
Seven Ransomware Families Target Industrial Software

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.


Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack, and they can also terminate critical system processes so that they can encrypt the files associated with these applications. The goal is to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.

According to FireEye, there are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.

While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.

“We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT,” FireEye explained. “While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.”

In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.

In the case of the second list, only used by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe the list has been expanded based on the attackers’ reconnaissance activity conducted in victim networks.


The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.


“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision,” FireEye said.

“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.

The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.

The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for a fee of $250,000 in bitcoin.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
