Ransomware availability is now at an all-time high globally. Not only is ransomware more easily available, but the average cost of ransomware has dipped by as much as 70 percent since February 2022 when the Russo-Ukraine war began. This is one reason why complex ransomware is now turning up in places it never was before. This dip has attracted new players and also contributed in some extent to the growing attacks on businesses that run on or have OT in their infrastructure.
Growing Ransomware as a Service (RaaS) economy
The global RaaS economy is now estimated to be worth more than a billion dollars. The business is not just highly profitable but is also working its way towards evolving some kind of an information structure and functional streamlining. The hierarchy of RaaS is a simple one. At the bottom rung lie freelancers who work with a contractor who is tied to multiple ransomware groups. The contractors are responsible for the recruitment and allocation of freelancers for specific projects that are chosen by the ransomware groups such as Lockbit.
The freelancers are given assignments based on which their skill sets are evaluated and they also receive rewards based on these assignments. A contractor may float a job ad in the dark or surface web calling for the recruitment of freelancers for specific projects. Depending on the skillsets and scope of a project, a freelancer can expect to earn anywhere between $300 to $ 500000 for a single project. If the victim is attacked again based on stolen credentials or if the stolen data gets resold, the freelancers and contractors behind that project can expect to get additional commissions.
Groups like Contii have made RaaS projects exceptionally rewarding with a shoot, scoot, and regroup model. This model involves ransomware groups routinely reassembling after disbanding in the aftermath of a successful ransomware campaign. These groups also maintain a secret inventory of bugs to exploit. The malware development cycle for exploiting a specific high-value bug is today in the range of a day to a week depending on the complexity of the exploit.
Unlike earlier ransomware groups, groups today are more sophisticated and use better tools, communication means and random targeting is almost unheard of among them. Each target is chosen with diligence and handed over to contractors for acquisition. Contractors may also decide on targets at their discretion to increase their earnings from a specific family of ransomware. By mobilizing an army of freelancers the contractors and ransomware groups benefit from higher levels of anonymity and a more fluid chain of association. Thus the risks of an entire chain of cybercriminals being exposed are significantly reduced.
Implications of RaaS for OT security
Ransomware groups are now openly targeting manufacturing and utility firms that have a high percentage of OT installations. A soon-to-be-published study by Sectrio reveals the gravity of the problem. The study found that over 150000 ports connected with various OT and IT services were available for scanning by an external actor. Some of these ports also provided access to core IT and OT assets raising the alarming prospect of a massive and debilitating cyberattack unless these ports (opened inadvertently we assume) are closed rapidly and the networks connected assessed for any signs of unauthorized entry.
Here is why OT security teams need to get their act together fast:
- OT control systems are seen as easy entry points to other parts of the network by hackers
- Lack of visibility and control into connected OT systems and networks makes them the perfect candidates for intrusion and hijack attempts
- Our recent CISO survey revealed that the frequency of security audits, skill up-gradation, and infrastructure threat assessments conducted by businesses are not aligned to the needs of the evolving threat landscape out there. Such businesses are consequently rendered vulnerable to a cyberattack by these ransomware groups
- Many businesses do not have an OT security policy that could have drawn attention to the unique requirements associated with OT security