Industrial cyber security has gone through the paces by attackers, and we continue to see permutations of older malicious techniques and the addition of new threats or strategies as it evolves further. Whether for extortion of money, disruption, or even as a vector to hide one’s tracks, ransomware in OT environments is a very painful experience for the victim of a successful attack. Just ask Maersk, Mondelez and Honda.
As with every cyber security risk or threat, it needs to be understood, clarified, deconstructed, and mitigated. The purpose of this blog is to answer these common questions about ransomware
- What is ransomware?
- How does ransomware work?
- Why is ransomware used and what are the potential impacts?
- How does ransomware affect operating technology (OT) specifically?
- What you can do to minimize the risk and impact of ransomware?
Now without the doom and gloom, or hacker in hoodie cyber security scare tactics, onwards we go.
What is ransomware?
Ransomware is a type of malicious software (aka malware) that isn’t easy to label as one single type of malware due to it possessing multiple attributes (e.g., a worm or virus), but rather by it’s objective: to make systems unusable through encryption, spread, and to extort money/cryptocurrency for the cure or even to blackmail the victim to prevent the disclosure of sensitive data.
In many cases, ransomware attacks are not strategic in their target selection, are indifferent to whom they target, and can be very opportunistic. Think of it as a group of criminals: they usually prey on the weak, and their victims are often forced to pay a protection fee or suffer the consequences.
In some cases, ransomware is used by more focused adversarial groups to target a specific organization and cause large-scale disruptions or costly downtimes.
It is important to note that ransomware is not new (e.g., AIDS trojan scam in 1989), but the increased preference of use by attackers as an easy way to scam large audiences is a growing concern. Between 2017 and 2018, ransomware usage grew by over 229%, and unfortunately, it is a risk that is here to stay.
Some of the most well-known forms of ransomware include WannaCry (known for exploiting Windows vulnerabilities), NotPetya (an evolvement from Petya ransomware, which targets Microsoft Windows systems to encrypt the hard drive’s file system to prevent reboot functionality), and Ruyk (which leverages manual hacking techniques and open-source tools to move laterally through private networks in order to gain administrative access to as many systems as possible before encrypting files).
How does ransomware work?
Ransomware is not a single tool that has a single function. In fact, it has several components that take advantage of multiple vulnerabilities in a system or organization, exploit them, then proceeds to encrypt files rendering a system unusable while requesting payment, and even look for further vulnerable hosts to attack. These components are generally a: dropper, encrypter, and decryptor.
Generally speaking, ransomware finds its way into a vulnerable system, compromises it (via the dropper), then activates other worm-like functionality to raise the numbers of infected systems while encrypting files (the encryptor), and then waits for payment/decryption (decryptor). The more systems infected, the higher the impact on the victim and the more likely the “ransom” will be paid.
In other cases, more criminal-driven actors manage to get privileged access to infrastructure such as an Active Directory (AD) server and use management channels to distribute group policy objects (GPO) that install ransomware on the managed systems.
Obviously, privileged access requires more hands-on activity by the actor, but it causes greater levels of impacts that might increase the likelihood of payment or sheer economic disruption for a nation-state target.
Why is ransomware used and what are the impacts of ransomware?
Ransomware has roots in the scam and extortion criminal world, but by nature, it can also be used to target larger asset owners and organizations or to mask other activities that might be more devious.
Let’s first look at why ransomware is so prevalent today as an attack vector in OT environments:
- Most ransomware takes advantage of older, unpatched vulnerabilities. When there is a huge supply of commodity exploits, there is little need to create new ones.
- Ransomware often exploits network-based insecurities to gain access (e.g., through RDP) but spreads from endpoint to endpoint. Compensating controls, system hardening, vulnerability management, and other techniques such as network isolation all play a critical role in reducing the impact and spread of an attack.
- Ransomware is often very effective because many organizations are insufficiently protected. Companies that are not protected against ransomware have non-existent or incomplete backups, the little capability to restore quickly, and inadequate endpoint protection to prevent commodity malware or attacks. This is even more true on legacy systems as commonly seen in industrial and operating technology environments
- Sometimes ransomware payment is required to restore operations (despite principle) because the organization is GREATLY unprepared for an attack despite decades of well-understood best practices.
