The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences.
The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company’s internal network, encrypting critical data and knocking servers out of operation for almost two days.
“A cyber threat actor used a spear-phishing link to obtain initial access to the organization’s information technology network before pivoting to its operational technology network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks,” CISA noted in its alert.
As ransomware attacks continue to escalate in frequency and scale, the new development is yet another indication that phishing attacks continue to be an effective means to bypass security barriers and that hackers don’t always need to exploit security vulnerabilities to breach organizations.
CISA highlighted that the attack did not impact any programmable logic controllers (PLCs) and that the victim did not lose control of its operations. But in the aftermath of the incident, the company is reported to have initiated a deliberate operational shutdown, resulting in a loss of productivity and revenue.
Noting that the impact was limited to Windows-based systems and assets located in a single geographic locality, it said the company was able to recover from the attack by getting hold of replacement equipment and loading last-known-good configurations.
Although the notification is lean on the specifics of the attack, this is not the first time phishing links have been employed to deliver ransomware. Lake City’s I.T. network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot Trojan and Ryuk ransomware.
images from Hacker News