Critical infrastructure sectors in the US suffered a wave of ransomware attacks in 2021, according to new data collected by the FBI’s Internet Crime Complaint Center.
The FBI’s annual Internet Crime Report, released Tuesday, detailed the incident types most frequently reported to the bureau’s Internet Crime Complaint Center (IC3) over the past year, including ransomware, business email compromise (BEC) and the illegal use of cryptocurrency. While all three crime types generated high returns for threat actors, ransomware posed the top threat to critical infrastructure organizations, with an alarming 649 complaints.
The FBI said it began tracking reported ransomware incidents in critical sectors in June. Two notable ransomware attacks occurred between May and June: one against Colonial Pipeline Co., which disrupted US gas supplies, and one against meat processing company JBS Foods.
The report highlighted a total of 16 sectors “whose assets, systems and networks, whether physical or virtual, are deemed so important to the United States that their decommissioning or destruction would have a debilitating impact on public health, safety and other critical elements”.
“Of the 16 critical infrastructure sectors, IC3 reports showed that 14 sectors had at least one member that fell victim to a ransomware attack in 2021,” the report said.
Healthcare and public health topped the list with 148 reported ransomware incidents. Financial services ranked second with 89 attacks. The IT sector recorded 74 ransomware victims, and critical manufacturing was not far behind with 65 reported incidents. Similar numbers were found in Dragos’ Year in Review 2021 report, which cited growing concerns about ransomware attacks on the manufacturing sector.
Phishing emails, Remote Desktop Protocol (RDP) exploits, and software vulnerability exploits “remained the top three vectors for initial intrusion,” according to IC3. The report also linked the prevalence of these vectors to the increased use of remote work and schooling.
Three primary ransomware-as-a-service gangs were responsible for most attacks: Conti, LockBit, and REvil. Each ransomware group appeared to have preferred targets, according to the IC3 report.
“Conti has most frequently victimized the critical sectors of manufacturing, commercial facilities, and food and agriculture. LockBit has most frequently victimized the government, healthcare and public health, and financial services sectors. REvil/Sodinokibi most frequently victimized the financial services, information technology, and healthcare and public health sectors,” the report said.
BlackBerry researchers also observed a strong link between ransomware and attacks on critical infrastructure over the past year. BlackBerry’s 2022 threat report singled out Conti for its attacks on manufacturing and healthcare providers in the United States, Japan, and Europe.
REvil, which was behind the JBS Foods attack, was shut down this year, but Conti and LockBit remain a major threat to this day, as do ransomware attacks on critical infrastructure sectors.
“The IC3 anticipates an increase in victimization of critical infrastructure in 2022,” the report said.
Last week, President Joe Biden tightened disclosure deadlines for cyberattacks on critical industries. He signed a federal law requiring critical infrastructure companies to report a cyberattack within 72 hours and a ransom payment within 24 hours.
Although critical infrastructure companies suffered significant losses from ransomware attacks in 2021 — more than $49.2 million, according to the IC3 report — phishing was the most common cybercrime observed by the FBI in 2021. The report cited an increase over the past five years. During a panel at the SecureWorld conference in Boston earlier this month, US Secret Service financial fraud investigator Stephen Dougherty said that even “seasoned victims fall for phishing attacks.”
According to the report, while data breaches increased slightly between 2020 and 2021, extortion decreased. Broken down by victim losses, BEC was the main culprit with losses in excess of $2 billion. One reason cited was the evolution of BEC attacks, which now “use virtual meeting platforms to hack email and forge corporate executives’ credentials to initiate fraudulent transfers.” The FBI noted that these transfers were “often immediately transferred to cryptocurrency wallets and quickly distributed, complicating recovery efforts.”
Similarly, Dougherty, who specializes in BEC crimes, said the funds are going straight into cryptocurrency and threat actors are investing that money straight back into their programs. During the panel, he estimated that the number of BEC attacks in 2021 would be “alarming.” The IC3 report now confirms this.
“They’re getting better phishing kits, they’re getting more sophisticated, they’re getting better money launderers,” he said during the panel. “They even customize their attacks and recruit specific people to improve their attacks. For example, if they attack a German company and see a bunch of emails in German that they hacked, they recruit a German speaker to write a well-crafted email to launch their BEC attacks.”
For ransomware attacks, IC3 offered mitigation recommendations, including keeping systems updated, implementing user training and phishing awareness exercises, and securing and monitoring RDP.
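To make the “monitoring RDP” recommendation concrete, the following is an added example of the kind of detection a defender might run over Windows logon events; it is not code from the IC3 report or the FBI. It assumes a simplified, constructed line format (timestamp, event ID, logon type, source address, account) rather than the real Security event XML, and the failure threshold and sliding window are assumed values that a real deployment would tune. Event 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is the type recorded for interactive RDP sessions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real log output), format:
# timestamp|event_id|logon_type|source_ip|account
# 203.0.113.7 fails five times against different accounts, then succeeds;
# 198.51.100.20 is a user mistyping a password once; 10.0.0.5 is a local
# (logon type 2) failure that an RDP rule should ignore.
SAMPLE_LOG = """\
2021-06-01T02:00:01|4625|10|203.0.113.7|administrator
2021-06-01T02:00:03|4625|10|203.0.113.7|admin
2021-06-01T02:00:05|4625|10|203.0.113.7|backup
2021-06-01T02:00:07|4625|10|203.0.113.7|svc_rdp
2021-06-01T02:00:09|4625|10|203.0.113.7|jsmith
2021-06-01T02:00:12|4624|10|203.0.113.7|jsmith
2021-06-01T09:15:00|4625|10|198.51.100.20|mwilson
2021-06-01T09:15:30|4624|10|198.51.100.20|mwilson
2021-06-01T09:20:00|4625|2|10.0.0.5|kiosk
"""

FAIL_THRESHOLD = 5              # assumed: failed RDP logons per source before alerting
WINDOW = timedelta(minutes=5)   # assumed: sliding window for counting failures
RDP_LOGON_TYPE = 10             # RemoteInteractive


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event_id, logon_type, src_ip, user = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src_ip": src_ip,
        "user": user,
    }


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for sources that exceed `threshold` failed RDP logons
    inside `window`, and for any RDP success from a source already flagged."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()                 # sources that already crossed the threshold

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue   # only interactive RDP logons matter for this rule

        recent = failures[ev["src_ip"]]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()

        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src_ip"] not in flagged:
                flagged.add(ev["src_ip"])
                alerts.append({
                    "kind": "rdp_bruteforce",
                    "src_ip": ev["src_ip"],
                    "ts": ev["ts"],
                    "failures": len(recent),
                })
        elif ev["event_id"] == 4624 and ev["src_ip"] in flagged:
            # A success from a source that was brute-forcing is the
            # highest-priority signal: the attacker likely has a foothold.
            alerts.append({
                "kind": "rdp_success_after_bruteforce",
                "src_ip": ev["src_ip"],
                "ts": ev["ts"],
                "user": ev["user"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run as-is it flags 203.0.113.7 once for the burst of failures and again for the success that follows it, while the single mistyped password and the local logon produce nothing. One caveat when applying this to real hosts: with Network Level Authentication enabled, failed RDP pre-authentication is commonly logged with logon type 3 rather than 10, so a production rule should count both types and key on the source network address field of the 4625 event.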