Ransomware Threatens Industrial Control Systems

THE GROWING RISK OF RANSOMWARE ATTACK

One increasingly prevalent type of cyberattack is ransomware. This kind of malicious software infects an organization’s computers and network, makes files unavailable and demands payment to allow access to the files. The ransomware either encrypts the target’s files or makes them inaccessible by, for example, changing passwords. Some ransomware attacks include stealing confidential information, as well.

A ransomware attack is usually delivered through an e-mail attachment, which could be an executable file, an image or an archive such as a zipped folder. Even an innocent-looking Word file may contain a malicious macro. When an unsuspecting user opens the attachment, the malware is released into the user’s network. Cybercriminals can also plant malware on websites that release it when a user unknowingly visits the site.

The ransomware infection goes undetected while the malware stealthily infects the system. When the data-locking mechanism deploys, a dialogue box announces that the data has been locked and demands the ransom. “By then, it is too late to save the data through any security measures,” according to the No More Ransom Project.

VULNERABILITY OF INDUSTRIAL CONTROL SYSTEMS

“Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive—and potentially destructive—impacts,” said the Dragos report. Thus, the threat may not be only making data inaccessible, but could include shutting down production or causing damage by altering operation parameters or modifying control loops, for example.

Targeted ransomware is already the single biggest cause of production downtime due to cyberattacks, according to a report from Waterfall Security Systems. Historically, ransomware spread automatically and demanded a modest ransom for individual encrypted machines. Now, the new generation of targeted ransomware is remotely operated by attack professionals. “The attackers dig deep into targeted networks, encrypt the most valuable machines they can find, and demand significant ransoms for the network as a whole, rather than for individual machines,” the report said. Ransoms demanded by these targeted attacks are often more than $100,000 and can be in the millions.

WHAT TO DO IN CASE OF A RANSOMWARE ATTACK

Every organization needs a disaster recovery strategy. Make sure your strategy includes cyberattacks in addition to other disruptive events such as extreme weather, pandemics and power outages.

If your organization falls victim to ransomware, follow these recovery steps recommended by Kaspersky:

• Do not pay the ransom. Paying the ransom does not guarantee that the cybercriminals will return your data. Paying the ransom also strengthens the attackers and makes future attacks more likely.
• Use a decryption tool, if available, from your internet security vendor or the No More Ransom Project.
• Restore your data from your external and/or cloud backups.

Recovery from a ransomware attack can be a complex and painstaking process. For a real-world example see “Anatomy of a Ransomware Attack” in this article.

FOCUS ON PREVENTION

To help prevent a ransomware attack and to make recovery easier if your systems are attacked, follow these guidelines from the No More Ransom Project:

• Back up your data. Have a recovery system in place so a ransomware infection can’t destroy your data forever. It’s best to create two back-up copies: one automatic and stored in the cloud, and another on external storage devices that are disconnected from your network when not actively backing up.
• Use robust antivirus software to protect your systems from ransomware. Be sure to enable heuristic functions, as these help the software to catch ransomware that has not yet been formally detected by the antivirus company.
• Keep all software up to date. When your operating system or applications release a new version, install it. If the software offers the option of automatic updates, choose it.
• Trust no one. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or online gaming partners. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look like they come from an online store, a bank or a tax agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
• Enable the Show file extensions option in the Windows settings on your computer. This makes it easier to spot potentially malicious files with extensions such as exe, .vrb or .scr.
• If you discover a rogue or unknown process on your computer, disconnect immediately from the internet or other network connections (such as Wi-Fi) to prevent the infection from spreading. Notify your IT department.

Ransomware attackers are becoming more sophisticated and in recent years they have begun to target critical infrastructure companies. These attacks can hold entire networks hostage and the criminals controlling the attacks are demanding ever-larger ransom payments. Prevention includes all the standard cybersecurity procedures, from teaching employees not to open suspect email attachments to keeping software safeguards up to date. Backups, always good practice, are critical in making a timely recovery should a ransomware attack occur.

Barbara Donohue is a freelance technical journalist and former Web editor of VALVE Magazine.