Talk given at S4x17 - Miami - USA (in English)
TRANSCRIPT
TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved.
Ransomware in ICS..... It begins
Marcelo Branquinho
January, 2017
www.tisafe.com
Agenda
• Introduction
• About Ransomware
• Ransomware in ICS
  Study Case #1 – Furniture Factory
  Study Case #2 – Electrical Company
• What if the worst happens?
INTRODUCTION
Threats have changed: Advanced Attacks
Past:
• PURPOSE: Notoriety
• One person, small groups
• Limited knowledge and resources
• Basic attacks
Present:
• PURPOSE: Profit, sabotage and conflict among organized nations
• Targeted attacks
• Funded; growing focus on industry
• Data encryption, targeted, Internet-borne
SCADA / ICS - The perfect storm for cyber attacks
Unknown control and persistent advanced threats
Malware impacting industrial production
The scenario is bad, but can it get worse?
Sure!! The attackers have figured out that ICS are an easy target... and started to attack them!
ABOUT RANSOMWARE
What is Ransomware?
• Ransomware is a type of malware that prevents the user from accessing their data.
• The user will recover access to the data only by paying a ransom.
• Ransomware directly affects the availability of ICS by blocking access to information that is vital for its operation.
Is Ransomware a new threat?
Ransomware in ICS....It Begins
Ransom demands are rising... this one happened last week
Ransomware in OT vs. Ransomware in IT
• Ransomware in OT can be much worse than ransomware in IT because it can directly affect SCADA system operation by:
  – Blocking access to HMIs
  – Encrypting Windows SCADA supervision and programming machines (HMI)
  – Encrypting historians and production databases
  – Encrypting engineering stations
  – Spreading to other plants through remote access or VPNs
  – Blocking access to utility systems
RANSOMWARE IN ICS
TWO STUDY CASES IN BRAZIL
STUDY CASE #1
FURNITURE FACTORY
Study Case #1 – Furniture Factory
• Where: State of Goias, Brazil
• Type of Ransomware: cryptoRSA4096-Ransomware
• Machines infected: Windows SCADA supervision and programming machines (HMI) inside the factory.
Study Case #1 – Furniture Factory
• Consequence: The factory stopped working. The company lost customer and supplier registrations, employee payroll, and machine supervision and programming.
• Ransom requested: US$ 3,061.00
• Financial loss: The factory stayed stopped for 15 days (a loss of approximately US$ 100,000.00 due to production downtime and delivery delays) until it restructured and returned to its normal routines.
• No ransom was paid; the infected machines had to be fully rebuilt because the OT team didn't have healthy and updated backups.
Video - Ransomware in Furniture Factory
Video produced by Globo TV (Brazil) and broadcast across the whole Brazilian territory on "Fantastico", a Sunday night TV show
STUDY CASE #2
ELECTRICAL COMPANY
Special thanks to Mr. Alexandre Freire, from the Palo Alto Networks SCADA & ICS Tiger Team, for sharing information about this study case
Study case #2 – Electrical Company
• Where: South of Brazil
• Type of Ransomware: CryptoLocker
• Machines infected: Windows SCADA supervision machines (HMI) inside a control center.
Study case #2 – Electrical Company
• Infection vector: a flash drive used at one HMI. The ransomware spread through file shares and mapped network folders, infecting 3 other supervision stations on the same automation network segment.
• Consequence: momentary loss of supervision and control of power distribution.
• Ransom requested: USD 300.00 per machine (4 machines were infected)
• Financial loss: none, because control was automatically transferred to a secondary control center that wasn't physically connected to the main control center. No ransom was paid; the infected machines were rebuilt from healthy backups.
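The spread pattern in this case (one station rewriting or renaming many files on a mapped share in seconds) is detectable from file-server audit records. The following is an added example, not part of the talk or any vendor product: it assumes a simplified "timestamp host ACTION path" audit line format and uses constructed sample lines, flagging any host that touches a threshold of distinct files inside a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per host
THRESHOLD = 20                   # distinct files rewritten inside the window

def parse(line):
    """Parse 'ISO-timestamp host ACTION path' (assumed simplified audit format)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def find_mass_writers(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: time first flagged} for hosts that rewrite or rename at
    least `threshold` distinct files within `window`. Reads are ignored, so
    an operator opening many project files does not trigger the alert."""
    recent = defaultdict(deque)   # host -> (time, path) events inside window
    flagged = {}
    for line in sorted(lines):    # fixed-width ISO timestamps sort chronologically
        ts, host, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:
            q.popleft()
        if host not in flagged and len({p for _, p in q}) >= threshold:
            flagged[host] = ts
    return flagged

def constructed_sample():
    """Constructed audit lines: HMI-01 saves one project every ten minutes,
    HMI-02 renames 25 historian exports to an encrypted extension in 25 s,
    the pattern of ransomware spreading over a mapped share."""
    t0 = datetime(2017, 1, 10, 9, 0, 0)
    lines = []
    for i in range(6):
        t = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} HMI-01 WRITE \\\\scada-fs\\projects\\line{i}.prj")
    for i in range(25):
        t = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} HMI-02 RENAME \\\\scada-fs\\projects\\hist{i}.csv.locked")
    return lines

if __name__ == "__main__":
    for host, when in find_mass_writers(constructed_sample()).items():
        print(f"ALERT {when}: {host} is mass-rewriting files on the share")
```

The alert fires at the 20th distinct file, which in the constructed sample is 19 seconds after HMI-02 starts; tune WINDOW and THRESHOLD to the normal save rate of your engineering stations.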
WHAT IF THE WORST HAPPENS?
What if the worst happens?
When mitigation fails, it is important for organizations and individuals to consider all possible responses to a ransomware attack:
• Have a prepared incident response team: This team must have planned, during its risk assessment, a procedure to follow in the event of a ransomware attack. This procedure should start by notifying the authorities and regulators, because ransomware attacks are crimes prescribed by law.
• Switch control to a secondary control center: for non-stop real-time systems, a secondary control center must be fully prepared to be activated.
• Try to recover lost data: System backup and recovery are the only technical solution to revert ransomware attacks. Having updated backups is vital in cases of critical data loss. In this case, it will be necessary to recover the systems and data to return to normal business activity.
• Do nothing: In cases where the ransom outweighs the cost of the system, the victim can purchase a new device and dispose of the infected system.
What if the worst happens? (cont.)
• Pay the ransom: Some attackers may release the system after receiving payment, because doing otherwise would reduce the probability that new victims will fall for the scheme. Unfortunately, however, there is no guarantee that the attackers will help you recover the data after the ransom is paid.
• A hybrid solution: includes simultaneous efforts to pay the ransom and attempt to restore systems from a trusted backup. Organizations opt for this strategy when system downtime is even more critical than the consequences of the ransom payment.
An important detail...
• Modern ransomware is able to search for servers and backup applications running on the network and encrypt them as well...
• In these cases, the only possible solution will be to pay the ransom.
• Paying ransoms can be easy for private institutions, but public companies do not have money allocated for this... They would have to put the ransom out to public tender.
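Both case studies turned on whether healthy and updated backups existed, and the previous slide notes that backups reachable from the network can themselves be encrypted. The following is an added example, not from the talk: a backup health check that compares each station's backup image against the SHA-256 recorded in a manifest written at backup time (the manifest format and station names are assumptions) and flags copies that are stale or no longer match, which is what a ransomware pass over a reachable backup leaves behind.

```python
import hashlib, os, tempfile
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=7)   # oldest backup still considered "updated"

def sha256_file(path):
    """Hash a backup image in chunks so large HMI images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_backups(manifest, now):
    """manifest: {station: {"path", "sha256", "taken"}} written when the backup
    was made (assumed format). Returns {station: [problems]}; [] is healthy."""
    report = {}
    for station, m in manifest.items():
        problems = []
        if not os.path.exists(m["path"]):
            problems.append("missing")
        elif sha256_file(m["path"]) != m["sha256"]:
            problems.append("hash mismatch: modified or encrypted since backup")
        if now - datetime.fromisoformat(m["taken"]) > MAX_AGE:
            problems.append("stale")
        report[station] = problems
    return report

def constructed_demo():
    """Constructed scenario: HMI-01 has a fresh intact image; HMI-02's image
    was overwritten after the manifest was written and is three weeks old."""
    d = tempfile.mkdtemp()
    now = datetime(2017, 1, 10, 8, 0)
    manifest = {}
    for name, age_days, tamper in (("HMI-01", 1, False), ("HMI-02", 21, True)):
        path = os.path.join(d, name + ".img")
        with open(path, "wb") as f:
            f.write(b"SCADA project and HMI configuration for " + name.encode())
        manifest[name] = {"path": path, "sha256": sha256_file(path),
                          "taken": (now - timedelta(days=age_days)).isoformat()}
        if tamper:   # simulate the copy being encrypted in place on the share
            with open(path, "wb") as f:
                f.write(os.urandom(64))
    return check_backups(manifest, now)

if __name__ == "__main__":
    for station, problems in constructed_demo().items():
        print(station, "healthy" if not problems else "; ".join(problems))
```

Run it against a manifest kept on a copy that the stations cannot write to; a manifest stored beside the backups on a mapped share would be encrypted together with them.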
Marcelo Branquinho
+55 21 994002290