Ransomware Targeting Manufacturers Now

Hi guys,

Last year several healthcare organizations were hit by ransomware. But now according to research conducted by Fortinet, Manufacturing will be the next industry targeted.

During the time period between the 1st of October 2015 and 30th of April 2016, Fortinet monitored network traffic for 59 medium to large manufacturers in 9 countries across the Americas, EMEA, and APAC. During those seven months,  8.63 million attempted attacks were recorded on those 59 manufacturers. And 78% of this malicious activity was targeted at large manufacturers with 1000 or more employees.

Manufacturing floors are highly automated. Causing disruption in any part of the supply chain can have negative effects. For example, there is a lot of stake in hitting the delivery timetables. Sometimes companies rely on legacy systems and attacks can cause a complete shutdown of the business. Attack of a manufacturing company can cause millions of dollars.

The majority of ransomware were the common malware but  it was noticed that nearly a third of these attacks (29%) were a new variant of a Trojan called Nemucod. It is surprisingly a threat that has dropped out of the top ten threats during the past several months, except in manufacturing, where its presence has spiked.

Nemucod is a well-established Trojan that can capture financial data like infected user’s banking login information. It usually spreads through email attachments that would download and install malware when the recipient clicked on an infected attachment.

Out of the four different Nemucod variants that made the Top 10 list of malware attacks on manufacturers, three of these variants had advanced enhancements that no longer required a user to take an action, such as opening a compromised attachment to get infected. These payloads carry ransomware. This is no longer an average ransomware; it now uses robust Windows APIs and RSA encryption. This gives little chance for the organisations to decrypt their data without paying ransom.

Manufacturering companies infected with ransomware would naturally want to pay off the ransom comparing with the loss the downtime can cause.

DMA Locker is another variant noticed. It uses remote command-and-control servers to generate unique encryption keys. Currently it’s not possible to reverse engineer the encryption keys because these encryption keys are generated off-site. That means  if DMA Locker isn’t entirely removed from an infected network, it can repeat flare up attacks.

Organizations can protect themselves by doing the following:

  • Control network access
  • Deploy email security with sandbox filtering
  • Update and patch systems
  • Segment the network to limit the effect of a breach and get rid of vulnerable legacy devices.
  • Reduce the attack surface by eliminating Software and systems that are unnecessary
  • Backup the systems regularly and maintain them offsite
  • Security clients, staff training, extended visibility across networks and contingency planning can greatly help


Source: Akati

Comments are closed.