2016 was a year in which ransomware grew exponentially, and expert opinion gives no indication that this is going to change. Ransomware has traditionally had more of an impact on IT environments, affecting OT environments only indirectly. This does not mean, however, that attackers are not developing malware such as KillDisk, used in BlackEnergy, which is now able to encrypt Linux systems, locking all data stored on the computer and preventing the infected computer from starting. This evolution, together with the real cases detected, is starting to raise concerns among experts in the industrial sector.
Ransomware has been a recurring topic at conferences such as S4 2017, where there were two sessions on ransomware incidents in industrial control systems, and at the RSA conference held this year, where researchers from the Georgia Institute of Technology presented an investigation into LogicLocker, a ransomware capable of affecting certain PLCs. Earlier, in 2016, security researcher Tim Gurganus explained at BSides Augusta how ransomware threats may affect the healthcare sector, which has been one of the sectors worst hit by this type of attack. In addition to these events, Cybercamp, held in December 2016 and organised by INCIBE, hosted a session on ransomware in industrial control systems, with a practical example of an attack on an oil pipeline plant.
In order to fully understand the impact that ransomware may have on industrial control systems, it is important to be familiar with the definition of ransomware:
- Ransomware is malware whose purpose is to restrict access to parts of the system or to files hosted on it. It demands a ransom as a bargaining chip in exchange for which the victim may recover the data. Criminal organisations, attackers working independently, etc. may be behind these infections. As with any highly complex malware, identifying the possible origin of the infection is no easy task.
All ransomware families and their variants may be classified into three known types according to their behaviour once the system has been infected:
- Locker ransomware: It locks the affected device, preventing access to it. This type of locking usually limits the capabilities of the victim's device: the mouse may be disabled and the keyboard reduced to numerical input only, so that the victim can type in the code of the ransom payment.
- Crypto ransomware: The purpose of this type of software is to prevent access to data and files by encrypting them. As with locker ransomware, crypto ransomware displays a message with payment instructions so that the victim can pay the attackers and retrieve the data, which may be extremely valuable.
- MBR (Master Boot Record) ransomware: This type of ransomware overwrites the boot sector of the hard disk, preventing the system from starting properly, and requests a ransom in order to return control of the equipment to its owner. It is not as common as the others, but an increasing number of variants are emerging.
Figure: example of ransomware which affects the MBR.
Figure: top 7 sectors worst affected by the Locky ransomware (source: FireEye, "Locky ransomware distributed via DOCM attachments in latest email campaigns").
Some recent cases of ransomware in control systems:
- February 2016, Hollywood Presbyterian Medical Center: Attackers used attached Word 2007 files with macros (extension .DOCM), which were enabled by employees at the hospital. A sum of 6,000,000€ was requested to retrieve the data, which in this case was paid by the hospital. The service interruption affected patients, who had to be transferred to other hospitals.
Do not enable macros in attached files if we are not sure that their origin is safe.
- February 2016, German hospitals: Several German hospitals suffered a Locky ransomware infection. As in the previous case, the infection disrupted the normal operation of the hospitals, which were even forced to postpone some high-risk surgeries. In this case, the ransom demanded by the attackers was not paid, and the systems were restored from backups made prior to the infection.
Having a data recovery programme for these types of disasters, including system backups, allows normal operation to be resumed in a short space of time.
- March 2016, Ottawa Hospital: Ottawa Hospital (Canada) was affected by the WinPLock ransomware, which infected some 4 of the 10,000 computers owned by the hospital. Fortunately, the infection did not spread to more computers, and the infected ones were restored from backup copies.
The rapid detection of ransomware and the availability of backup copies prevented the spreading of the malware and allowed the restoration of the affected computers.
- April 2016, Michigan BWL: On 25 April, BWL, a water and power provider in the State of Michigan, detected abnormal activity in its systems caused by a ransomware infection. It took a week to resume normal activity, and the company confirmed that neither employee nor customer data was affected.
Creating whitelists or using tools that detect anomalies in processes makes it possible to detect the execution of, or attempts to execute, malware or unauthorised applications.
- November 2016, BART (San Francisco Transport): Over 2,000 computers were compromised within the public transport system of San Francisco. The attacker, who was subsequently identified, requested a €65,882 ransom. This ransom was not paid, but the infection forced the transport authority to provide services for free, as the ticket machines were down for 2 days.
Staff awareness of social engineering and of the proper use of corporate resources helps to prevent unwanted infections.
Although at present there is no ransomware specifically targeting industrial devices, an infection does not even need to reach the field-level devices to cause harm. Affecting supervision-level devices, or general-purpose equipment running commercial operating systems, could be enough to cause significant problems in industrial control systems. Being unable to manage certain variables, because of a loss of communication or of access, would bring the process to a halt, with the associated losses.
Ransomware prevention and best practice
In addition to the lessons learned above, there are some other points which must be taken into account:
- Configurations and tools
- Use of up-to-date indicators of compromise and improved YARA rules for the detection of known threats.
- Use of anti-ransomware tools where possible, such as Anti Ransom.
- Configuration of anti-spam filters in firewalls, execution of programs and processing of documents in isolated environments, etc.
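As an added example (not code from the original article or from INCIBE), the following Python script implements the attachment check behind the lesson from the Hollywood Presbyterian case (macro-enabled .DOCM attachments) and the document-filtering measure in the list above: it opens an Office Open XML attachment as the ZIP container it is, flags the presence of a VBA project, and quarantines macro-enabled documents even when they have been renamed to a harmless-looking extension. The sample documents are constructed in memory, and the function names `inspect_attachment` and `build_sample_document` are my own.

```python
# Added example, not code from the original article: a mail-gateway style check
# that flags macro-enabled Office attachments such as the .DOCM files used in the
# Locky campaigns. Office Open XML files are ZIP containers; a document carrying
# VBA macros holds a 'word/vbaProject.bin' part and declares the macro-enabled
# content type in '[Content_Types].xml'. Sample documents are built in memory.
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_TYPE = ("application/vnd.openxmlformats-officedocument"
             ".wordprocessingml.document.main+xml")


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return macro indicators for one attachment plus a quarantine verdict.
    Any VBA project is quarantined regardless of extension: a .docm renamed
    to .docx defeats filters that only look at the file name."""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "declares_macro_type": False, "extension_mismatch": False,
              "quarantine": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result  # a ZIP, but not an Office Open XML package
            result["is_ooxml"] = True
            result["has_vba"] = MACRO_PART in names
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_macro_type"] = MACRO_TYPE in ctypes
    except zipfile.BadZipFile:
        return result  # not a ZIP at all (e.g. plain text or legacy OLE2 .doc)
    macro_ext = filename.lower().endswith((".docm", ".dotm"))
    result["extension_mismatch"] = result["has_vba"] and not macro_ext
    result["quarantine"] = result["has_vba"] or result["declares_macro_type"]
    return result


def build_sample_document(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word file."""
    main_type = MACRO_TYPE if with_macros else DOCX_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types><Override PartName='
                    f'"/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:  # constructed stub standing in for a real VBA project
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()
```

Run on real mail, the same check should be applied to every attachment before it reaches a user's mailbox, with quarantined files only ever opened in an isolated environment.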