
Utility Companies Face 42% Increase in Ransomware Attacks

Ransomware groups are focusing on utilities more than ever, with the sector facing a 42% increase in attacks over the past year, according to ReliaQuest.

In its latest report, Uncovering Critical Cyber Threats to Public Services, published on December 10, the American cybersecurity company shared its findings on cyber threats to the utility sector between November 1, 2023 and October 31, 2024.

The report shows that the increase in ransomware is driven by cybercriminals shifting their focus to businesses that need to manage a mix of IT and operational technology (OT) systems.

In dark web forums, initial access brokers (IABs), ransomware operators and other cybercriminals are increasingly talking about the compromise of industrial systems.

These conversations include detecting exposed supervisory control and data acquisition (SCADA) systems or selling access to a zero-day vulnerability exploit for an Internet of Things (IoT) system that controls OT devices using industrial control protocols.

The report mentions that Play, currently one of the largest ransomware-as-a-service (RaaS) cartels, was particularly interested in targeting utilities.

Utility companies named by ransomware group compared to overall industry average. Source: ReliaQuest

After LockBit, Play (aka PlayCrypt) ramped up its attacks on utilities in 2024 like no other group, marking a 233% increase in successful attacks.

This attraction to utility companies is explained by their need to always be operational and, therefore, their potential willingness to pay the ransom more quickly.

“The possibility of malicious actors gaining access to OT systems is likely a major concern for utility security teams. Discussions on cybercriminal forums about researching and targeting these systems, as well as selling access to them, are particularly disconcerting,” the report reads.

Initial access: spear phishing largely dominates

The significant dominance of spear phishing in the total number of cyberattacks during the reporting period suggests that ransomware groups are specifically targeting public services.

According to GreyMatter data from ReliaQuest, 81% of true positive alerts from utility customers involved spear phishing – a significantly higher share than the 23% seen across all industries during the same period.

“This trend is likely explained by the unusual position of utility employees, who often have access to both IT and operational technology (OT) environments,” the report states. “Given their existing infrastructure and the critical need to avoid downtime, OT systems typically have weaker cybersecurity defenses. This means that attackers can use spear phishing to more easily exploit these vulnerabilities.”

Domain impersonation, credential exposure and open ports

Domain spoofing is the leading technique used by cyberattackers to compromise their targets in the utility sector, accounting for 57% of all true positive alerts, up from 48% during the same period last year.

Percentage of ReliaQuest GreyMatter alerts for the utility sector. Source: ReliaQuest

This technique is followed by credential theft and open ports.

“During the current reporting period, open ports accounted for 9% of all true positive alerts among our customers, compared to 7% in the same period last year. Additionally, open ports ranked fourth in frequency for both periods, showing that this attack vector remains popular with malicious actors,” the report adds.

Cyber forecasting for the utilities sector

Another threat to public services, state-sponsored attacks, was best exemplified by the Chinese group Volt Typhoon, accused by US federal agencies of carrying out disruptive and destructive cyberattacks against US critical national infrastructure (CNI).

ReliaQuest believes that with the new Donald Trump administration’s hawkish stance toward China and its proposals to impose high tariffs on Chinese goods, it is very likely that Beijing will allow groups like Volt Typhoon to intensify their offensive operations against American public service providers.

Other ReliaQuest forecast evaluations for the utility sector include:

  • An increased Iranian threat to US public services amid Trump’s support for Israel
  • Water companies in danger as OT hacktivism continues to evolve
  • New cyber threat opportunities offered by the transition to renewable energy