- Humans are often unknowingly participants in a cyber-related attack. They regularly fall for phishing scams, so email or clicking attachments/downloads presents a great (and easy) way to compromise an organization.
- The Internet and services stacked upon it (e.g., the Internet, or remote access) raise the ease of selecting a target. The economics of this type of attack are in the favor of the attacker.
Of course, there are other aspects that make ransomware attacks so prevalent such as the nature of cryptocurrency, but the key thing to keep in mind is that they often exploit:
- Phishing, and downloads
- Leverage older vulnerabilities that often have patches or compensating options
- Holes in network security (exposed systems or services)
- Adjacent networked hosts and segments
- Lack of validated backups and poor restorative processes
In the traditional enterprise Informational Technology (IT) world, ransomware is especially devastating when trying to keep businesses operating with tight dependencies on data and transactions. This ranges from denying access to a paid service, accounts payable, email, or more.
On the other hand, in Operational Technology (OT) or critical infrastructure environments (especially where there are IT systems providing OT services or an organization that has both IT and OT), ransomware lays waste to swaths of poorly protected systems or results in collateral damage (e.g., encryption and loss of utility of an HMI would render a loss of visibility event, that would result in either manual control or a complete shutdown of the process that it was monitoring).
So far to date, few, if any, ransomware attacks specifically targeted OT systems, but rather targeted organizations that had OT systems, and relied on IT to provide OT the means to operate/generate revenue.
What are the impacts of ransomware in OT/ICS cyber security?
In OT, regardless if OT is specifically a target of ransomware (which so far has stuck to traditional commodity IT systems such as Windows, Linux, or Apple/Macs), the potential impacts might be as follows:
- Windows-based infrastructure is compromised, and functionality is denied (e.g., no file servers, no AD, no HMIs, etc.)
- Infrastructure that is greatly dependent on information feeds such as orders or logistics are often based on data, but drive operational technology production. Without a suitable alternative (e.g., paper), the production may halt or be unable to ship.
- Disclosure of trade or process secrets may be a consequence of ransomware extortion (paid or not!)
- Costs to recovery ARE IN ADDITION to the costs of disruption. In other words, the cost to return to business as usual may be magnitudes greater than intended because it’s not just the restoration of computers, but the shutdown and revalidation of the process itself (e.g., integrity testing of a section of pressurized pipe when brought back online). This leads to additional closures due to additional faults being discovered or complications in your scheduled maintenance cycles.
- Business shutdown, divestment, and/or bankruptcy. In industries that are high-volume low-margin, or high-burn (e.g., hourly shutdown cost can easily outpace profits or contingency reserves), a high-impact ransomware attack may be the siren’s song signaling the permanent shutdown of a site (or organization). This has huge consequences.
- And it has to be said, there may be damage to an organization’s reputation, legislative/compliance costs, and a number of other consequences. For example, if a lack of controls is found, cyber insurance may be revoked, or be entirely unavailable.
What actions can you take to minimize the risk and impact of ransomware?
I promised this article would not be all doom and gloom, despite the technical and in-your-face risks. Ransomware is a challenging adversary, but it can also be similar to managing other cyber-enabled threats.
In fact, many of those IT-based technologies or strategies work in OT, provide an improved return on investment (ROI), and could even be more effective due to the nature of OT; it’s often steady-state, isolated, or, overly cautious.
However, overly cautious organizations that aim for a passive-only security approach (e.g., passive network monitoring or scanning) must realize that by the time you detect ransomware on a network and receive an alarm, it’s too late. Other controls relating to the prevention, reaction, and recovery have a larger impact on reducing ransomware risk and impact.
So, what can you do? Well, unfortunately, the reality is – you cannot entirely eliminate the risk, but you can reduce the risks/impacts to more tolerable levels.
Verve’s advice on protecting, defending, and responding to ransomware attacks is very similar to the recent guide to ransomware published by CISA and MS-ISAC. Both guides should act as a resource to defend against ransomware attacks, reduce risk, and respond to infiltration.
Protect against OT ransomware in 5 ways:
- Endpoint Management
- Asset inventory: Effective endpoint management begins with a robust asset inventory. As the age-old saying goes, if you don’t know what you have, you can’t manage the risks. A rich view of a 360-degree picture of each endpoint enables proper endpoint management.
