How dangerous is Snake/Ekans for industrial plants?

How dangerous is the recently discovered ransomware Snake/Ekans, which targets industrial plants? Although the malware does not attack ICS processes directly, it is still dangerous for critical infrastructures and OT systems.


At the end of January, a new ransomware family called Snake (also written Ekans) was identified; it allegedly contained a kill list to terminate certain ICS processes. I reported on this ransomware in the German blog post Snake/EKANS-Ransomware Werk von Cyber-Kriminellen. Based on what was known at the time, the ransomware appeared to be designed to disrupt industrial processes by directly targeting industrial control system (ICS) equipment.

However, security researchers at Claroty, a specialist in industrial cyber security, have since found that this is not the case. So is there reason to relax? Unfortunately not: the increasing convergence of IT and industrial networks means there is a risk of massive disruption whenever an attack on IT systems spills over into production facilities (spillover effect). Claroty's researchers observed exactly this kind of "collateral damage" during NotPetya and WannaCry.

No communication with ICS devices

Unlike ICS-specific malware such as Triton and Industroyer, Snake does not communicate with industrial control system (ICS) devices and cannot change their logic or tag values, because it does not (currently) speak the necessary industrial communication protocols. However, the strong presence of ICS processes in the Snake kill list (see my blog post above) indicates that the ransomware does have ICS processes in its sights.

The main difference, according to Claroty's analysts, is that Snake does not attempt to disrupt such processes by targeting ICS devices directly. Rather, the ransomware casts a much wider net, targeting companies' entire IT networks. Many of these networks are connected to ICS networks and therefore to ICS processes. Consequently, any damage to ICS processes is likely to be a by-product of the ransomware encrypting human-machine interface (HMI) configuration files and/or other IT files that are critical to ICS processes.

In light of this, Snake/Ekans should be taken as a serious warning that the convergence of IT and ICS/OT has created serious security risks, the researchers write. Even though the malware cannot communicate with ICS devices over OT protocols, it can still affect the availability, safety and reliability of ICS processes because of the way many IT and ICS/OT networks in industrial companies and critical infrastructures are architected.


And it may be a sign of things to come in industrial cyber security: "While most ransomware campaigns have so far focused on IT systems, we believe that operational technology (OT) systems are increasingly at risk as corporate networks converge with industrial networks and attackers look for alternative means of extorting companies. Rather than endangering data, new variants of this malware are designed to disrupt the operation of systems and, in the worst case, to compromise human safety," said Dave Weinstein, CSO of OT security specialist Claroty.

Recommendations for risk minimization

The Claroty research team recommends the following steps to proactively reduce the risk from Snake, other ransomware or destructive malware:

  • Network segmentation: Network segmentation is a critical element in protecting an ICS network. The researchers recommend restricting communication between network segments according to their criticality and the traffic they genuinely need to exchange. This limits how far malware and attackers can spread within the ICS network.
  • Data security: Frequent backups are essential, and copies should always be kept offline in a safe place. Keeping multiple backups of particularly sensitive data in different locations and testing restores against different attack scenarios is also beneficial.
  • Software and firmware updates: Since ransomware is often distributed via exploit kits, ensure that all operating systems, software versions, plug-ins and browsers on the network are routinely patched and updated.
  • User guidelines: User privileges should be restricted using a least-privilege approach, so that only selected, trusted users can access, install and modify applications. This significantly limits the execution and/or spread of malware within the network. It is also advisable to enable User Account Control (UAC) to prevent unauthorized changes to user rights.
  • Network management: Ensure that firewalls are properly configured and kept up to date, that unused ports are monitored and closed, and that unused protocols are blocked.
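To make the segmentation and firewall advice concrete, here is an added example (not code from the original post or from Claroty) that checks exported flow records against a zone policy for an IT/OT boundary: each zone is an address range, only the cross-zone flows a plant genuinely needs are allow-listed, SMB/NetBIOS is refused across any boundary regardless, and everything else crossing a boundary is reported as a violation. The zone ranges, host roles, ports and the flow records are constructed for illustration and are not taken from the post.

```python
"""Zone-based flow policy check for an IT/OT boundary.

Added example, not code from the original post or from Claroty. Zone
layout, allow-list entries and the sample flows are constructed for
illustration; adapt them to your own address plan and data flows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout (Purdue-style): corporate IT, an OT DMZ holding the
# historian and a jump host, and the control network with PLCs and HMIs.
ZONES = {
    "it":      ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz":  ipaddress.ip_network("10.2.0.0/24"),
    "ot_ctrl": ipaddress.ip_network("10.3.0.0/24"),
}

# Allow-list of cross-zone flows: (src_zone, dst_zone, proto, dst_port).
# Any flow crossing a zone boundary that is not listed here is denied.
ALLOWED = {
    ("it",     "ot_dmz",  "tcp", 443),   # IT clients read the historian's web UI
    ("it",     "ot_dmz",  "tcp", 3389),  # engineers RDP to the DMZ jump host only
    ("ot_dmz", "ot_ctrl", "tcp", 3389),  # jump host -> engineering workstation
    ("ot_dmz", "ot_ctrl", "tcp", 502),   # DMZ historian polls Modbus/TCP from PLCs
}

# Ports that must never cross a zone boundary, allow-list or not. SMB and
# NetBIOS are the usual lateral-movement path for ransomware spillover.
BLOCKED_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Classify one flow record as 'allow', 'deny' or 'unknown-zone'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"      # an address outside the plan deserves a look
    if src_zone == dst_zone:
        return "allow"             # intra-zone traffic is outside the boundary policy
    if (flow.proto, flow.dst_port) in BLOCKED_PORTS:
        return "deny"
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOWED:
        return "allow"
    return "deny"


def violations(flows: List[Flow]) -> List[Flow]:
    """Return every flow that crosses a boundary without being allowed."""
    return [f for f in flows if evaluate(f) != "allow"]


# Constructed flow records, as you might export them from NetFlow or a firewall log.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),    # IT -> historian web: allowed
    Flow("10.1.5.20", "10.3.0.15", "tcp", 445),    # IT -> control net over SMB: blocked
    Flow("10.1.5.21", "10.3.0.15", "tcp", 3389),   # IT -> HMI RDP, bypassing the jump host
    Flow("10.2.0.10", "10.3.0.15", "tcp", 502),    # historian -> PLC Modbus: allowed
    Flow("10.3.0.15", "10.1.5.20", "tcp", 80),     # control net -> IT: not allowed outbound
    Flow("192.168.9.9", "10.3.0.15", "tcp", 502),  # source in no defined zone
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"{evaluate(f):13} {f.src} -> {f.dst} {f.proto}/{f.dst_port}")
```

The allow-list is deliberately small and directional: IT never reaches the control network directly, and the control network initiates nothing towards IT. Running the check over real flow exports shows where the "spillover" paths that the researchers warn about actually exist, and the deny rules map directly onto the firewall rules the network management item asks for.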

Tips for the case of a ransomware infection

In the case of an infection, the goal is to minimize the damage. The following measures contribute to this:

  • Identify, quarantine and remove infected assets: Immediately disconnecting affected systems from the network can prevent the ransomware from spreading to shared drives and connected systems.
  • Determine the infection vector: To recover cleanly from backups, you need to know which backups to restore and from which point in time. This usually depends on when the attacker first entered the network. Attackers are known to infiltrate networks days or even weeks before the encryption phase begins and the ransom demand appears, in order to reach as many systems as possible.
  • Notify employees: Make sure employees know that a ransomware attack has occurred or is in progress. Everyone must act according to the incident response plan so that the security of data and assets is maintained or restored.

In addition, the data encrypted by the ransomware must be restored:

  • Determine a safe time: Establish when the ransomware entered your ICS network. Restore the last clean files from a backup taken just before that date.
  • Restore infected systems: If a production database or industrial application has been infected, use backup solutions that can boot an image or virtual machine within minutes, while taking precautions to minimize the impact on business processes.
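The "determine a safe time" step hides a trap: a backup taken after the attacker gained a foothold but before encryption started looks intact, yet may already carry the attacker's tooling. The following added example (not code from the original post or from Claroty) encodes the recovery rules above as a small recovery-point selector: it labels each backup in a catalog as clean, suspect or encrypted relative to the incident timeline, applies a safety margin for uncertainty about when initial access really happened, and picks the latest clean copy that was kept offline and has a successful test restore. The incident timeline and the backup catalog are constructed for illustration.

```python
"""Choosing a clean recovery point after a ransomware incident.

Added example, not code from the original post or from Claroty. The
incident timeline and the backup catalog below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    name: str
    taken: datetime
    offline: bool    # stored offline / unreachable from the network when the attack ran
    verified: bool   # a test restore of this copy has succeeded


@dataclass(frozen=True)
class Incident:
    initial_access: datetime     # earliest attacker activity found during triage
    encryption_start: datetime   # when files started being encrypted


def classify(b: Backup, inc: Incident, margin_hours: float = 0.0) -> str:
    """Label one backup relative to the incident timeline.

    'clean'     : taken before initial access, minus a safety margin
    'suspect'   : taken after initial access but before encryption; it may
                  already contain the attacker's tooling or persistence
    'encrypted' : taken once encryption had begun
    """
    margin = timedelta(hours=margin_hours)
    if b.taken >= inc.encryption_start:
        return "encrypted"
    if b.taken >= inc.initial_access - margin:
        return "suspect"
    return "clean"


def choose_recovery_point(backups: List[Backup], inc: Incident,
                          margin_hours: float = 0.0) -> Optional[Backup]:
    """Latest clean, offline, verified backup; None if no such copy exists."""
    candidates = [b for b in backups
                  if classify(b, inc, margin_hours) == "clean" and b.offline and b.verified]
    return max(candidates, key=lambda b: b.taken, default=None)


# Constructed incident: the attacker had a foothold for nine days before encrypting.
INCIDENT = Incident(initial_access=datetime(2020, 2, 1, 3, 15),
                    encryption_start=datetime(2020, 2, 10, 1, 0))

# Constructed backup catalog for an HMI server; nightly jobs at 02:00.
CATALOG = [
    Backup("hmi-2020-01-25", datetime(2020, 1, 25, 2, 0), offline=True,  verified=True),
    Backup("hmi-2020-01-31", datetime(2020, 1, 31, 2, 0), offline=True,  verified=True),
    Backup("hmi-2020-02-01", datetime(2020, 2, 1, 2, 0),  offline=False, verified=True),
    Backup("hmi-2020-02-05", datetime(2020, 2, 5, 2, 0),  offline=True,  verified=True),
    Backup("hmi-2020-02-10", datetime(2020, 2, 10, 2, 0), offline=True,  verified=True),
]

if __name__ == "__main__":
    for b in CATALOG:
        print(f"{b.name}  {classify(b, INCIDENT, margin_hours=2):9}  "
              f"offline={b.offline}  verified={b.verified}")
    chosen = choose_recovery_point(CATALOG, INCIDENT, margin_hours=2)
    print("restore from:", chosen.name if chosen else "no clean offline copy")
```

Two points are worth noting. The 2020-02-01 backup was taken an hour before the earliest attacker activity found in triage, but triage timelines are usually incomplete, so even a small margin turns it into a suspect copy; widening the margin pushes the recovery point further back, and if it pushes past the whole catalog the function returns None rather than a convenient but unsafe choice. The online copy is also excluded regardless of its timestamp, in line with the advice to keep backups offline.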

Some more background on Claroty, from which I received the statements and assessments above. Claroty closes the gap in industrial cyber security between IT and OT. This is particularly important for companies with highly automated production facilities and factories that are exposed to significant safety and financial risks.

Claroty's integrated IT/OT solutions enable companies and critical infrastructure operators to leverage their existing IT security processes and technologies to improve the availability, security and reliability of their OT assets and networks seamlessly and without downtime or dedicated teams. The results are higher availability and greater efficiency in all business and production processes.

Claroty is backed by leading industrial automation suppliers and used worldwide. The company is headquartered in New York and has raised $100 million in funding since its founding in 2015 through the start-up platform Team8.
