palestra realizada no s4x17 - miami - eua (em inglês)

TI Safe Segurança da Informação LTDA, 2007-2010.Todos os direitos reservados.

Ransomware in ICS..... It begins

Marcelo Branquinho

January, 2017

www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2010.Todos os direitos reservados.

• Introduction

• About Ransomware

• Ransomware in ICS

Study Case #1 – Furniture Factory

Study Case #2 – Electrical Company

• What if the worst happens?

Agenda


INTRODUCTION


Threats have changed: Advanced Attacks

Data Data Internet

Encryption Targeted

PURPOSE: Profit, Sabotage and Conflict

among organized nations • Targeted Attacks

• Funded – Industry Growing Focus

PURPOSE: Notoriety • One person, small groups

• Limited Knowledge and

Resources

• Basic Attacks

Internet ? Past

Present


SCADA / ICS - The perfect storm for cyber attacks


Unknown control and persistent advanced threats

Malware impacting industrial production


The scenery is bad, but can it get worse ??


The attackers have figured

out that ICS are an easy

target…..and started to

attack them!

Sure!!


ABOUT RANSOMWARE


What is Ransomware?

• Ransomware is a type of

malware that prevents the

user from accessing your

data.

• The user will recover

access to the data only by

paying a redemption.

• Ransomware affects

directly the availability of ICS

by blocking access to vital

information for its operation.


Is Ransomware a new threat?


Ransomware in ICS....It Begins


The redemption is rising...just happened last week


Ransomware in OT x Ransomware in IT

• Ransomware in OT can be much worst than Ransomware in IT because it

can directly affect SCADA systems operation by:

Blocking Access to HMIs

Ciphering Windows SCADA supervision and programming machines

(HMI)

Ciphering Historians and Production Databases

Ciphering Engineering stations

Spreading to other plants through remote access or VPNs

Blocking access to utilities systems


RANSOMWARE IN ICS

TWO STUDY CASES IN BRAZIL


STUDY CASE #1

FURNITURE FACTORY



• Where: State of Goias, Brazil

• Type of Ransomware: cryptoRSA4096-Ransomware

• Machines infected: Windows SCADA supervision and programming

machines (HMI) inside the factory.



• Consequence: The factory stopped working. The company lost customer

and supplier registrations, employee payroll and machine supervision and

programming.

• Redemption requested: U$ 3.061,00

• Financial Loss: The factory stayed 15 days stopped (loss of

approximately US $ 100,000.00 due to downtime in production and

delays in deliveries), until it restructured, to return the normal routines.

• No redemption was paid for infected machines that had to be fully

recovered because the OT team didn´t have healthy and updated

backups.


Video - Ransomware in Furniture Factory

Video produced by Globo TV (Brazil) and broadcasted for the

whole brazilian territory at “Fantastico”, a sunday night TV show


STUDY CASE #2

ELECTRICAL COMPANY

Special thanks to Mr. Alexandre Freire, from the Palo Alto Networks

SCADA & ICS Tiger Team, for sharing information over this study case


Study case #2 – Electrical Company

• Where: South of Brazil

• Type of Ransomware: CryptoLocker

• Machines infected: Windows SCADA supervision machines (HMI) inside a

control center.


Study case #2 – Electrical Company

• Infection Vector: A Flash Drive used at one HMI. The ransomware

spreaded through file shares and network mapped folders infecting other 3

supervision stations at the same automation network segment.

• Consequence: momentary loss of supervision and control of power

distribution.

• Redemption requested: USD 300,00 per machine (4 machines were

infected)

• Financial Loss: No financial loss happened because the control was

automatically transferred to a secondary control center that wasn´t

physically connected to the main control center. No redemption was paid

for infected machines that could be resettled through healthy backups.


WHAT IF THE WORST HAPPENS?


What if the worst happens?

When mitigation fails, it is important for organizations and individuals to

consider all possible responses to a Ransomware attack:

• Have a prepared incident response team: This team must have previously

planned a procedure to follow in the event of a ransomware attack during its risk

assessment. This procedure should start notifying the authorities and regulators

because Ransomware attacks are crimes prescribed by law.

• Switch control to a secondary control center: in case of non stop real time

systems, a secondary control center must be fully prepared to be activated.

• Try to recover lost data: System backup and recovery are the only technical

solution to revert ransomware attacks. Having updated backups is vital in cases of

critical data loss. In this case, it will be necessary to perform a recover of the systems

and data to return to normal business activity.

• Do Nothing: In cases where the rescue outweighs the cost of the system, the victim

can purchase a new device and dispose of the infected system.


What if the worst happens? ( cont.. )

• Pay the redemption: Some attackers may release the system after receiving

payment, because doing different would reduce the probability that new victims will fall

into the blow. Unfortunately, however, there is no guarantee that the attackers would

help you recover the data after the redemption paid.

•A Hybrid Solution: includes simultaneous efforts to pay the rescue and attempt to

restore systems from a trusted backup. Organizations opt for this strategy when

system downtime is even more critical than the consequences of the redemption

payment.


An important detail ....

• Modern Ransomware is able to search servers and backup applications

running on the network and also encrypt them ...

• In these cases, the only possible solution will be to pay the redemption.

• Paying redemptions can be easy for private institutions, but public companies

do not have the money allocated for this ... They would have to bid the

redemption


Marcelo Branquinho

[email protected]

+55 21 994002290

mailto:[email protected]

palestra realizada no s4x17 - miami - eua (em inglês)

Technology