Ransomware Has Outsized Impact on Gas, Energy & Utility Firms

When ransomware targeted the city of Dallas, Texas last year, it took down city services, the municipal water utility's ability to bill and read meters, and emergency services. The city required more than a month to bring all its systems back online.

Dallas is not alone. In 2023, two-thirds of critical infrastructure operators (67%) in the oil, energy, and utility sectors suffered a ransomware attack, compared to 59% of all industries, according to a survey by Sophos. In addition, attacks on those critical-infrastructure sectors affected an average of 62% of systems, far higher than the 49% of systems across all industries impacted during a ransomware attack.

In fact, the groups collectively tie healthcare as the second-most impacted sectors, with only federal government agencies impacted more often, says Chester Wisniewski, global field CTO at Sophos.

"This sector needs to recognize this as a serious risk and position themselves to not be so vulnerable to ransom demands," he says. "This isn't impossible work. Ultimately it's about getting the basics right, just like in previous years."

Critical infrastructure sectors have been perennial favorites of ransomware gangs, dating back to the Colonial Pipeline incident and even earlier. Ransomware cases in the industrial sector almost doubled between 2022 and 2023 to 1,484 attacks, from 804 incidents, according to data from the NCC Group, a cybersecurity consultancy.

The industrial sector — under which critical-infrastructure companies fall — manages essential services, and disruptions can have severe consequences, prompting quick ransomware payments, says Ian Usher, associate director of threat intelligence operations and service innovation for the NCC Group.

"Organizations that provide a public service or support critical infrastructures are more attractive for ransomware attacks because they face external pressure to restore operations," he says.

What Makes a Successful Industrial Ransomware Attack?

Most ransomware attacks against companies in the critical-infrastructure sectors of oil, energy and utilities succeeded through exploiting software vulnerabilities, which accounted for 49% of successful attacks versus 35% the previous year, according to Sophos's report. Compromised credentials (27%) and malicious emails (14%) rounded out the top-3 vectors.

A critical measure is how often an attack led to data being encrypted. In 2023, eight in 10 attacks resulted in encrypted data, the same as the previous year, but significantly higher than the previous two years, says Sophos' Wisniewski.

"This is worrying," he says. "These numbers should be improving as the adoption of extended detection and response (XDR) and managed detection and response (MDR) is becoming increasingly common."

The impact of ransomware attacks are often brutal for businesses. The average respondent in Sophos's survey required more than a month to recover. For the first time, more companies paid the ransom (61%) than used backups for recovery, even while the median payment jumped to $2.54 million. The average cost of recovery from an incident topped $3 million in 2023, matching the previous year. (Note, while Sophos's report is labeled 2024, the data is from 2023, so Dark Reading uses the latter year.)

Don't Be The Low-Hanging Cyber Fruit

Organizations that fail to adopt simple technologies, such as multi-factor authentication (MFA), and fail to keep up with software updates, will likely find themselves targeted not just once, but multiple times, says Sophos' Wisniewski.

While the high rate of ransom payments really stood out this year, organizations should no longer consider paying cybercriminals as a solution, he says.

"There isn't a way to buy your way out of situations like a ransomware attack," Wisniewski says. "In rare cases, the payment can expedite recovery, but it is the exception, not the rule ... You are almost guaranteed not to get all of your files back, and you will still need to rebuild ... your systems."

The government needs to help set cybersecurity standards for the critical infrastructure sectors, says NCC Group's Usher. Currently, under the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022, critical-infrastructure operators are required to report significant cyber events within 72 hours and disclose ransom payments within 24 hours, he says.

"The government can...ensure consistent cybersecurity standards across critical infrastructure," he says. "A continued lack of alignment will only serve to create an ever more complex Web of rules. This will likely be counterproductive to delivering better cyber resilience, and contribute to the problem of cybersecurity compliance becoming a 'tick box' exercise."