Report: 1 in 7 Ransomware Attacks Expose Critical Enterprise Information
A recent security report found that ransomware attacks on organizations that result in critical operational technology (OT) information being leaked are on the rise.
The study, conducted by security firm Mandiant, found an increase in what it calls "multifaceted extortion," in which large amounts of compromised organizational data are disclosed on shaming Web sites -- sites specializing in humiliating individuals or businesses by posting sensitive internal data.
Per the Mandiant research report:
Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation. Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks.
Mandiant said that more than 1,300 organizations were affected by a multifaceted extortion attack in 2021, and the data included admin credentials and passwords, in-depth process documentation, legal agreements and financial records, to name a few. While Mandiant redacted the names of those affected organizations, the most notable ones included a manufacturer of industrial and passenger trains, two oil and gas companies and a satellite vehicle tracking service provider.
The nature of the leaked data can open up an organization to further attacks. The security firm found that the data can then be obtained by espionage groups to aid in state-sponsored campaigns against specific targets, as was the case in the widely covered Ukraine power outages in 2015 and 2016, which started as multifaceted extortion. Mandiant pointed to the ease with which it obtained the terabytes of leaked data for this report as an example of how readily available this information is once released by attackers.
Another major problem with exposed OT data is that the threat of a follow-up attack can come years after the initial incident. "Even if the exposed OT data is relatively old, the typical life span of cyber physical systems ranges from twenty to thirty years, resulting in leaks being relevant for reconnaissance efforts for decades -- much longer than exposed information on IT infrastructure," read the report.
As for what organizations can do to mitigate their risk of leaked OT data due to ransomware attacks, Mandiant said it all starts with a strong proactive approach from IT, which includes:
- A robust data handling policy for employees and contractors that includes limiting sensitive data on unsecured networks.
- Proper training and vetting of any outside contractors on organizational safety procedures.
- If a leak does occur, conduct an immediate audit of the leaked data to identify any possible attack entry points and change all affected credentials.
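The last step, auditing a leak dump for entry points and credentials to rotate, is the kind of work a small triage script can front-load. The following is an added example, not code from the article or from Mandiant: it scans a constructed set of leaked text files for credential lines, IPv4 addresses and OT vocabulary, ranks the files by how much reconnaissance value they give an attacker, and returns the accounts that need their credentials changed. The scoring weights, regexes and sample file contents are assumptions chosen for illustration.

```python
import re

# Constructed sample of files as they might appear in a leak dump (not real data).
SAMPLE_LEAK = {
    "plant/network_diagram_notes.txt": (
        "HMI-01 192.168.10.5 reachable from corp VLAN 20\n"
        "PLC line3 (Modbus/TCP) 192.168.10.17 no firewall between zones\n"
    ),
    "it/vpn_admin_creds.txt": (
        "username: admin\npassword: Summer2021!\nhost: vpn.example.invalid\n"
    ),
    "legal/supply_agreement.txt": "This agreement is entered into by ...\n",
}

# Hypothetical patterns: credential key/value lines, hostnames, IPv4 literals, OT terms.
PASS_RE = re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[:=]\s*(\S+)")
USER_RE = re.compile(r"(?im)^\s*(?:username|user|login)\s*[:=]\s*(\S+)")
HOST_RE = re.compile(r"(?im)^\s*(?:host|hostname|server)\s*[:=]\s*(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OT_RE = re.compile(r"\b(plc|hmi|scada|modbus|dcs|rtu|historian|vlan)\b", re.I)

def score_file(text):
    """Return (score, findings) for one leaked document.

    Weights (assumed): a password is worth more than an address, which is worth
    more than a stray OT term, since passwords are immediate entry points."""
    findings = {
        "passwords": PASS_RE.findall(text),
        "usernames": USER_RE.findall(text),
        "hosts": HOST_RE.findall(text),
        "ip_addresses": sorted(set(IPV4_RE.findall(text))),
        "ot_terms": sorted({m.lower() for m in OT_RE.findall(text)}),
    }
    score = (10 * len(findings["passwords"])
             + 3 * len(findings["ip_addresses"])
             + 2 * len(findings["ot_terms"]))
    return score, findings

def triage(leak):
    """Rank files by score (highest first) and list (user, host) pairs to rotate."""
    ranked, rotate = [], set()
    for path, text in leak.items():
        score, f = score_file(text)
        ranked.append((score, path, f))
        if f["passwords"]:  # only accounts whose secret actually leaked
            for user in f["usernames"]:
                for host in f["hosts"] or ["<unknown-host>"]:
                    rotate.add((user, host))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked, sorted(rotate)

if __name__ == "__main__":
    for score, path, f in triage(SAMPLE_LEAK)[0]:
        print(score, path, f["ip_addresses"], f["ot_terms"])
```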