A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.
Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack and they can also terminate critical system processes so that they can encrypt files associated with these applications in an effort to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.
According to FireEye, there are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.
While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.
“We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT,” FireEye explained. “While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.”
In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.
In the case of the second list, only used by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe the list has been expanded based on the attackers’ reconnaissance activity conducted in victim networks.
The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.
Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision,” FireEye said.
“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.
The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.
The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for a fee of $250,000 in bitcoin.
Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption
Related: Honda Ransomware Confirms Findings of Industrial Honeypot Research