A team of researchers at Temple University in Philadelphia has presented a project named CIRWA (repository of critical infrastructure ransomware attacks) that aims at tracking ransomware attacks on critical infrastructure worldwide.
The project was launched in September 2019 and as of August 2020, the experts collected 680 records of ransomware attacks that took place since November 2013. The maintainers of the project also mapped the attacks to the MITRE ATT&CK framework.
“In September 2019, we started a repository of Critical Infrastructures Ransomware Attacks (CIRWAs). These are based on publicly disclosed incidents in the media or security reports.” reads the project description. “This repository (version 10.2) now has 687 records assembled from publicly disclosed incidents between November 2013 and August 2020.”
Anyone can request access to the data by compiling this form.
For each ransomware attack, the researchers collected a broad range of information, including the targeted organization, data of the attack, the date when the attack started, location of the targeted organization, duration of the attack, the ransomware family, the ransom amount, the payment method, industry, whether the amount was paid, and the source of the information.
According to the summary findings related to the period 2013-2020, the most targeted critical infrastructures are government facilities, followed by education and healthcare. The threat actor most active against critical infrastructure are the Maze ransomware operators, while the typical duration of a ransomware attack is of 1 week or less, and the most commonly demanded ransom amount is $50,000 or less.
Exerts pointed out that there are 13 known incidents where the ransomware operators demanded more than $5 million.
Data collected by the researchers are very interesting and very useful for future research projects on the security of the critical infrastructure.
The researchers highlighted the importance of the contribution from the security community, anyone could submit info related to attacks to CIRWA using this form.
(SecurityAffairs – hacking, ransomware)