Furthermore, researchers specializing in Industrial Control Systems (ICS) and Operational Technology (OT) security noted that ransomware has become a major threat to the manufacturing sector, which may be more sensitive to downtime compared to other sectors 23 . Another finding that corroborates the fact that ransomware has become a major concern for manufacturing organizations is the recent discovery that seven prominent ransomware strains – EKANS (or Snake), DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and Clop - have incorporated into their malware “kill lists” that have the ability to shut down ICS and industrial software-related processes (among others). This could potentially disrupt the operations of targeted victims. The number of ICS-related processes incorporated into these ransomware strains’ “kill lists” ranges from merely a couple of dozens to up to 150 ICS processes (in the case of Clop Ransomware) 24 . The targeting of ICS networks is more commonly associated with more advanced, nation-state actors, since they are known to be the type of threat actors with the required skills and knowledge to perform disruptive attacks. Some of the most notorious attacks against ICS networks, such as Stuxnet, Triton/TRISIS, and Industroyer, were attributed to state-sponsored actors 25 . In addition, ICS security researchers track five prominent ICS-focused groups targeting the manufacturing sector, and most of them are believed to be states-sponsored 26 . According to a sample of the activities of nation-state actors detected in the course of 2020 by Microsoft, it appears the government and defense sector was the industry in which nation-state APT groups (originating from Iran, North Korea, South Korea and China) showed the most interest. This sector is also one of the top six targeted industries by ransomware gangs according to our analysis 27 . It is noteworthy that various researchers in the cyber security community have highlighted the transition ransomware strains and the gangs operating them have recently made, to become more technically advanced and sophisticated, predicting they would continue to adopt “APT techniques” 28 . Others also noted that ransomware attacks have recently displayed the “hallmarks of state-sponsored activity”, and predicted that state-sponsored threat actors may use ransomware as a cover to masquerade their end game (whether it be espionage, physical disruption or even destruction) 29 . https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/ https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/; https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html https://www.zdnet.com/article/manufacturing-is-becoming-a-major-target-for-ransomware-attacks/ https://securelist.com/ics-threat-predictions-for-2021/99613/ https://blog.scadafence.com/snake-/-ekans-ransomware-nation-state-attackers-deploy-ot-oriented-malware https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_ Whitepaper_10_12_20.pdf https://www.dragos.com/blog/industry-news/manufacturing-sector-cyber-threats/ 29. 26. 27. 24. 23. 28. 25. 23 | The Ransomware Landscape