Ransomware activity doubles in transportation and shipping industry

Ransomware activity continues to increase globally despite efforts by businesses to boost their cybersecurity. While some industries have doubled or tripled their protection, others are still vulnerable and are finding themselves being targeted by cybercriminals.

According to The Threat Report: Fall 2022 from Trellix’s Advanced Research Center, the third quarter of 2022 has seen ransomware activity double in the transportation and shipping industry. The report includes evidence of malicious activity linked to ransomware and nation-state-backed advanced persistent threat (APT) actors. It examines malicious cyber activity including threats to email, and the malicious use of legitimate third-party security tools.

The transportation and shipping industry, one of the most affected industries during the pandemic, has seen ransomware activity increase 100% every quarter in the US alone. Globally, the transportation industry was the second most active sector (following telecom). APTs were also detected in transportation more than in any other sector.

Germany generated the most threat detections related to APT actors in Q3 (29% of observed activity). The country also had the most ransomware detections, which rose 32% in Q3 and generated 27% of global activity.

The report also showed that, among the threat actors that emerged in Q3, the China-linked Mustang Panda was the most detected threat indicator, followed by Russian-linked APT29 and Pakistan-linked APT36. Phobos, a ransomware sold as a complete kit in the cybercriminal underground, which had avoided public reports until now, accounted for 10% of global detected activity and was the second most used ransomware detected in the US. LockBit continued to be the most detected ransomware globally, generating 22% of detections.

Trellix also observed that the Microsoft Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 were the most exploited among malicious emails received by customers during Q3. Apart from that, Trellix saw Cobalt Strike used in 33% of observed global ransomware activity and in 18% of APT detections in Q3. Cobalt Strike, a legitimate third-party tool created to emulate attack scenarios to improve security operations, is a favorite tool of attackers who repurpose its capabilities for malicious intent.

Q3 also saw financial services (20%) as the sector most impacted by malicious emails. This was followed by State and Local Government (13%), Manufacturing (12%), Federal Government (11%), and Services & Consulting (10%). Trojans also comprised 83% of the top 5 most utilized attack categories detected in malicious emails in Q3 2022.

“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups. This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyber threat actors and their methods has never been greater,” commented John Fokker, Head of Threat Intelligence at Trellix.