Ransomware has been widely recognized for years as the scourge of business, industry, and the public sector, with the manufacturing sector being hit as hard as any other. However, as common as reports of high-profile attacks have become, IT, security, and business leaders may not realize just how bad the impact is.
Companies are being targeted by ransomware not just once but repeatedly, with many suffering data loss and shutdowns, according to Semperis’ recently released 2024 Ransomware Risk report. According to the study, 83 percent of organizations in the manufacturing sector have been targeted by ransomware in the past 12 months. Of the organizations targeted, 42 percent suffered data loss and 30 percent had to take all systems offline.
The results for manufacturing reflected overall numbers in the study, in which 74 percent of organizations reported being attacked multiple times over the 12-month period, often within the same week. And although 67 percent of manufacturing and utility companies reported paying ransoms multiple times—and a quarter of them paid four or more times—33 percent said they either did not receive a decryption key from the ransomware operators, or they received a corrupted key. So even after agreeing to ransom demands, they did not immediately recover their systems.
The Real Costs
Ransomware attacks have become familiar news, but the constant barrage of attacks has not been widely acknowledged. Likewise, reports have often overlooked the long-term impacts of those attacks, which include plant closures, loss of revenue, worker layoffs and loss of insurance.
A successful attack has lingering effects, starting with the time and effort it takes to recover systems. In the study, 49 percent of organizations said it took one to seven days to recover minimal functionality, and 12 percent said it took longer than seven days. Thirty-three percent said it took five hours to one day, and only six percent said they had minimal functionality within five hours.
Leaders may not accurately assess the actual costs of ransomware. As a result, they are lagging in building robust operational resilience plans that could help them recover more quickly and mitigate long-term costs.
Ransomware attacks begin with access, which itself starts with compromising identities. In today’s highly digitized environments, identity systems are the perimeter, offering threat actors a large attack surface. For most companies, that attack surface involves Microsoft Active Directory (AD), the primary identity management tool for 90 percent of organizations. Yet relatively few companies have dedicated plans for recovering AD.
Most companies in the study said they had identity recovery plans, but only 31 percent of manufacturing companies had dedicated AD backup plans. Because AD is tied to almost everything a company does, attackers who gain access to AD can move laterally, escalate privileges and gain access to an organization’s most sensitive data. And in today’s sophisticated, coordinated ransomware environments, where threat actors share information and can easily purchase ransomware-as-a-service (RaaS) kits, multiple attackers could have access at the same time.
Building Resilience
Business, security and IT leaders not only need to adopt an “assume breach” mindset, but they should go a step further and assume constant breach. Once ransomware operators gain access, they can—and do—launch multiple attacks, regardless of whether a ransom has been paid.
As the study shows, trying to pay your way out of a ransomware attack doesn’t work, since it doesn’t deter subsequent attacks. Some attackers, in fact, aren’t after money but are looking simply to sow disruption. And paying a ransom doesn’t undo the long-term damage of a successful attack; some organizations never fully recover from one.
Instead, organizations need to focus on operational resilience, which can help them protect and recover systems and give them the wherewithal to refuse demands for ransom payments. A few essential steps to achieving resilience include:
- Make ‘Assume Breach’ Part of the Culture. Increasingly, attacks are not singular incidents—they come in volleys, one after the other. An “assume breach” mindset can help grease the wheels with leadership when making critical cyber investments in defenses such as continuous monitoring and detection and response. It can also help an organization prioritize risks, focusing first on protecting its most critical assets.
- Develop Robust Recovery Plans. Prevention is important, but with a mindset that assumes breaches, a strategy for recovering from an attack is essential. A recovery plan should focus initially on mission-critical systems that business operations can’t do without. A good example is AD, which attackers often use to get their foot in the door and is foundational to most day-to-day business operations. In addition to applications, recovery plans must address the infrastructure used by those applications. Organizations need to implement robust, dedicated recovery plans detailing how long it will take to restore applications such as AD and infrastructure. Backups should be stored offline whenever possible to prevent threat actor tampering and to help speed recovery.
- Perform Detailed Attack Path Analyses. Once a plan is in place, it’s vital to protect it from unwanted changes and ensure it’s ready when needed. Teams can make use of defense-focused attack path analysis tools that map the backup and recovery components, assess which users have access to those components, and define who should have access and what their roles should be. They can then monitor the environment for any anomalies or unauthorized changes to that baseline.
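The last two steps above boil down to a concrete, repeatable check: record which principals are supposed to hold which role on each identity recovery component (backup share, restore host, offline media), then compare that signed-off baseline against what the environment actually shows and escalate any drift. The Python below is an added example written for this article; it is not code from the article, from Semperis, or from any product. Component names, principals, roles and both access snapshots are constructed sample data, and the role vocabulary (`read`, `write`, `admin`) is an assumption standing in for whatever ACL model a real backup system exposes.

```python
"""Added example (not from the article or the Semperis report): detect drift
in who can touch Active Directory backup and recovery components.

A baseline records, per component, which principal should hold which role.
A current snapshot (in practice pulled from share ACLs, host local groups or
the backup product's RBAC) is diffed against it. Unexpected privileged
access is ranked high because an attacker who can write to or administer
the recovery path can tamper with the backups; a principal that has
*lost* expected access is ranked medium because it can stall recovery.
All names and snapshots below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# component -> {principal: role}; "read" | "write" | "admin" is an assumed vocabulary
Access = Dict[str, Dict[str, str]]

PRIVILEGED_ROLES = {"write", "admin"}

# Constructed baseline: what the signed-off recovery plan says access should be.
BASELINE: Access = {
    "AD-backup-share": {
        "CORP\\adbackup-svc": "write",           # hypothetical backup service account
        "CORP\\AD-Recovery-Admins": "read",      # hypothetical recovery team group
    },
    "AD-restore-host": {"CORP\\AD-Recovery-Admins": "admin"},
    "offline-media-vault": {"CORP\\AD-Recovery-Admins": "read"},
}

# Constructed current snapshot with three kinds of drift planted in it.
CURRENT_SNAPSHOT: Access = {
    "AD-backup-share": {
        "CORP\\adbackup-svc": "write",
        "CORP\\AD-Recovery-Admins": "read",
        "CORP\\helpdesk-tier1": "write",         # planted: unexpected write access
    },
    "AD-restore-host": {
        "CORP\\AD-Recovery-Admins": "admin",
        "CORP\\svc-monitoring": "admin",         # planted: unexpected admin access
    },
    "offline-media-vault": {},                   # planted: recovery team lost access
}


@dataclass(frozen=True)
class Finding:
    component: str
    principal: str
    kind: str                 # "unexpected" | "missing" | "role_changed"
    expected: Optional[str]   # role in the baseline, None if not listed there
    actual: Optional[str]     # role in the current snapshot, None if absent


def diff_access(baseline: Access, current: Access) -> List[Finding]:
    """Return every difference between the baseline and the current snapshot."""
    findings: List[Finding] = []
    for comp in sorted(set(baseline) | set(current)):
        expected = baseline.get(comp, {})
        actual = current.get(comp, {})
        for principal, role in sorted(actual.items()):
            if principal not in expected:
                findings.append(Finding(comp, principal, "unexpected", None, role))
            elif expected[principal] != role:
                findings.append(Finding(comp, principal, "role_changed", expected[principal], role))
        for principal, role in sorted(expected.items()):
            if principal not in actual:
                findings.append(Finding(comp, principal, "missing", role, None))
    return findings


def severity(f: Finding) -> str:
    """Rank drift by its effect on the recovery path."""
    if f.kind == "unexpected" and f.actual in PRIVILEGED_ROLES:
        return "high"          # someone outside the plan can alter backups
    if f.kind == "role_changed" and f.actual in PRIVILEGED_ROLES \
            and f.expected not in PRIVILEGED_ROLES:
        return "high"          # a read-only principal was escalated
    if f.kind == "missing":
        return "medium"        # recovery team may be locked out when needed
    return "low"


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[severity(f)] += 1
    return counts


def report(baseline: Access, current: Access) -> List[str]:
    """Human-readable lines, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = sorted(diff_access(baseline, current),
                      key=lambda f: (order[severity(f)], f.component, f.principal))
    return [f"[{severity(f).upper():6}] {f.component}: {f.principal} {f.kind} "
            f"(baseline={f.expected}, now={f.actual})" for f in findings]


if __name__ == "__main__":
    for line in report(BASELINE, CURRENT_SNAPSHOT):
        print(line)
    print(summarize(diff_access(BASELINE, CURRENT_SNAPSHOT)))
```

Run on a schedule, the same diff gives the "monitor for unauthorized changes" step its alert feed: an empty result means the recovery path still matches the plan, and any high finding is a signal that the backups themselves may no longer be trustworthy and should be verified before they are relied on.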
Armed with sophisticated tools and backed by a network of other threat actors, ransomware operators are likely to increase their attacks on organizations in practically every sector, including manufacturing. And paying ransoms doesn’t necessarily resolve an attack or keep attackers from returning. Organizations need to shore up defenses and focus on robust recovery plans that can give them the ability to survive an attack while limiting the damage.