Dive Brief:
- Ransomware attacks increased 25% in Q1 2020 compared to Q4 2019, according to incidents recorded by Beazley Breach Response (BBR) Services, the breach response arm of cyber insurer Beazley.
- Manufacturing was hit the hardest, seeing a 156% quarter-on-quarter increase. While vendors and managed service providers were targets before, BBR found ransomware attacks targeting service providers for financial institutions and healthcare organizations spiked.
- In Q2, cybercriminals are ramping up phishing schemes and other tactics that seize on "the opportunities presented by the pandemic," according to the report. Common scamming strategies include COVID-19-related information, scam templates repurposed to include COVID-19, and spoofs of leading healthcare organizations, such as the Centers for Disease Control and Prevention and the World Health Organization.
Dive Insight:
The coronavirus pandemic was the leverage cybercriminals wanted. In a pandemic, everyone is a target.
Cybercriminals are "preying on people's heightened anxiety during this pandemic," said Katherine Keefe, head of BBR Services, in an email to CIO Dive. Newly-remote workers "may have weaker IT security than corporate networks typically provide."
It's a perfect storm for malicious actors.
In March, Beazley found total ransomware attacks increased 131% from 2018 to 2019. Nearly one-third of total ransomware attacks were targeting healthcare organizations.
When a medical research firm based in the United Kingdom was on deck for COVID-19 response, it was hit by the Maze ransomware. The operators behind Maze turn encrypting data into data breaches. When the medical firm "repelled" the attacks and restored its systems, the operators published the stolen data online.
But businesses outside of healthcare are feeling the heat too.
Supply chain-style attacks tunnel ransomware through a victim to infect an extended network. In March, the ransomware DoppelPaymer encrypted and then published data from a manufacturer for Tesla, Boeing and Lockheed Martin. In April, IT services provider Cognizant was hit by Maze. This month, REvil ransomware operators started auctioning off data stolen from an agricultural producer, a food distributor, and a law firm representing high-profile celebrities.
Most recently, Honda suffered a cyberattack, which was likely the Snake ransomware. Snake was identified near the end of 2019 but "the ransomware itself wasn't very sophisticated," Josh Smith, security analyst at Nuspire, told CIO Dive.
What makes Snake "interesting was that it had additional functionality programmed into it to forcibly stop processes, especially items involving Industrial Control Systems operations," he said.
Snake leveraged an internal domain for Honda, but "if a DNS request to the internal domain doesn't resolve, the sample wouldn't execute. This is similar to the attack on Fresenius who fell victim to Snake, where a DNS query to ads[.]fresenius[.]com resolved to a private IP," according to Smith.
The attack gauges Honda's overall cyber. Because Snake interrupted operations and factories globally, it indicates that Honda's network "may not be segmented and isolated in a way to prevent 'jumps' between different business functions," according to Chris Kennedy, CISO and VP of customer success, AttackIQ, in an email to CIO Dive. Manufacturers that isolate IT systems can prevent a spread.