The Next Disruptive ICS Attacker: A Ransomware Gang?

OT networks often rely on Windows systems for various ICS applications including HMIs, historians, and data gateways. Beyond that, they also commonly rely on Windows systems to run associated IT-networks.

A successful ransomware deployment into either of these networks may prevent engineers from controlling plant operations and lead to an unplanned shutdown. This creates an immediate cost on the organization due to lost productivity. In the worst case, unplanned shutdowns may lead to physical failures that can damage equipment, potentially endangering lives in the process. The downtime from such an event could also span many months depending on the system. Specialized industrial equipment often cannot be replaced with existing components and take months to produce.

How THE MALWARE is Deployed

Ransomware may find its way onto an ICS network through a variety of sources. As with any other organization, it may start with phishing attacks targeting employees. Phishing will typically attempt to either install malware or steal remote access credentials. Another common technique is for an attacker to compromise an industry website and implant malware or exploits. When unsuspecting engineers browse to or load software from this site, the attacker gains access to their system in what is known as a watering hole attack. The attacker can move laterally from a point of infection and deliver ransomware to critical targets.

Exploits targeting VPN portals or other externally exposed IT infrastructure may also provide a beachhead for a ransomware deployment. This is what happened at a manufacturing plant in Italy earlier this year when it was infiltrated through a vulnerable FortiGate VPN server. The attackers exploited CVE-2018-13379 to obtain credentials and then accessed a Windows system through the VPN. Next, Mimikatz was used to obtain other credentials and move laterally through the network until a Domain Admin account was compromised. The Domain Admin privileges were then used to disseminate Cobalt Strike malware. Once sufficient access was obtained, the ransomware itself was deployed to the compromised hosts. In addition to encrypting files, the malware disabled services to disrupt backups and remote maintenance. With the encryption complete, the malware left a note demanding two bitcoin as a ransom to restore data access.

How to Avoid Ransomware Attacks

The best way to avoid this scenario is to employ security best practices including vulnerability management. Attackers often scan the Internet for targets rather than identify a target and scan its network space. Considering this reality, low-hanging fruit vulnerabilities will likely attract unwanted attention. Network admins especially need to stay on top of vulnerabilities in externally exposed systems such as VPN portals and mail gateways. It is also important to strengthen internal security by limiting VPN access and restricting access between unrelated servers. A good practice is to make sure that users have the minimum permissions needed to do their job. Users should not have access to systems unless there is a business need.

Perhaps in response to organizations getting better at recovery, several prominent ransomware gangs have adjusted their strategy to include data theft as a second opportunity for extortion. Stolen data may be sold to the highest bidder or used in a private shakedown. This attack strategy has been tested on traditional IT networks and is now increasingly making its way into the ICS space. For an industrial or manufacturing plant, stolen data may include confidential manufacturing specifications, bid details, or personnel records.

The evolving threat posed by ransomware gangs requires organizations to step up their game or else risk catastrophe.

Read more in The Next Disruptive ICS Attacker Series:

The Next Disruptive ICS Attack: 3 Likely Sources for Major Disruptions

The Next Disruptive ICS Attacker: A Disgruntled Insider?