Malware Infostealers and Ransomware Turn Attention to Manufacturers

Manufacturing is “always on,” which makes it attractive to former malware botnet operators looking to boost their own profits.

Ransomware Ransomnote On Computer 537383764 3775x2643

As manufacturers experienced significant operational challenges during the pandemic, they've also faced an increasingly menacing foe — cyberattackers. While enterprise attacks tripled during the pandemic's peak, the manufacturing sector was hit especially hard. In fact, the industry reported the highest number of ransomware attacks over the last 12 months.  

Worse yet, the economic impact that these nefarious parties pose is increasing, as they target manufacturers for Intellectual Property (IP). As such, the cost of a breach for manufacturers is now greater than $1M, according to MAPI. Why? The manufacturing industry is one that’s operationally “always on,” which makes them an attractive target for money-hungry, former malware botnet operators who are increasingly deploying ransomware and malware infostealers to boost their own profits. 

Although the takedown of the Emotet botnet in January brought short-term celebration, security researchers and analysts alike have been wary of the resulting fallout and what it means for all organizations. The action has resulted in scattered pockets of less familiar but equally aggressive cybercrime groups using both ransomware and infostealers in targeted new ways.

Take, for example, the recent ransomware attack on Acer, the computer manufacturer that was hit with a bold $50M ransomware demand from the REvil/Sodinokibi ransomware group. This stands as the highest ransomware demand to date and serves as a warning for what lies ahead for other manufacturers.

And with other advanced threat groups like WastedLocker, Egregor, Clop, Netwalker, and Lockbit also operating in the background from Emotet’s fallout, security teams certainly have their work cut out for them. 

Ransomware Thrives on Manufacturers’ Need to Pay 

As manufacturers continue to navigate their digital transformation by implementing new technologies such as IoT and cloud technology, they’re also putting themselves at a heightened risk for unnecessary exposure. Although Industry 4.0 holds the opportunity for enterprises to streamline and improve multiple facets of their organization’s processes, it also means industrial, and networking assets are often exposed by connecting operational and information technology.  

As such, human-operated ransomware where the criminals hack into the victim’s network and exfiltrate data before encrypting networks is becoming increasingly prevalent. The shift to stealing data has led manufacturers to worry about the sensitive loss of stolen IP rather than only worrying about being locked out of business operations. 

To do this, cybercriminals aren’t just relying on malware and opportunistic infections. They’re also bringing advanced network penetration and other skills to the top of their toolboxes. So, instead of only delivering malware through downloaders, the attackers gain control over the network through propagation. 

Although this sobering trend is not limited to the manufacturing industry, cyberattackers are keenly aware of the data manufacturing facilities have on hand. They also realize that these types of enterprises can suffer significantly from downtime. And although 2020 left a surge of manufacturing-related cyberattacks in its wake, 2021 is already shaping up to be more tumultuous for manufacturers.

 Given the damage done, manufacturing security professionals need to understand how ransomware and malware operators bypass detection to access the most critical aspects of their networks:

  • Cyberattackers are now bypassing behavior analysis used by security solutions by introducing noise or introducing trustworthy key indicators mixed with malicious content.
  • Hackers are bypassing best practice whitelisting products and configurations by leveraging already whitelisted processes. While many of these organizations have safeguards in place, there’s still a substantial portion of manufacturing executives that lack confidence that their IP assets are adequately protected.

In January, Morphisec identified a significant banking trojan/infostealer campaign targeting multiple German customers from the manufacturing industry for IP. In this specific example, targeted personnel were redirected to compromised websites that were still delivering advanced fileless downloaders that eventually lead to an Osiris client with a bundled mini-Tor communicating to a C2 onion Tor panel. The victim received a link to a compromised website that contained a download link to a malicious zip file, which then contained a JS file., the web page and the file name translates to “collective agreement on-call remuneration ig metal.” 

These types of infostealer and financially-motivated attacks, which have been common in the financial sector, are now targeting manufacturing companies for espionage. Unlike ransomware, which can be sudden and render short-term gains for hackers, malware is deployed as a part of a long-term campaign seeking access to specific proprietary information.

The Need for Zero Trust Grows by the Day

Without being able to let their guard down amid the skyrocketing use of ransomware and infostealers, ‘zero trust’ has become a rallying cry for manufacturing security professionals. The zero trust model is based on not automatically trusting anything inside or outside its perimeters. Instead, every application and other action trying to connect to the network needs to be verified before granting access. 

This concept is essential for manufacturers that are pivoting from their old, outdated legacy systems to the cloud with mission-critical data. A zero trust model serves to prevent automatic approval to anyone attempting to access their company’s network. This applies to everyone, including internal employees or even external suppliers and vendors. Although restricted access can potentially slow down operations, it also effectively reduces the access for cyber attackers by extension. 

A proactive defense approach can be particularly effective at achieving zero trust through means of hardening, deception, and creating active adversary engagement operations. These approaches can reduce the attack surface by either removing a surface that is not required or by hiding or morphing the operational surface, such as the application's runtime. Preventive protection needs to be applied end-to-end through the attack cycle, together with memory morphing, to enable privilege restriction and network segmentation. 

The good news is that even as manufacturers adapt to the challenging economic circumstances that they face today, proactive cybersecurity doesn’t have to break the bank. Additionally, implementing new practices could prove to be a vital competitive advantage, as recent high-profile breaches cause buyers to increasingly prioritize suppliers with proven security stacks that safeguard their own networks, too. 


Michael Gorelik is the CTO and Head of Threat Intelligence at Morphisec.

More in Cybersecurity