Ransomware posing rising threat to operational tech in industrial businesses

News by Mark Mayne

A gradual increase in adversaries’ internal reconnaissance skills and abilities has enabled them to target systems that are vital to support the chain of production.

Attackers are evolving their use of ransomware to deliver knockout blows to businesses' operational technology (OT), the systems that enable organisations to produce and deliver goods and services.

The move from opportunistic “shotgun” attacks - where an attacker indiscriminately spreads campaigns containing malware to encrypt files and data - towards a more sophisticated post-compromise approach should sound alarm bells for business, according to FireEye Mandiant Consulting researchers. 

Researchers found that attackers are increasingly abandoning the shotgun approach in favour of a stealthier one involving credential theft, internal reconnaissance and lateral movement, privilege escalation and the deletion of backups before the ransomware payload is finally triggered. In addition, the company’s separate 2020 M-Trends report found that ransomware as a whole is on the rise, with 29 percent of attacks motivated by direct financial gain (including extortion, ransom, card theft, and illicit transfers).

“FireEye Mandiant has seen organisations largely improving their level of cyber-security sophistication, but combatting the latest threats is still a huge challenge for them,” said Jurgen Kutscher, executive vice president of service delivery at FireEye. “There are more active groups now than ever before and we’ve seen an aggressive expansion of their goals. Consequently, it’s crucial for organisations to continue building and testing their defences.”

The researchers detail a gradual increase in adversaries’ internal reconnaissance skills and abilities, which has enabled them to target systems that are vital to support the chain of production. 

“Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production,” said the researchers in a blog post.

The major development as a result of this evolution is that threat actors will increasingly tailor their attacks to target companies with high-availability requirements such as public utilities, hospitals, and industrial manufacturing, as well as higher-revenue companies that can theoretically afford to pay ransoms. In addition, the tactics, techniques, and procedures (TTPs) involved mirror those of highly skilled financial crime actors, making it likely that financial crime specialists will pivot to deploying ransomware in OT intermediary systems.

A key piece of evidence is the adoption of a ‘kill list’ within ransomware families including SNAKEHOSE, LockerGoga, MegaCortex, and Maze, which contains a list of processes to stop before the ransomware payload is triggered. This list is increasingly tailored to target OT assets, with the latest SNAKEHOSE ransomware stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. 

“The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post”, extrapolated the researchers. 
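The kill-list behaviour described above has a simple defensive signature: a burst of terminations of OT-related processes, all driven by the same parent, shortly before encryption starts. The following Python detector is an added example written for this article, not code from FireEye Mandiant or any of the ransomware families discussed. It runs over a constructed process-termination log in a made-up `<timestamp> PROCESS_TERMINATED <image> parent=<image>` format (not real Sysmon or EDR output); `proficyclient.exe` is the one process name taken from the article, and the other three OT process names are hypothetical placeholders.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# proficyclient.exe is named in the article (the LockerGoga list carried it
# with a trailing "4" typo); the other three names are constructed placeholders
# standing in for OT software, not real vendor process names.
OT_PROCESSES = {
    "proficyclient.exe",
    "ot_historian_svc.exe",
    "hmi_runtime.exe",
    "plc_bridge.exe",
}

# Constructed log format for this example only; not a real EDR/Sysmon schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) PROCESS_TERMINATED (?P<proc>\S+) parent=(?P<parent>\S+)$"
)

# Constructed sample: four OT processes killed by one cmd.exe within two seconds
# (the kill-list pattern), one unrelated termination, and a routine stop hours later.
SAMPLE_LOG = """\
2019-01-15T02:14:01 PROCESS_TERMINATED ot_historian_svc.exe parent=cmd.exe
2019-01-15T02:14:01 PROCESS_TERMINATED hmi_runtime.exe parent=cmd.exe
2019-01-15T02:14:02 PROCESS_TERMINATED proficyclient.exe parent=cmd.exe
2019-01-15T02:14:02 PROCESS_TERMINATED plc_bridge.exe parent=cmd.exe
2019-01-15T02:14:03 PROCESS_TERMINATED notepad.exe parent=explorer.exe
2019-01-15T09:30:00 PROCESS_TERMINATED hmi_runtime.exe parent=services.exe
"""


def parse_events(text):
    """Parse log lines into (timestamp, process, parent) tuples, oldest first.
    Malformed or blank lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["proc"].lower(), m["parent"].lower())
        )
    events.sort(key=lambda e: e[0])
    return events


def detect_kill_list(events, window=timedelta(seconds=30), threshold=3):
    """Return one alert per burst in which at least `threshold` distinct OT
    processes are terminated under the same parent within `window`.
    A single routine service stop never reaches the threshold, so it is ignored."""
    alerts = []
    recent_by_parent = {}
    for ts, proc, parent in events:
        if proc not in OT_PROCESSES:
            continue
        q = recent_by_parent.setdefault(parent, deque())
        q.append((ts, proc))
        # drop terminations that fell out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append(
                {
                    "parent": parent,
                    "start": q[0][0],
                    "end": ts,
                    "processes": sorted(distinct),
                }
            )
            q.clear()  # one burst produces one alert, not one per extra kill
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_kill_list(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(
            f"kill-list burst from {alert['parent']} between {alert['start']} "
            f"and {alert['end']}: {', '.join(alert['processes'])}"
        )
```

The detector keys on the parent process because a kill list is executed from one script or binary, whereas legitimate maintenance stops tend to come from the service manager one at a time; the threshold and window are tuning knobs, and the OT process set should be built from an inventory of the plant's own software rather than from names in a public report.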

FireEye’s separate 2020 M-Trends report highlighted that malware authors are innovating fast, with 41 percent of malware families detected in 2019 being entirely new, and with 70 percent of the samples identified belonging to one of the five most frequently seen families, which are based on open source tools with active development. However, some things haven’t changed: the majority of new malware families impacted either just Windows or multiple platforms...
