CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Seven Ransomware Families Target Industrial Software

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.

Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack and they can also terminate critical system processes so that they can encrypt files associated with these applications in an effort to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.

According to FireEye, there are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.

While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.

“We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT,” FireEye explained. “While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.”

In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.

In the case of the second list, only used by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe the list has been expanded based on the attackers’ reconnaissance activity conducted in victim networks.

The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.

Advertisement. Scroll to continue reading.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision,” FireEye said.

“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.

The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.

The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for a fee of $250,000 in bitcoin.

Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption

Related: Honda Ransomware Confirms Findings of Industrial Honeypot Research

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.