Industrial sites, companies at risk to sophisticated ransomware

A new version of ransomware, called Petya, is attacking companies and countries across the globe and is being compared to WannaCry, though it is considered more severe.

07/29/2017


Industrial sites, along with other industries, are undergoing an attack from a new version of ransomware that is being called quite a few different names, but is infecting networks in countries across the globe.

Petya ransomware, as it is mainly called, encrypts the master boot record of infected Windows computers, rendering affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in Server Message Block (SMB).

This malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month—but so far, at least, Petya seems to be spreading more slowly in only about 64 countries. Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning, the account had received around $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments.

Some of the victims so far are the Ukrainian government, its National Bank and its biggest power companies; airports and metro services in the country are also feeling the effect.

"The Ukraine continues to be in the cross-hairs of persistent cyber attackers," said Edgard Capdevielle, chief executive of Nozomi Networks. "Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing."

Companies fall victim

Shipping company A.P. Moller-Maersk reported a computer systems outage on Tuesday which it said could be a global issue.

"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation," Maersk said on Twitter. A Maersk spokeswoman said the cause of the breakdown was not yet known, but that it could extend across the company's global operations.

Russia's top oil producer Rosneft said Tuesday its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.

The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems, said Patrick McBride from Claroty in a blog post.

More severe

Our initial analysis suggests that Petya's potential impact on ICS networks appears to be more severe than WannaCry due to the following:

  • Impact on ICS Microsoft Windows machines: Petya does not encrypt files one by one against a matching extension list; it encrypts the master file table (MFT) so that the file system is not accessible, effectively bricking the machine. This means any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would remove all visibility and monitoring capability, which in most if not all cases would lead to a shutdown. The OT network would have to stay in manual mode until the infected Windows endpoints are recovered. Further, other SCADA components, e.g., historians, backup servers and engineering stations, would also be impacted.
  • Propagation: Petya's propagation capabilities surpass those of WannaCry, as it leverages the user's privilege to propagate throughout the network (using PsExec). It also utilizes WMI as a propagation vector. McBride also said the mitigation steps are similar to those used in WannaCry. Patch the following CVEs, he said: CVE-2017-0199 and CVE-2017-0144.

McBride added some additional protection and recovery steps:

  • Block SMB and WMI ports 135, 139, 445 and 1024-1035 TCP, if possible.

    • Note: Some ICS software relies on these services, so this can impact operations.
    • Customers can use the Claroty Platform to determine whether their current ICS environments are leveraging these ports/protocols.

  • Block execution of .exe files within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues, for example with installers, but provides temporary relief.
  • Check logs for IOCs below
  • If infected:

    • Try to avoid a reboot. Run shutdown -a to abort the shutdown and preserve a copy of the MFT from memory for recovery (cmd /k shutdown -a).
    • Try not to format the encrypted systems; instead, take an image of them for use in the recovery steps.
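The port-blocking step above comes with the caveat that some ICS software depends on these services, and Carcano's advice later in the article is to identify Windows systems in the ICS that still expose SMB v1. The following PowerShell script is an added example, not code from the article, Claroty or Nozomi: it first audits a host for listeners and active sessions on TCP 135, 139, 445 and 1024-1035 and reports whether SMBv1 is enabled, and only when run with -Enforce does it create the firewall block rules and disable SMBv1. The rule name is an assumption, and the script assumes an elevated session on Windows 8/Server 2012 or later, where the NetTCPIP, NetSecurity and SmbShare modules are available.

```powershell
<#
  Added example (not from the ISSSource article or the vendors it quotes).
  Audit-then-block for the SMB/WMI ports named in the article.
  Default run is read-only; pass -Enforce to apply the firewall rules and disable SMBv1.
#>
param(
    [switch]$Enforce,
    [string]$RuleName = 'Petya-Block-SMB-WMI'   # assumed rule name; pick one that fits your policy
)

# Ports from the article: RPC endpoint mapper, NetBIOS session, SMB, and 1024-1035.
$BlockPorts = @(135, 139, 445) + (1024..1035)
$PortSpec   = @('135', '139', '445', '1024-1035')   # range syntax accepted by New-NetFirewallRule

function Get-PortUsageReport {
    # Report who is listening on, or connected over, the ports we intend to block,
    # so ICS traffic (HMI-to-historian, engineering station sessions) is spotted first.
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $BlockPorts -contains $_.LocalPort }
    $established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($BlockPorts -contains $_.LocalPort) -or ($BlockPorts -contains $_.RemotePort) }

    foreach ($c in @($listen) + @($established)) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            State      = $c.State
            LocalPort  = $c.LocalPort
            RemoteAddr = $c.RemoteAddress
            RemotePort = $c.RemotePort
            Process    = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
        }
    }
}

function Get-Smb1Status {
    # SMBv1 is the protocol version the EternalBlue exploit (CVE-2017-0144) relies on.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Set-BlockRules {
    # Inbound rule keyed on local port, outbound rule keyed on remote port.
    $inName  = "$RuleName-Inbound"
    $outName = "$RuleName-Outbound"
    if (-not (Get-NetFirewallRule -DisplayName $inName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $inName -Direction Inbound -Protocol TCP `
            -LocalPort $PortSpec -Action Block | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName $outName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $outName -Direction Outbound -Protocol TCP `
            -RemotePort $PortSpec -Action Block | Out-Null
    }
}

# --- audit phase ---
$report = @(Get-PortUsageReport)
if ($report.Count -gt 0) {
    $report | Format-Table -AutoSize
} else {
    Write-Output 'No listeners or established sessions on the listed ports.'
}
Write-Output "SMBv1 enabled: $(Get-Smb1Status)"

# --- enforcement phase (opt-in) ---
if ($Enforce) {
    if ($report | Where-Object { $_.State -eq 'Established' }) {
        Write-Warning 'Active sessions use these ports; confirm they are not ICS traffic before continuing.'
    }
    Set-BlockRules
    if (Get-Smb1Status) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server protocol disabled.'
    }
    Write-Output "Firewall rules '$RuleName-Inbound' and '$RuleName-Outbound' are in place."
}
```

Run it once without -Enforce on each Windows host in the OT network and keep the report; an HMI that shows established sessions to a historian on port 445 is exactly the case the article's note warns about, and blocking there without a replacement path would take the operators to manual mode just as the malware would. The firewall rules are host-based and complement, not replace, the patching of CVE-2017-0144 and CVE-2017-0199 recommended above.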

Need protection

"Although details are still emerging, one thing is clear, attacks such as these do not discriminate between geography or industry," said David Zahn, GM of ICS cybersecurity at PAS. "Like the WannaCry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues.

"Prima facie, the motive behind this attack looks financial. But, were the motivation different, we'd face a much more serious situation today. Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety," Zahn said. "Compromising these systems could impact the environment, cause injury, or disrupt production. It's also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted."

New era of attacks

"It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack," said Bryan Singer, director of security services at IOActive. "For the past ten years any attacks on industrial control systems have been one-off, specifically targeted attacks by insiders, or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era; it is now impossible to say 'that can't happen to us' any more."

"The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing EternalBlue to spread to other systems before encrypting files and demanding payment," Singer said. "One major difference between this outbreak and WannaCry, though, is the possible inclusion of exploit code for another known vulnerability, CVE-2017-0199, affecting Microsoft Office, to further spread the payload."

"If rumors prove true that this attack was initiated by the EternalBlue exploit, it is a well-known vulnerability using SMB v1," said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. "SMB is a protocol often used in industrial networks. Therefore, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them."

Gregory Hale is founder of ISSSource. This article originally appeared on ISSSource's blog. ISSSource is a CFE Media content partner. Edited by Carly Marchal, content specialist, CFE Media, cmarchal@cfemedia.com.
