Emerging Threats in Industrial Sectors: Ransomware

2016 was a year in which ransomware increased exponentially and the opinions of experts suggest no indication that this is going to change. Ransomware has traditionally had more of an impact on IT environments, affecting OT environments only indirectly. This does not imply that attackers develop malware as KillDisk, used in BlackEnergy, which now is able to encrypt Linux systems, blocking all data stored in the computer and preventing the infected computer from starting. This evolution, in addition to the real cases detected, is starting to raise concerns among experts in the industrial sector.

Ransomware has been a recurring topic in conferences such as the S4 2017, where there were two sessions on ransomware incidents in industrial control systems, or at the RSA conferences held this year, where some researchers of the Georgia Institute of Technology published an investigation on LogicLocker, a ransomware capable of affecting certain PLCs. Prior to these sessions, in 2016, the security researcher Tim Gurganus explained at the event BSides Augusta how ransomware threats may affect the Healthcare sector, which has been one of the sectors worst affected by this type of attack. In addition to these events, the Cybercamp, held in December 2016 and organised by INCIBE, hosted a session to talk about ransomware in industrial control systems, with a practical example about an attack to an oil pipeline plant.

In order to fully understand the impact that ransomware may have on industrial control systems, it is important to be familiar with the definition of ransomware:

• Ransomware is malware whose mission is to restrict access to parts of the system or to files hosted within it. This type of malware comes with a ransom requested as a bargaining chip so that the victim may recover the data. Criminal organisations, attackers that work independently, etc. may be responsible for these types of infections. As is common in the case of any highly complex malware, identifying the possible origin of the infection is no easy task.

All ransomware families and their variants may be classified according to the three types of known ransomware based on their behaviour once the system has been infected:

• Locker Ransomware: It blocks the device affected preventing access to it. This type of blocking is usually associated with limiting the capacity of the victim's device, which means that the mouse may be disabled and the functionalities of the keyboard may have been reduced to only numerical typing to indicate the code of the payment made as a ransom.
• Crypto Ransomware: The purpose of this type of software is to prevent access to data and files by encrypting them. As in the case of locker ransomware, crypto ransomware comes with a message to enable payment to the attackers and retrieve the data, which may be extremely valuable.
• Ransomware in the MBR (Master Boot Record): This type of ransomware affects the start of hard disks, preventing them from starting properly, and it requests a ransom in order to turn control of the equipment back over to the owner. This type of ransomware is not as common as the others but we are seeing an increasing number of variants emerge.

- Example of ransomware which affects the MBR -

It is known that the worst affected sector by this type of threats is the health care sector, and that a large part of the problems was caused by the Locky ransomware. This ransomware used macros in Office suite documents and embedded JavaScript codes as an attack vector, infecting many hospitals trying to retrieve their data. What's more, Locky accounted the highest number of infections in the second half of 2016, which has placed it as the 5th most active malware, a position never before held by ransomware whose infection is not usually so virulent.

- Top 7 sectors worst affected by the ransomware Locky Source: Fireeye, LOCKY RANSOMWARE DISTRIBUTED VIA DOCM ATTACHMENTS IN LATEST EMAIL CAMPAIGNS -

Real Cases

Some recent cases of ransomware in control systems:

• February 2016, Hollywood Presbyterian Medical Center: Attackers used attached WORD 2007 files with macros (extension .DOCM), which were enabled by employees at the hospital. A sum of 6,000,000€ was requested to retrieve the data, which in this case was paid by the hospital. The service interruption caused disruption to patients, who had to be transferred to other hospitals.

Lessons learned

Do not enable macros of attached files if we are not sure whether their origin is safe.

• February 2016, German Hospitals: Several German hospital suffered a Locky ransomware infection. As in the previous case, this infection caused disruption to the normal operation of the hospital, even being forced to postpone some high-risk surgeries. In this case, the ransom required by the attackers was not paid and the systems could be restored thanks to the backups made prior to the infection.

Lessons learned

Access to a program for data recovery for these types of disasters which include backups of the systems allows for normal operation to be resumed in a short space of time

• March 2016, Ottawa Hospital: Ottawa Hospital (Canada) was affected by an infection caused by the WinPLock ransomware, which affected some 4 computers of the 10,000 owned by the hospital. Luckily, the infection did not spread to more computers and the infected ones were restored using restoration copies.

Lessons learned

The rapid detection of ransomware and the availability of backup copies prevented the spreading of the malware and allowed the restoration of the affected computers.

• April 2016, Michigan BWL: On 25 April, BWL, a water and power provider in the State of Michigan, detected abnormal activity in its systems due to infection by ransomware. It took a week to resume normal activity, and the company confirmed that the data of neither employees nor customers were affected.

Lessons learned

The creation of whitelists or the use of tools for the detection of abnormalities in the processes makes it possible to detect the execution of or attempts to execute malware or unauthorised applications.

• November 2016, BART (San Francisco Transport): Over 2,000 computers were compromised within the public transport system of San Francisco. The attacker, who was subsequently identified, requested a €65,882 ransom. This ransom was not paid but the infection forced the transport authority to provide services for free, as ticket machine services were down for 2 days.

Lessons learned

Staff awareness of social engineering and the use of corporate resources helps to prevent unwanted infections.

Although at present there is no specific ransomware which affects industrial devices, it is not even necessary for an infection to reach the field level devices. Affecting supervision level devices or general equipment with commercial operating systems could be enough to give rise to significant problems in industrial control systems. The impossibility of managing certain variables due to a loss of communication or availability of access would give rise to a halt of the process with its relevant associated losses.

Ransomware prevention and best practice

In addition to the lessons learned above, there are some other points which must be taken into account:

• Services
  • Use of public services such as INCIBE's Antiransomware Service of.
  • Visit the websites of initiatives or companies which provide solutions both for private individuals and for other companies, such as nomoreransom.org.

• Configurations and tools
  • Disabling of use of Javascript in programs used for document processing, such as PDF viewers.
  • Use of updated indicators of compromise and improved YARA rules for the detection of known threats.
  • Use of antiransomware tools where possible, such as Anti Ransom.
  • Configuration of anti-spam filters in firewalls, execution of programs and document processing in execution isolated environments, etc.