The ransomware threat to UK manufacturers is currently at unprecedented levels, resulting in significant potential commercial, reputational and legal impact for those in this industry. Three dominant forces are at play: firstly, the industry's extended and vulnerable technical attack surface; secondly, its position within key supply chains underpinning the UK economy; and finally, its tendency to quietly pay large ransoms, which encourages the threat actors further. Without any short-term changes to these forces, it is likely that manufacturing will remain a key target for ransomware groups for the foreseeable future.
Those operating in this industry should exercise caution and be on high alert for attempted attacks. Consideration of proactive cyber security countermeasures, such as threat monitoring and detection, is recommended.
Current ransomware attack tactics result in wholesale encryption and theft of sensitive data, locking all users out of their devices and administrators out of servers. The effects are often catastrophic for these organisations, with production lines halted along with significant commercial, reputational and financial damage.
Black Room Intelligence is focused on protecting UK Manufacturing. Our third-party supply chain monitoring solution detects attacks against your third parties. Our Russia and Asia Desks include analysts with significant language and geopolitical expertise, with the cybersecurity knowledge to follow ransomware trends and developments.
Black Room Intelligence has observed ransomware attacks against manufacturing organisations of all sizes, from small organisations to those with thousands of employees.
Threat actors are targeting a wide range of manufacturing companies, from those specialising in military equipment to food services. Recently, an alleged ransomware attack was conducted by RansomHub, a Russian threat actor, against Racal Acoustics, a company with over 100 employees which develops communications and hearing protection for military applications. [1] [2]
UK manufacturers specialising in equipment and electronics are some of the most affected by ransomware attacks, with food and drink manufacturers being the third largest sector targeted by ransomware threat actors. [3]
To date, the most prolific ransomware threat actors targeting UK manufacturing are Black Basta and Lockbit. However, since an international law enforcement operation, the majority of Lockbit's infrastructure has been seized, reducing the pace of their operations.
Both groups are Russian speaking and are primarily financially motivated. These threat actors specifically target English-speaking countries, suggesting a potential political agenda. These two threat groups alone have compromised nine UK manufacturing companies this year. Other financially motivated ransomware groups targeting UK manufacturers include Ransomhub, INC Ransom and Blacksuit.
Black Basta has targeted five UK manufacturing companies so far in 2024, with one breach allegedly leading to the exfiltration of 750GB of stolen data. In some cases, this stolen data is published on the dark web blogs of various threat actors. Since the group began compromising systems through ransomware attacks, manufacturing has been a key target for Black Basta. A significant 28% of all ransomware attacks conducted by Black Basta were against manufacturing companies.
Out of all the companies compromised by Lockbit, the manufacturing industry is the most affected sector, with 102 compromises out of a total of 655 Lockbit-related ransomware incidents, representing 16% of all compromises. Findings show that the majority of ransomware attacks against industrial organisations in 2023 were conducted by Lockbit. [4]
The methods of initial access used by Black Basta and other ransomware groups that target manufacturing vary. The main strategy that Black Basta uses in ransomware campaigns is spear-phishing, where a highly targeted email is sent to an individual. This email may include a malicious link or attachment which downloads a zip file; once it is extracted, a trojan establishes backdoor access and a connection to a command-and-control server.
The threat actor will then move laterally and eventually deploy the ransomware variant. [5] Black Basta and other ransomware threat actors offer financial incentives to insiders within a target organisation, often recruiting the individual via an illicit dark web forum. Ransomware groups may also exploit known vulnerabilities if systems are not kept up to date. Finally, these threat actors may gain access to a company network by buying credentials from initial access brokers.
Tactically, UK manufacturers are strongly advised to assess the ransomware threat and proactively engage Cyber Threat Intelligence organisations, such as Black Room Intelligence, to monitor and alert for any emerging threats directed at the organisation, its supply chain or its staff.
Through training and awareness, employees should be aware of the targeted techniques the ransomware gangs employ to gain access to an organisation’s systems, such as targeted spear-phishing email campaigns.
