IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

One in seven ransomware extortion attacks leak critical OT data

Mandiant discovered data including usernames and passwords, IP addresses, and operator panels

Cyber security company Mandiant has found one in seven double-extortion ransomware attacks are  leaking sensitive information that could provide access to physical systems.

The company found data stolen from ransomware victims related to operational technology (OT) systems, which are responsible for managing physical processes ranging from manufacturing equipment to energy distribution.

Data discovered included usernames and passwords for OT systems, IP addresses, remote services, asset tags, original equipment manufacturer (OEM) information, operator panels, and network diagrams.

This information, available for anyone to download from the dark web, renders companies more valuable to attack.

"Data from extortion leaks may provide sophisticated actors with information on targets, while limiting their exposure to defenders and cost of operations," the company said, adding that they can use it to makes it easier to launch more precise attacks with a higher impact.

In the study, Mandiant employees downloaded information stolen from ransomware victims and uploaded to 'shaming' sites after victims refused to pay up.

The company identified 1,300 extortion leaks released by ransomware groups in 2021 involving companies likely to use OT systems. It downloaded 70 of these leaks and analyzed the dumps looking for sensitive information.

Data discovered included in-depth network and process documentation for two oil and gas companies, including diagrams and spreadsheets. Mandiant's team also found names, user privileges, and passwords for IT, plant maintenance, and operations employees at a hydroelectric energy company.

Even file sets that did not contain critical OT data often contained administrative data spanning employees, finance, customers, and legal documentation, the company said.

Mandiant used its own publicly available FlareVM Windows-based penetration testing and malware analysis virtual machine for the analysis, along with Autopsy, an open-source tool for digital forensics.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

OT attacks are rife, according to recent research. In November, Skybox Security revealed that 83% of critical infrastructure companies have suffered at least one OT-related cyber breach in the last three years.

Last month, the Federal Bureau of Investigation (FBI), Cyber Security and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) warned critical infrastructure companies to be on the lookout for attacks from Russia. The advisory detailed OT attacks as a particular danger.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Costa Rica declares state of emergency following Conti ransomware attack
ransomware

Costa Rica declares state of emergency following Conti ransomware attack

10 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022