Top Targets: The Impact of Ransomware on Manufacturing

The Global Resilience Federation’s H1 2024 Semiannual Ransomware Report finds that the manufacturing industry has experienced more ransomware attacks so far this year than any other sector. Here’s what manufacturing cybersecurity teams need to know – and how to protect against this prevalent threat.

Ransomware continues to dominate as one of the most pressing security challenges for organizations around the world. In the first installment of our blog series on ransomware, we dove into findings from the Cyentia Institute’s CISA-sponsored ransomware report, which revealed that exposed, public-facing assets are top initial access vectors for ransomware groups.

In this next installment of our series, we’re exploring key insights from the Global Resilience Federation’s (GRF) H1 2024 Semiannual Ransomware Report and their implications for the manufacturing industry, as well as what manufacturing security teams can do to take action.

What Did GRF Research? 

GRF’s ransomware report collected data from both public sources and closed threat actor forums to compile data on 1,690 ransomware attacks in the first half of 2024. Their semiannual report sets out to measure the impact of ransomware attacks and identify trends shaping the security landscape.

Overarching takeaways from their H1 2024 report include:

  • The top ransomware threat actor was LockBit, with 340 successful attacks.
  • The United States was targeted by 64% of all ransomware attacks.
  • Re-extortion has emerged as a complication for both victims and the Ransomware-as-a-Service business model itself.
  • Manufacturing was the industry most targeted by ransomware attacks, with 281 victims.

Given that manufacturing is a top target, we’re taking a closer look at key findings for this industry in particular. (Note: GRF’s reporting also covers the impact of ransomware across other industries, including education, energy, and professional services.)

The Impact of Ransomware on Manufacturing in H1 2024 

1. The Threat to the Global Manufacturing Ecosystem Remains High

GRF’s analysis finds that in the first half of 2024, critical manufacturing companies experienced the most ransomware attacks of any industry, with 281 successful attacks globally. The sector has retained its top spot from 2023; critical manufacturing was also the most targeted industry in GRF’s 2H 2023 ransomware report.

[Figure: ransomware attacks per sector. Source: GRF H1 2024 Global Ransomware Resiliency Report]

GRF suggests manufacturing has been an attractive industry for ransomware groups because the sector relies heavily on physical operations to generate profit. Rather than just encrypt data, bad actors can launch denial-of-service attacks on OT, ICS, and other Internet-connected systems that manufacturers rely on for production. These attacks can bring operations to a standstill, with the potential for long-tail ripple effects throughout the supply chain.

The opportunity for disruption in manufacturing is therefore high – as is threat actors’ expectation that manufacturing companies will make ransom payments to resume operations. In 2023, 62% of manufacturing victims made ransom payments, nearly double the share of those who paid in 2022 (34%), according to reporting from Sophos.

Examples of recent ransomware attacks in manufacturing abound. In 2023, a ransomware attack on consumer goods manufacturer Clorox resulted in extended product shortages and $356 million in total damages. Ransomware attacks on laptop manufacturer Clevo and telecommunications equipment manufacturer Allied Telesis are among the many that have played out across the industry in the first half of 2024, according to reporting from Dragos.

2. The Shift to Small Manufacturers: A Growing Concern

Ransomware groups are also targeting new demographics within manufacturing. GRF states that while ransomware attacks have historically been launched against mid-sized manufacturing companies, in H1 2024 small manufacturers emerged with a slight lead to become the most attacked group within the industry. As GRF states, “The reason for this shift may not be financial incentives, but rather that mid-sized manufacturers are increasingly hardening their systems, forcing a shift to easier targets.”

In one sense, this finding offers encouragement, as it suggests that more manufacturing companies with the means to fortify their cybersecurity defenses are doing so. In another sense, the finding underscores the reality that no company is too small to attract attention from ransomware groups, and that these threat actors will take ransom payments where they can get them.

3. Bolstering Defenses: A Mixed Picture

GRF’s report offers a glimmer of hope: there seems to be a growing awareness within the manufacturing sector of the need for robust cybersecurity measures. The number of successful ransomware attacks on manufacturers decreased by 20% in the first half of 2024 compared to the second half of 2023 according to GRF’s reporting. However, it’s too early to say if this is a sustained trend.

Despite this progress, manufacturers remain a top target. Understanding how ransomware groups operate is critical to staying ahead. The Cyentia Institute’s recent ransomware report revealed that exploited, public-facing assets are the primary access points for ransomware attacks. Threat actors see unpatched vulnerabilities on these assets as easy pickings, often exploiting them before security teams can patch.

How Censys Helps Security Teams Stay Ahead

To minimize the risk of successful ransomware attacks and take immediate action against the exposures bad actors will exploit, manufacturing security teams need continuous visibility into all of their systems and devices that are connected to the public-facing Internet.

Manufacturing security teams can gain this complete visibility with Censys.

Customers of Censys Search and Censys ASM can run the following manufacturing use case queries against our leading set of Internet intelligence to identify, monitor, and protect their Internet-facing assets.

Queries for Manufacturing Use Cases 

Relevant Protocols:

  • Building Automation Protocols
      • BACnet
      • LonWorks
  • PLC (Programmable Logic Controller) Communication
      • Unitronics PCOM
      • CODESYS
      • Siemens S7
  • Industrial Networking and IIoT
      • EtherNet/IP
      • OPC UA
  • HMI/SCADA
      • Red Lion Crimson
      • IEC 61850

Vendor Queries:

  • Allen-Bradley/Rockwell Automation
  • Beckhoff
  • Siemens

For an example of Censys in action, check out our tutorial on how to discover and protect OT devices using a simple string of queries.

The Censys Research Team has also leveraged the proprietary dataset that powers Censys Search and Censys ASM to identify exposures across Internet-connected Industrial Control Systems (ICS), many of which are relied upon by manufacturers.

In their most recent research report, the team found 18,000 exposed devices in the U.S. that likely control industrial systems. These findings further underscore the important opportunity manufacturers have to better manage exposures and minimize the risk of attacks. You can read their report here.

Conclusion: Reducing Risk with Censys 

Manufacturing companies of all sizes rely on Censys as a critical line of defense against ransomware and other attacks.

With Censys Attack Surface Management (ASM), manufacturing security teams gain a comprehensive, accurate, and up-to-date view of their entire attack surface, including visibility into both known and unknown assets.

Censys ASM empowers teams with:

  • Continuous Asset Discovery: Automatically uncover all assets across your attack surface, including those often missed by other tools.
  • Comprehensive Asset Inventories: Maintain a detailed, real-time inventory of all assets, helping prioritize vulnerabilities effectively.
  • Risk Prioritization: Identify and prioritize the most critical vulnerabilities to ensure they’re patched before ransomware groups can exploit them.
  • Rapid Response Alerts: Receive alerts within 24-72 hours if your assets are affected by new zero-day exploits. Censys is the only ASM provider to offer a Rapid Response program.

Security teams can also leverage Censys Search to directly search for exposed protocols and services. As with Censys ASM, Censys Search leverages our leading Internet intelligence to give users an unparalleled view into the public-facing Internet. With easy-to-use queries, plain language labels, and thousands of searchable fields, manufacturing security teams can use Censys Search to swiftly identify and mitigate risks before they lead to an attack.

You can learn more about the specific ways Censys helps limit the impact of ransomware on manufacturing and other organizations in our recent blog. Or, you can reach out to us for a personalized conversation with one of our team members.
