Factories in ASEAN hardest hit with ransomware in 2023

The manufacturing sector in ASEAN was the most targeted industry for ransomware extortion in 2023 as Palo Alto Networks’ Unit 42 saw a 49% increase globally in multi-extortion ransomware attacks over 2022.

The latest report from Unit 42 is based on a study of 3,998 leak site posts from various ransomware groups. Leak sites are platforms where threat actors publicly disclose stolen data as a means of coercing victims into paying ransom.

Of the 3,998 leak site posts from 2023 globally, LockBit ransomware remains the most active, with 928 organisations accounting for 23% of the total. 

LockBit was also the most active group in ASEAN (before the recent law enforcement disruption of LockBit). At least 25 new ransomware leak sites were observed in 2023, of which Akira led the way.

Steven Scheurmann, regional VP for ASEAN at Palo Alto Networks, said manufacturing’s shift towards more digitised and integrated IoT processes makes them prime targets for cyberattacks as hackers are always seeking out new opportunities to infiltrate internal systems.

Scheurmann said the consequences of not prioritising security on the factory floor can have detrimental knock-on effects on the business.

“Any production halt caused by a cyber threat activity can be very expensive and disruptive,” he said. “It can also result in the loss of highly valuable trade secrets such as IPs and technical know-hows, to the market, thus losing any competitive edge the organisation might originally have had.”

Scheurmann added that factories need to prioritise securing their high-tech equipment and networks, as well as their digital connections with any supply chains. 

Unit 42 analysed more than 600 incidents from 250 organisations, going beyond ransomware leak site posts into the overall casework volume. While phishing has historically been a popular tactic with attackers, the report found that it is declining.

Phishing’s share of initial access incidents dropped from one-third in 2022 to just 17% in 2023. This indicates a potential de-prioritisation of phishing as cybercriminals adapt to more technologically advanced and efficient infiltration methods. 

More advanced threat actors are moving away from traditional and interactive phishing campaigns to less noticeable and possibly automated methods of exploiting system weaknesses and pre-existing credential leaks.

Findings also show that there has been a discernible rise in the exploitation of software and API vulnerabilities. Exploiting such vulnerabilities accounted for 38.6% of the initial access points in 2023, up from 28.2% in 2022.

Also, in 93% of incidents, threat actors took data indiscriminately rather than searching for specific data. This is up from 2022, when 81% of cases involved non-targeted data theft. 

In 2021, it was even lower at 67%. The surge points to a growing trend among cybercriminals who seem to be casting a wider net, gathering any data they can access rather than expending effort to locate and extract particular datasets.

In addition, while the rate of harassment and other extortion tactics with regard to ransomware has remained steady over the past few years, the rate of harassment in cases where payments were made has jumped by 27 times since 2021.

Further, in 2023, median ransom demands increased from $650,000 to $695,000 (up by 3%) but median payouts decreased from $350,000 to $237,500 (down by 32%). This can potentially be attributed to organisations calling in incident response teams with negotiation capabilities, which fewer did in the past.