.
  • According to data from Sophos, 63% of ransom demands in 2024 were US$1 million or higher.
    • 30% of these demands reached US$5 million or more.
    • In 2024, among the 1,097 respondents whose organizations paid the ransom, the average payment amounted to US$3,960,917.
  • Despite recommendations to the contrary from law enforcement and cybersecurity experts, organizations often find themselves compelled to negotiate and comply with cybercriminal demands to minimize operational impact.
    • As highlighted in the KnowBe4 report, the Colonial Pipeline ransomware attack serves as an example. The company supplies over 45% of gasoline, diesel, jet fuel, and natural gas to the U.S. East Coast. As a result of the attack, parts of the pipeline system were taken offline, leading to a state of emergency declaration in seventeen states and the District of Columbia. The company chose to pay 75 bitcoins, equivalent to approximately US$5 million at the time. This decision, unfortunately, perpetuates the incentive for cybercriminals to continue investing in malicious ransomware operations.
    • In 2024, 56% of organizations surveyed for the Sophos report paid the ransom to recover their data.
  • Ransomware remains a significant threat to hospitals, compromising patient care integrity. In this sector, 78% of professionals reported ransom payments of US$500,000 or more.
  • As highlighted in the Sophos investigation, 59% of participating organizations reported being targeted by ransomware attacks.
    • On average, fewer than 49% of an organization’s devices are typically impacted by ransomware attacks.
    • Approximately 4% of organizations reported that between 91% and 100% of their systems and data were encrypted.
  • The Claroty survey emphasizes that to minimize disruptions in CPS, four types of threats should be prioritized in order of importance:
    1. ❗ Ransomware and extortion.
    2. ❗ Disruption and sabotage by state actors.
    3. ❗ Hacktivists.
    4. ❗ Denial-of-Service (DoS) attacks.
  • The Sophos survey identifies the typical origins of ransomware attacks in 2024:
    1. 💀 Exploited vulnerability (32%).
    2. 💀 Compromised credentials (29%).
    3. 💀 Malicious email (23%), containing a malicious link or attachment that downloads malware.
    4. 💀 Phishing (11%).
    5. 💀 Brute-force attack (3%).
    6. 💀 Download (1%).
  • 🚨 In its report, Sophos indicates that 94% of organizations victimized by ransomware observed that attackers attempted to compromise their backups during the attacks. Notably, 57% of these attempts were successful.

Recommendations

  • The Claroty report recommends five priority areas to strengthen CPS resilience against cyberattacks, ensuring service integrity and production continuity:
    1. 🔒 Asset inventory and visibility.
    2. 🔒 Exposure and risk management.
    3. 🔒 Secure remote access.
    4. 🔒 Network protection (machine-to-machine & cloud workload-to-machine).
    5. 🔒 Threat detection.
  • The KnowBe4 report also presents recommendations for strengthening organizations’ cyber defenses. Complementing the previously mentioned areas, the following strategies are emphasized:
    1. 🔒 Foster a cybersecurity culture through continuous training, regular assessments, and periodic cyber incident simulation exercises.
    2. 🔒 Establish secure backup systems.
  • Additionally, the Sophos report suggests the following measures:
    1. 🔒 Implement multi-factor authentication (MFA) to limit credential abuse.
    2. 🔒 Utilize dedicated ransomware protection solutions, with a particular focus on endpoints (including servers).

📚 References

  • Greenberg, A. (2021, May 08). The Colonial Pipeline Hack Is a New Extreme for Ransomware. WIRED, Security. Link
  • Ilascu, I. (2021, May 10). US Declares State of Emergency After Ransomware Hits Largest Pipeline. BleepingComputer. Link
  • Newman, L. H. (2021, May 14). Colonial Pipeline Paid a $5M Ransom—and Kept a Vicious Cycle Turning. WIRED, Security. Link
  • Claroty. (2024). The Global State of CPS Security 2024: Business Impact of Disruptions — An Analysis of the Financial and Operational Impact of Cyberattacks Affecting Mission-Critical Infrastructure. Link
  • KnowBe4. (2024). Cyber Attacks on Infrastructure: The New Geopolitical Weapon. Link
  • AnyDesk. (2024, February 02). AnyDesk Incident Response 2-2-2024. Link
  • AnyDesk. (2024, February 05). AnyDesk Incident Response 5-2-2024. Link
  • Akamai Security Intelligence Group. (2024, February 07). The AnyDesk Breach: Overview and Recommendations. Akamai, Blog. Link
  • Kearney, L. (2024, April 04). US Electric Grid Growing More Vulnerable to Cyberattacks, Regulator Says. Reuters. Link
  • Sophos. (2024, April 22). The State of Ransomware 2024. Link
  • Abrams, L. (2024, June 27). TeamViewer's Corporate Network Was Breached in Alleged APT Hack. BleepingComputer. Link
  • TeamViewer. (2024, June 27). TeamViewer IT Security Incident (TV-2024-1005). Link
  • Abrams, L. (2024, June 28). TeamViewer Links Corporate Cyberattack to Russian State Hackers. BleepingComputer. Link
  • Arghire, I. (2024, October 04). Ransomware Hits Critical Infrastructure Hard, Costs Adding Up. SecurityWeek. Link

🔖 Nomenclature

  • BMS: Building management systems.
  • CPS: Cyber-physical systems.
  • DoS: Denial-of-Service.
  • IoT: Internet of Things.
  • IoTM: Internet of Medical Things.
  • IT: Information technology.
  • MFA: Multi-factor authentication
  • OT: Operational technology.
  • VPN: Virtual private network

Ind.Cyber.Sec Letters . Issue 03 . 2024-10-28

Prof. Dr. Luiz F. Freitas-Gutierres