Since at least 2017, the number of ransomware attacks against industrial companies and Operators of Vital Importance (OVI) has increased significantly.
WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and SNAKEHOSE (also known as Snake / Ekans): these ransomware names are only too well known and have cost victims from many sectors millions in ransoms and collateral damage.
These incidents have also greatly disrupted and slowed down the physical processes that allow these companies to produce and deliver goods and services.
Much has been said about the victims and the immediate consequences of ransomware campaigns launched against manufacturers.
But the public debate misses the point.
Where early attacks were opportunistic, cybercriminals have since moved to a two-step operating mode: first compromise the environment, then deploy the ransomware.
Hence an increase in reconnaissance operations aimed at identifying and targeting the systems essential to the production chain.
Whether they affect critical corporate network resources or OT network machines, ransomware infections often have the same consequences: delivery delays, product shortages, or service chain disruptions.
To fully understand the specificities of ransomware campaigns in the industrial sector, it is necessary to know this environment well and to have good visibility into both IT and OT systems.
This article invites you to discover how these new post-compromise ransomware campaigns have multiplied attackers’ nuisance capabilities with examples from our consulting engagements and threat research.
Post-compromise ransomware: the most dangerous scenario for manufacturers
Most traditional ransomware attacks rely on an indiscriminate, “all-out” approach: campaigns with no specific target, intended to infect as many victims as possible and encrypt their files and data.
The attackers then demand a ransom of between 500 and 1,000 dollars, hoping that as many victims as possible will comply.
While operational technology (OT) was often overlooked in early campaigns of this kind, the recent targeting of entire critical and industrial infrastructure shows that cybercriminals have taken a much more complex approach.
In these multi-step operations, attackers still often use widespread malware to gain initial access to their victim’s environment.
But once infiltrated, they will attempt to obtain privileged access rights to move laterally on the networks and identify critical systems.
Only once these targets are identified do they deploy their ransomware. This approach also lets attackers disable the security processes that would detect known ransomware indicators and behavior.
They cast a wider net hoping to hit critical systems, increasing the scale and effectiveness of their final offensive.
As a result, attackers are in a strong position to negotiate and demand much higher ransoms – usually commensurate with the perceived financial capacity of the victims and the value of the encrypted resources.
Historically, the impact of opportunistic attacks has often been limited to a few computers. Intermediate OT systems have been affected because they were accessible over the Internet, poorly segmented, or exposed to infected portable media.
2017 also saw campaigns like NotPetya and BadRabbit, which used data-destroying worms to disrupt business operations while masquerading as ransomware attacks.
Although campaigns like this pose a threat to industrial production, the adoption of post-compromise attack patterns has radically changed the game in several ways:
- Now that cybercriminals are aiming their attacks at specific sectors or companies, those for which high availability is essential (water and energy companies, hospitals, manufacturers, etc.) or which appear financially solid enough (judging by their turnover) to pay a ransom are more than ever in the line of fire. We are therefore witnessing a widening of the hunting ground of cybercriminals historically known for trading in marketable information (bank card numbers, customer data, etc.).
- By conducting reconnaissance, moving laterally through infiltrated networks, and deploying their ransomware on vital systems, cybercriminals put themselves in a position of strength for negotiations.
- More importantly, the modus operandi often employed by financially motivated attackers resembles that of sophisticated attackers in the early and middle stages of OT attacks. It can be inferred that these cybercriminals certainly have the wherewithal to deploy ransomware on intermediary OT systems to disrupt operations further.
Financially motivated cybercrime shows its force in OT environments
The damage ransomware does to a compromised organization depends on many factors, including its ability to cripple the systems critical to the victim’s core business.
It is therefore likely that seasoned attackers will gradually shift their focus from IT and business systems to the OT resources that monitor and control physical processes.
As proof, ransomware families like SNAKEHOSE were designed to run their payload after stopping a series of processes, including some industrial software from vendors like General Electric and Honeywell.
At first glance, SNAKEHOSE’s “kill list” seems to target OT environments due to the relatively small number of processes (including many processes related to operational technologies) identified using automated initial screening tools.
However, after manually extracting this list from SNAKEHOSE’s function responsible for stopping processes, we discovered that it targeted more than 1,000 of them.
We also found similar process kill lists in samples from other ransomware families like LockerGoga, MegaCortex, and Maze.
Unsurprisingly, all these code families have been involved in serious incidents suffered by manufacturers over the past two years.
The oldest OT process kill list we identified was a batch script deployed with LockerGoga in January 2019.
This list was similar to those used during the MegaCortex incidents, with a few notable differences, such as a typo in the name of an OT process that is absent from our SNAKEHOSE and MegaCortex samples: “proficyclient.exe4”.
The absence of this error in the SNAKEHOSE and MegaCortex samples suggests that one of the developers identified and fixed it when copying the OT processes from LockerGoga’s list.
Or did the LockerGoga author miscopy these processes from a possible common source, such as a publication on the dark web?
Regardless of which ransomware family first incorporated OT processes into a “kill list”, and regardless of the source of that list, its ubiquity across malware families shows that the list itself matters more than any single family that has appropriated it.
While the presence of OT processes in these lists may simply be the result of automated collection of process names from targeted environments, rather than the sign of a deliberate intent to target operational technologies, it de facto gives cybercriminals the ability to harm OT systems.
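The comparison above (extracting the image names from a batch-script kill list, spotting the “proficyclient.exe4” typo, and diffing one family’s list against another’s) can be reproduced with a short analysis script. The following is an added example written for this article, not code from the article’s authors or from any malware sample: the two batch scripts are constructed stand-ins whose process names (other than the typo discussed above and its assumed corrected form “proficyclient.exe”) are hypothetical placeholders, and OT_WATCHLIST is a hypothetical defender-maintained list of OT image names.

```python
import re

# Constructed sample "kill lists" in the batch-script form described in the article.
# Process names are hypothetical placeholders, not taken from any real sample;
# "proficyclient.exe4" is the typo discussed in the article and
# "proficyclient.exe" is its assumed corrected form.
LIST_LOCKERGOGA_STYLE = """
@echo off
taskkill /IM proficyclient.exe4 /F
taskkill /IM "sample_hmi_runtime.exe" /F
taskkill /IM sample_historian_svc.exe /F
taskkill /IM sample_backup_agent.exe /F
taskkill /IM sample_office_app.exe /F
"""

LIST_MEGACORTEX_STYLE = """
@echo off
taskkill /IM proficyclient.exe /F
taskkill /IM "sample_hmi_runtime.exe" /F
taskkill /IM sample_historian_svc.exe /F
taskkill /IM sample_backup_agent.exe /F
taskkill /IM sample_office_app.exe /F
taskkill /IM sample_engineering_ws.exe /F
"""

# Hypothetical watchlist of OT-related image names maintained by the defender.
OT_WATCHLIST = {
    "proficyclient.exe",
    "sample_hmi_runtime.exe",
    "sample_historian_svc.exe",
    "sample_engineering_ws.exe",
}

# Matches the image name passed to "taskkill /IM", quoted or not.
IM_RE = re.compile(r'/IM\s+"?([^\s"]+)"?', re.IGNORECASE)
VALID_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")


def extract_image_names(script_text):
    """Return the image names a batch kill list passes to taskkill, lower-cased, in order."""
    return [m.group(1).lower() for m in IM_RE.finditer(script_text)]


def malformed_names(names):
    """Names taskkill could never match because they do not end in a valid image extension."""
    return [n for n in names if not n.endswith(VALID_EXTENSIONS)]


def near_misses(names, watchlist):
    """Pair each name outside the watchlist with a watchlist entry it is a prefix-variant of.

    This is how a typo such as a stray trailing character shows up: the kill list
    intended to hit an OT process but the malformed name silently matches nothing.
    """
    pairs = []
    for name in names:
        if name in watchlist:
            continue
        for entry in watchlist:
            if name != entry and (name.startswith(entry) or entry.startswith(name)):
                pairs.append((name, entry))
    return sorted(pairs)


def compare_lists(names_a, names_b):
    """Set-diff two kill lists to see what one author added, dropped or corrected."""
    a, b = set(names_a), set(names_b)
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        "shared": sorted(a & b),
    }


def ot_overlap(names, watchlist):
    """Watchlist entries that the kill list would actually terminate."""
    return sorted(set(names) & watchlist)


if __name__ == "__main__":
    a = extract_image_names(LIST_LOCKERGOGA_STYLE)
    b = extract_image_names(LIST_MEGACORTEX_STYLE)
    print("malformed in A:", malformed_names(a))
    print("near misses in A:", near_misses(a, OT_WATCHLIST))
    print("diff A vs B:", compare_lists(a, b))
    print("OT processes hit by A:", ot_overlap(a, OT_WATCHLIST))
    print("OT processes hit by B:", ot_overlap(b, OT_WATCHLIST))
```

Running the script against a real sample’s extracted kill list (after replacing the constructed strings) gives an analyst three things at once: which OT processes the list would actually stop, which entries are dead because of copy errors, and what changed between two families’ lists, which is the evidence the comparison above rests on.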
Furthermore, as financially motivated actors grow more confident in their ability to harm the industrial sector,
Ransomware on IT and OT systems is a real threat to manufacturers.
As a direct consequence of the new post-compromise attack strategy and the increased interest of attackers in the industrial sector, ransomware has had a visible impact on industrial production, regardless of whether the malware was deployed on IT or OT systems.
The paralysis of servers and computers on IT networks has directly or indirectly disrupted the physical production processes controlled by OT networks.
The result: lost business due to shortages and delays in the delivery of products and services, incident response expenses, fines, reputational damage, and in some cases even payment of the ransom. In short, lasting financial losses. In the case of Operators of Vital Importance (OVI), such as energy and public service players, it.
Among the direct repercussions of the paralysis of IT networks on industrial production, the Norsk Hydro incident caused a stir.
In March 2019, disruptions to business process management systems (BPMS) forced many of the company’s sites to shut down all automation.
Among other damage, the ransomware also disrupted communications between IT systems used to manage production line resources.
The interruption of these information flows (on product stocks, in particular) forced the company’s employees to manually keep inventory registers for more than 6,500 references on 4,000 shelves.
FireEye Mandiant has responded to at least one similar incident at an oil rig builder.
There, TrickBot was used to deploy the Ryuk ransomware. Although only the corporate networks were infected, the immobilization of the Oracle ERP system nevertheless temporarily brought the company and its production to a halt.
Ransomware can cause the same damage when it infects computer resources in OT networks (human-machine interfaces, SCADA systems, engineering workstations, etc.).
Most of this equipment relies on standard software and operating systems, which exposes it to a wide variety of IT threats.
Confidential FireEye Mandiant sources report at least one case of a large-scale ransomware attack that forced a manufacturer to shut down its factory.
The poorly segmented facility network allowed the malware to spread from the corporate network to the OT network, where it encrypted servers, human-machine interfaces (HMIs), workstations, and backups.
To restore them, the manufacturer had to call on several suppliers.
As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued alert AA20-049A, which details how a post-compromise ransomware infection reached the communication and control systems of the OT network of a natural gas compressor station.
The impact on HMIs, data historians, and polling servers reduced not only the availability of the systems but also the visibility of the human operators. The company then had to cease operations for two days.
Protect IT and OT systems to mitigate the impact of ransomware
More organized and efficient than ever, ransomware attackers are driving up the operating costs of their victims.
Therefore, we encourage all companies to assess their security level and industrial risks in the face of a ransomware attack. Although each case is different, the recommendations below should help you prepare well for it and strengthen your defenses against other threats to your operations (crypto-jacking, for example).
- Conduct controlled simulation and Red Team exercises to assess your current level of security and your organization’s ability to respond to ransomware attacks. Typically conducted in non-production environments, these attack simulations will help you measure your incident response team’s ability to detect, analyze, and recover from such an attack. Reevaluate your needs considering the results of these exercises. As a rule, the regular organization of simulations raises the teams’ awareness and improves their effectiveness in the face of real incidents.
- Take stock of your operations, business processes, and workflows to identify the critical resources for the continuity of your industrial activity. Ensure as much redundancy as possible for all critical resources with a low tolerance for downtime. The level and type of redundancy vary from company to company: a risk diagnosis and a cost-benefit analysis will allow you to determine yours. But be careful to involve the business process managers and get the IT and OT teams to work together.
- Logically separate your primary and redundant resources using a network or host-based firewall, then harden their security (for example, by disabling services like SMB, RDP, and WMI, which are often used to propagate ransomware). In addition to creating policies that disable unnecessary remote and peer-to-peer connections, we recommend that you regularly audit all systems that may be hosting these services and protocols. Such an architecture is generally more resistant to security incidents.
- When establishing a rigorous backup plan, consider your backups’ security (and integrity). Anything critical should be kept offline or, at a minimum, on a separate network.
- Optimize your disaster recovery plans to shorten recovery times. Your plan should provide for alternate workflows (including manual ones) until you return to normal. These workflows are particularly essential for companies whose critical resources are little or not redundant. When restoring from backups, harden the security of the restored resources and your entire infrastructure to prevent recurrent ransomware infection and spread.
- Define everyone’s responsibilities and provide clear rules for managing OT network protection devices so that changes can be made immediately across the enterprise and segmentation remains effective while an ongoing intrusion is being contained.
- Track potential malicious activity on your intermediary systems – those networked servers and workstations that use standard protocols and operating systems. Even though these systems do not directly control physical processes, they are much more likely to harbor attackers.
- Every business is different. It has its own internal architecture and processes to meet the specific needs and expectations of its customers and other players in its ecosystem. Our recommendations should therefore be weighed in light of your infrastructure. For example, segmenting the network is highly recommended to reduce the spread of ransomware. However, under budgetary constraints, enterprises may resort to diversifying redundant resources, host-based firewalls, and security hardening measures in place of hardware firewalls.
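Tracking malicious activity on intermediary systems, as the recommendations above advise, can start from the one behavior every kill list described in this article shares: many unrelated processes on one host terminating within a few seconds. The script below is an added example written for this article, not code from the article’s authors or from any vendor product. It runs over constructed process-exit telemetry in a simplified key=value format (not real Sysmon or Windows event log output) and uses a hypothetical OT_WATCHLIST of image names; on a real deployment the parser would be replaced with one for your EDR or event-log export, and the window and threshold tuned to the host’s normal behavior.

```python
from datetime import datetime, timedelta

# Constructed process-exit telemetry in a simplified key=value format.
# eng-ws-01 shows six distinct images ending within three seconds (the pattern a
# kill list produces); office-pc-07 shows ordinary activity spread over minutes.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=eng-ws-01 event=process_terminated image=sample_hmi_runtime.exe
2024-03-01T08:00:01Z host=eng-ws-01 event=process_terminated image=sample_historian_svc.exe
2024-03-01T08:00:02Z host=eng-ws-01 event=process_terminated image=sample_backup_agent.exe
2024-03-01T08:00:02Z host=eng-ws-01 event=process_terminated image=sample_db_svc.exe
2024-03-01T08:00:03Z host=eng-ws-01 event=process_terminated image=sample_office_app.exe
2024-03-01T08:00:04Z host=eng-ws-01 event=process_terminated image=sample_engineering_ws.exe
2024-03-01T08:05:00Z host=office-pc-07 event=process_terminated image=sample_office_app.exe
2024-03-01T08:12:30Z host=office-pc-07 event=process_terminated image=sample_browser.exe
2024-03-01T08:40:10Z host=office-pc-07 event=process_started image=sample_browser.exe
"""

# Hypothetical defender-maintained list of OT-related image names.
OT_WATCHLIST = {
    "sample_hmi_runtime.exe",
    "sample_historian_svc.exe",
    "sample_engineering_ws.exe",
}


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_kill_bursts(log_text, window_seconds=10, min_distinct=5, watchlist=OT_WATCHLIST):
    """Alert on any host where >= min_distinct distinct images terminate inside one window.

    Returns one alert per host, describing the densest window found. Severity is
    raised when the terminated images include entries from the OT watchlist.
    """
    events_by_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "process_terminated":
            continue
        events_by_host.setdefault(rec["host"], []).append((rec["ts"], rec["image"].lower()))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, events in events_by_host.items():
        events.sort()
        best_start, best_images = None, set()
        # Sliding window: for each event as a window start, collect distinct images
        # terminated within window_seconds of it and keep the densest window.
        for i, (start_ts, _) in enumerate(events):
            images = set()
            for ts, image in events[i:]:
                if ts - start_ts > window:
                    break
                images.add(image)
            if len(images) > len(best_images):
                best_start, best_images = start_ts, images
        if len(best_images) >= min_distinct:
            ot_images = sorted(best_images & watchlist)
            alerts.append({
                "host": host,
                "window_start": best_start.isoformat(),
                "distinct_images": len(best_images),
                "ot_images": ot_images,
                "severity": "high" if ot_images else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG):
        print(alert)
```

The detection deliberately keys on the burst rather than on specific image names, since the article shows the lists differ between families and even carry typos; the watchlist only raises severity, so a host that loses its HMI and historian processes in one sweep is escalated ahead of an ordinary mass-exit event such as a reboot.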