NTSC Blog

Ransomware for Industrial Control Systems – the Next Frontier?

By Raheem Beyah, Ph.D.
School of Electrical & Computer Engineering
Georgia Tech

Ransomware has evolved significantly over the years as malware authors have learned and adapted their methods of distribution, approach to extorting victims, and the technology that they use to hold assets for ransom.

In 2015, Symantec issued a technical report about the evolution of ransomware that categorized it into four main types along with key points in ransomware’s history when malware authors pivoted between the different types.

  • The first epidemic of ransomware appeared in the form of fake applications promising to fix imaginary problems on the victim’s computer for a small fee.
  • Next, attackers increased the supposed threat to the victim by posing as fake antivirus programs promising to clean out all the infections found by a free scan.
  • As the average user became more tech-savvy and better at spotting these scams, attackers became even more aggressive and began locking users out of their computers, usually under the pretense of some law enforcement agency forcing them to pay a fine for piracy. Again, average users began to learn how to detect these scams, and legitimate security products were released to restore victims’ computers without paying the ransom.
  • To compensate for all the previous weaknesses in ransomware, attackers finally moved to cryptoransomware to gain stronger control over the victim’s valuable assets and gave up trying to deceive users at all, instead opting to overtly demand payment or destroy their data.

It is this cryptographic breed of ransomware that has been making headlines recently by extorting large payouts, such as $10,000 to restore a public school district’s records or $17,000 to restore patient records at a hospital. The FBI estimated that ransomware cost the United States a total of $24 million in the year 2015, with the cost climbing to an estimated $209 million in just the first three months of 2016.

With cybercriminals clearly catching on to the profitability of ransomware, they appear to be turning to Industrial Control System (ICS) networks as their next potential victims. A report released by Fortinet in 2016 presents evidence that attackers seem to be retooling their standard cryptoransomware and targeting it at manufacturing facilities in particular. Another report from Booz Allen Hamilton in 2016 takes this concept one step further by speculating that ransomware will not only shift to the manufacturing sector but also shift to attacking the programmable logic controllers (PLCs) rather than just personal computers.

As further evidence that these predictions are coming true, the world is seeing high-profile ransomware attacks creep ever closer to control systems. In November 2016, the ticketing machines at San Francisco’s Muni transit system were infected with ransomware, and it took several days to recover from this costly incident. Then, in late January 2017, it was reported that ransomware infected a luxury Austrian hotel, preventing new room key cards from being programmed for guests and essentially locking them out of their rooms. With each hotel room costing upwards of several hundred U.S. dollars per night, the victim decided it was worth paying the attacker roughly $1,600 to restore the systems and resume normal business operations quickly.

It certainly appears as if ransomware (and other forms of malware) is headed toward Level 2 of the Purdue Reference Model (i.e., the controllers). So, if ransomware does make it to PLCs in ICSs, what would the attacker hold for ransom? In traditional ransomware attacks, the attackers have focused on the most valuable component of most businesses—their data. ICS networks usually have little valuable data but instead place the highest value on downtime, equipment health, and personnel safety. Therefore, ransomware authors can threaten all three to make ICS ransomware profitable.

At RSA Conference 2017, my Ph.D. student presented a simulated ransomware attack on a water treatment plant using a testbed in my lab at Georgia Tech’s School of Electrical & Computer Engineering. We built the testbed to mimic the disinfection and storage stages of a city water treatment facility. In the disinfection stage, precise ratios of input water are mixed with chlorine. In the storage stage, the mock-up facility keeps a minimum amount of reserved water to ensure that demand can always be met.

Our ransomware took advantage of several known weaknesses in popular PLCs to gain a foothold in the network. Then, it pivoted and propagated the malicious payload to other PLCs on the network. The ransomware, which had worm capabilities, was written in Structured Text, one of the five native PLC languages specified by the IEC 61131-3 standard. Once we were able to control a PLC, we leveraged the limited security mechanisms on the PLCs to lock the asset owner out. Using the email client on one of the PLCs, we were able to communicate with the asset owner to demand the ransom.

The simulated ransomware attack didn’t end well. We ultimately poisoned the city’s drinking water with high doses of chlorine, which would have tremendous consequences were it real life.

One could argue that removing and replacing the infected PLCs would resolve the issue. This may be true if one could guarantee that only a few PLCs are affected by an attack. However, given the homogeneity of devices and the lack of security monitoring in many industrial networks, it is very likely that all of the PLCs will be compromised. The remedy would then require shutting down the entire plant or factory, which could be catastrophic.

Our proof-of-concept PLC ransomware made it clear that ransomware in ICSs is feasible. To minimize the likelihood of such attacks, we offer several recommendations.

  • First, we must demand that vendors provide common sense security on all their devices as well as prompt remediation of flaws found by researchers. I’m a strict believer in ethical disclosure of vulnerabilities. However, some vendors are better than others with prioritizing fixes. At the time of this writing, I’ve waited 10 months for a major PLC vendor to merely provide a timeline for when they will patch a privilege escalation vulnerability discovered by my group.
  • Second, asset owners cannot rely solely on vendors for the security of their ICSs; following standard best practices can substantially improve the security of their systems. Since true air gaps rarely exist, defense-in-depth strategies should always be implemented. This includes:
    • Standard endpoint security: Includes changing all default passwords, using access control lists and role-based authentication where possible, disabling remote programming, and keeping device firmware up to date.
    • Network security: Includes network segmentation, monitoring of both the IT network and the control network, protocol whitelisting implemented in firewalls, and automated backups of PLC programs to help expedite recovery if the facility is compromised.
    • Policy: At the end user level, all employees should be trained to identify phishing emails and prohibited from using their own personal USB drives.
  • Third, facilities should have an incident response plan in place to put into action when a compromise does happen.
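Two of the network-security controls recommended above, protocol whitelisting and automated backups of PLC programs, can be expressed as small monitoring checks. The following is an added example written for this post, not code from the author's lab or from any PLC vendor. It assumes a Purdue-style segmentation into IT, engineering and control zones, an allow-list of which zone pairs may speak which protocol/port (the Modbus/TCP and EtherNet/IP ports are the standard ones, but the policy itself is a constructed assumption), and a directory of PLC program backups whose SHA-256 hashes were recorded in a manifest at backup time. Every host address, flow record and program image below is constructed sample data.

```python
"""
Added example (not part of the original post): two defensive checks a plant's
monitoring host could run on the control network.

1. Protocol whitelisting: flow records are compared against an allow-list of
   (source zone, destination zone, protocol/port). Anything outside the list is
   flagged, e.g. IT-zone hosts reaching a PLC, controller-to-controller
   programming traffic, or a PLC talking to the outside world.
2. Backup integrity: PLC program backups are hashed and compared with a
   known-good manifest, so recovery uses an untampered image and unexpected
   program changes are detected.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed zone map (assumption: three Purdue-style zones).
ZONES: Dict[str, str] = {
    "10.0.1.0/24": "it",            # corporate IT
    "10.0.2.0/24": "engineering",   # engineering workstations (Level 3)
    "10.0.3.0/24": "control",       # PLCs (Level 2)
}

# Constructed allow-list policy: (src zone, dst zone, "proto/port").
ALLOWED: Set[Tuple[str, str, str]] = {
    ("engineering", "control", "tcp/502"),    # Modbus/TCP from engineering only
    ("engineering", "control", "tcp/44818"),  # EtherNet/IP explicit messaging
    ("control", "control", "udp/2222"),       # EtherNet/IP implicit I/O between controllers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "unknown"


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src,dst,proto,dport' records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def check_whitelist(flows: Iterable[Flow], allowed=ALLOWED) -> List[Flow]:
    """Return every flow whose (src zone, dst zone, proto/port) is not allow-listed."""
    return [f for f in flows
            if (zone_of(f.src), zone_of(f.dst), f"{f.proto}/{f.dport}") not in allowed]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(backups: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of each PLC program image at backup time."""
    return {name: sha256_hex(data) for name, data in backups.items()}


def verify_backups(backups: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return backups that are missing or whose image no longer matches the manifest."""
    return [name for name, expected in manifest.items()
            if name not in backups or sha256_hex(backups[name]) != expected]


# Constructed flow records: the last three are policy violations.
SAMPLE_FLOWS = """
# src,dst,proto,dport
10.0.2.10,10.0.3.21,tcp,502
10.0.2.10,10.0.3.22,tcp,44818
10.0.3.21,10.0.3.22,udp,2222
10.0.1.55,10.0.3.21,tcp,502
10.0.3.21,10.0.3.22,tcp,44818
10.0.3.22,198.51.100.7,tcp,25
""".strip().splitlines()

# Constructed Structured Text program images standing in for real PLC backups.
GOOD_BACKUPS: Dict[str, bytes] = {
    "plc-chlorine": b"IF level > 50.0 THEN chlorine_pump := FALSE; END_IF;\n",
    "plc-storage": b"IF reserve < 1000.0 THEN intake_valve := TRUE; END_IF;\n",
}
TAMPERED_BACKUPS: Dict[str, bytes] = dict(GOOD_BACKUPS)
TAMPERED_BACKUPS["plc-chlorine"] = b"chlorine_pump := TRUE;\n"  # unexpected change

if __name__ == "__main__":
    for f in check_whitelist(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT non-whitelisted flow: {f.src}({zone_of(f.src)}) -> "
              f"{f.dst}({zone_of(f.dst)}) {f.proto}/{f.dport}")
    manifest = build_manifest(GOOD_BACKUPS)
    print("tampered or missing backups:", verify_backups(TAMPERED_BACKUPS, manifest))
```

Run against real data, the flow records would come from a span port or firewall log and the manifest would be written by the same job that pulls program backups from the controllers; the point of hashing at backup time is that a changed image on the PLC shows up as a mismatch before anyone needs to restore from it.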

Ransomware has evolved through the years and could be poised to affect the vast majority of our critical infrastructures. The good news is that this threat will be minimized as asset owners monitor their ICS networks and use best practices when securing their systems while vendors provide common sense security solutions on their devices.

Dr. Raheem Beyah, a native of Atlanta, Ga., is the Motorola Foundation Professor and Associate Chair for Strategic Initiatives and Innovation in the School of Electrical and Computer Engineering at Georgia Tech where he leads the Communications Assurance and Performance Group (CAP) and is a member of the Institute for Information Security & Privacy (IISP) and the Communications Systems Center (CSC). He is also a co-founder of Fortiphyd Logic, which provides security solutions for industrial control systems.