Ransomware families that affects ICS

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.

Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack and they can also terminate critical system processes so that they can encrypt files associated with these applications in an effort to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.

There are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.

While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.

In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.

In the case of the second list, only used by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe the list has been expanded based on the attackers’ reconnaissance activity conducted in victim networks.

The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.

“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision,”.

“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.

The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.

The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for low fee

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s