Mid-term, organisations are recommended to review their current cybersecurity posture and engage in incident response planning in the event of a cyber incident, such as a ransomware attack. Manufacturers have diverse and disparate information systems supported by a deep supply chain, all of which increases their attack surface. As a result, manufacturers should conduct reviews of this large attack surface and consider corresponding security controls.
Black Room Intelligence has a specific focus on protecting UK organisations and provides an extensive third-party monitoring solution to detect and mitigate attacks against third parties. Our Russia and Asia Desks include analysts with significant language and geopolitical expertise, with the cybersecurity knowledge to follow ransomware trends and developments.
Lockbit – Appearing in January 2020, Lockbit is a financially motivated Russian cybercriminal group which offers ransomware as a service. According to a joint statement authored by multiple government agencies, this group was the world’s most prolific ransomware group in 2022. [6] Lockbit infrastructure has since been significantly impacted by an international effort named ‘Operation Cronos’. [7]
Black Basta – First observed in April 2022, Black Basta is a Russian-speaking, financially motivated ransomware group. The group uses a highly targeted approach and targets organisations in the construction and manufacturing industries; the group also targets other critical infrastructure, including the health sector. [8]
Ransomhub – A financially motivated ransomware group that has rapidly expanded operations since February 2024. It is thought to be a rebrand of the previous “Knight” ransomware group; the group may therefore consist of proficient threat actors, despite being relatively new. [9]
INC Ransom – A ransomware group that began operations in July 2023. The group conducts itself like other ransomware threat actors by stealing victim data and threatening to leak this data online if a ransom is not paid. The group carefully selects its targets and mainly attacks corporate entities. [10]
Blacksuit – A ransomware group that emerged in April/May of 2023. The group is financially motivated and conducts ransomware attacks against a variety of targets, including against the healthcare and education sectors. There are no public affiliates, meaning this group does not offer ransom as a service. [11]
Ransom as a service – A cybercrime service where veteran ransomware operators create software that affiliates pay to use, relying on the technical aptitude of more experienced ransomware threat actors. [12]
1. Racal Acoustics Ltd (INVISIO’s UK subsidiary) - recent Cyber Incident. INVISIO. 2024 June 24. Available from: https://corp.invisio.com/news-and-events/press-releases/2024-06-24-racal-acoustics-ltd-invisio-s-uk-subsidiary-recent-cyber-incident
2. Racal Acoustics Ltd. ADSGroup. 2023. Available from: https://www.adsgroup.org.uk/members/racal-acoustics-ltd-2/
3. Food manufacturers top three for ransomware attacks. Foodmanufacture. 2023 August 3. Available from: https://www.foodmanufacture.co.uk/Article/2023/08/03/food-manufacturers-top-three-for-ransomware-attacks
4. Industrial ransomware attacks spike, manufacturing most hit. SCMagazine. 2024 February 21. Available from: https://www.scmagazine.com/brief/industrial-ransomware-attacks-spike-manufacturing-most-hit
5. #StopRansomware: Black Basta. IC3. 2024 May 10. Available from: https://www.ic3.gov/Media/News/2024/240511.pdf
6. Understanding Ransomware Threat Actors: LockBit. CISA. 2023 June 14. Available from: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
7. The NCA announces the disruption of Lockbit with Operation Cronos. National Crime Agency. 2024 February 20. Available from: https://www.nationalcrimeagency.gov.uk/the-nca-announces-the-disruption-of-lockbit-with-operation-cronos
8. Threat Profile: Black Basta. HC3. 2023 March 15. Available from: https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
9. RansomHub: New Ransomware has origins in older Knight. Symantec. 2024 June 5. Available from: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware
10. Dark Web Profile: INC Ransom. SOCRadar. 2024 January 24. Available from: https://socradar.io/dark-web-profile-inc-ransom/
11. BlackSuit. SentinelOne. 2024. Available from: https://www.sentinelone.com/anthology/blacksuit/
12. Ransomware As A Service (RAAS) Explained How It Works & Examples. Crowdstrike. 2023 January 30. Available from: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/