- OT systems management: But OT asset inventory is only the beginning of a robust endpoint management program. A robust OT Systems Management program includes configuration hardening, user and account management, software management, etc. In many cases, OT systems are insecurely designed and unpatched, making it ripe for ransomware.
- Patch management: Most threats enter through commodity systems such as Windows machines. You cannot patch everything in OT, but an end-to-end patch management program (i.e. automation and intelligent application of patches) is of great importance due to several environmental factors such as compliance, legislation, and risk management (e.g., patches on hosts with RDP or firewalls connected to the Internet should be prioritized over a PLC protected by several layers). Where unfeasible, application whitelisting, and policy enforcement makes an attacker’s life very difficult improving your chances to defend or deny a ransomware attack on your OT organization.
- Removable media: USBs, removable media, and transient devices are other forms of low hanging fruit, especially if your network is “air-gapped” or heavily controlled. Users WILL bypass your controls by way of removable media. As a best practice, system policies are easily deployed, whitelisting software used, registered secure drives, and other technologies such as 802.X ensure authorized systems are allowed on network segments.
- Network Defense
- Network segmentation and access controls: Limiting network access between zones, conduits, devices, and even business units/function is a critical mechanism for reducing the spread of a ransomware infection. After all, it works in real life preventing/slowing the spread of infectious diseases and adds a barrier to limit initial infection, so it also applies to malware and attackers as well.
- Monitor network, system, and application logs for anomalies: A cyber attack often has precursory elements that indicate an infection. However, it could indicate a vulnerable system that is amidst an attack or is about to be compromised giving your defensive team an advantage to prevent a wide-scale infection or attack.
- Technical diversity between zones or systems: Consistency across systems has scaling advantages, but when a single vulnerability affects multiple products, this strategy grounds your entire operations if exploited. Barriers such as a VPN with 2FA, a remote access terminal server, and multiple firewall vendors, exponentially increases the efforts if it is an external attack, or from a network zone that has a lot of churn.
- Access Control
- Isolated systems based on software, user role, and function: To protect systems compromised through remote access, local Windows networking flaws (e.g., print spool or SMB/NETBIOS), or Office/Acrobat, isolate them based on function and ensure unnecessary software is NOT included in standardized golden images or the same AD server is not serving policy for IT and OT. This also applies to user-based accounts; if an HMI is an HMI, treat its operator as an operator, not as an administrator.
- Monitored external attack surfaces: Many attacks are successfully accomplished due to a misconfiguration or an inadvertent hole caused by a gap in change management. It is a best practice to monitor for exposed services (e.g., Shodan).
- Backup and Recovery
- Expanded backup coverage and frequent snapshots (more hosts): The more hosts that are frequently backed up SECURELY, and assuming an adequate pipeline to get systems back those backups (e.g., enough network bandwidth), the faster you can recover from a ransomware attack. However, you must ensure the vulnerability is mitigated or the host is isolated when the backup is restored, or they may become re-infected.
- Have offline backups of critical assets: Offline backups as a resilience or disaster recovery strategy is critical to ensure your most important OT assets are protected or can be readily restored if your infrastructure is down. This includes PLC logic code, configuration, documentation, and system images/files. It may sound expensive, but it is often accomplished with securely encrypted USBs that are periodically rotated such that file integrity is maintained.
- Well-Defined and Tested Policies and Procedures
- Well-defined and well-tested processes for cyber security in IT & OT: Cyber security processes for traditional IT or even the physical aspects of OT are usually well-defined. However, when it comes to OT, or even handling cyber events and incidents, they are not. Ensure your organization and teams understand the end-to-end processes and identify gaps to ensure escalation or recovery will go without a hitch. When you need them, you need them.
- Regularly have “cyber fire drills” to test backups and their recovery: Again, I cannot stress this enough, a frequent training regime should be absolutely applied for OT and cyber-related events. Forensics, failed hardware, shutdowns, etc. should have at least an initial note for cyber, just to ensure it was not cyber-related, and if so, a chain of custody and due diligence can be assured. Secondly, it is important that your resources know what to do when there is an issue, so this is another way to double-check processes while improving the likelihood of a quick recovery.
Improving these five categories reduces the risk and impact of a ransomware attack, leverages existing technology investments, and improves recovery in the event of a compromise. These are all likely to be standard in an OT cyber security program, but also hinge on effective cyber security controls, products, and services should you need them.