New KillDisk Malware brings Ransomware into the Industrial Domain
According to Phil Neray, VP of Industrial Cybersecurity & Marketing at CyberX, an ICS/SCADA security firm, CyberX’s threat intelligence research team uncovered new evidence that the KillDisk disk-wiping malware previously used in the cyber-attacks against the Ukrainian power grid has evolved into ransomware. Although the report concentrates on US industrial organizations, it is relevant to the Nigerian cyberspace, especially for the Financial and Telecommunication industries, which rely heavily on information technology (IT) and Operational Technology (OT) to drive their businesses.
OT is the use of computers to monitor or alter the physical state of a system. IT/OT convergence is the integration of information technology (IT) systems used for data-centric computing with operational technology (OT) systems used to monitor events, processes, and devices and make adjustments in enterprise and industrial operations.
By reverse-engineering the new variant, the CyberX team found that it displays a pop-up message (see Fig. 1 below) demanding 222 Bitcoins, approximately $206,000 at the time, in return for the decryption key. The malware encrypts both local hard drives and any network-mapped folders shared across the organization. It uses a hybrid scheme: each file is encrypted with its own AES key, and that per-file AES key is in turn encrypted with the attackers’ RSA 1028 public key, so the files cannot be recovered without the corresponding private key. The contact email uses a secure, anonymous email service (lelantos.org) to hide the identity of the attackers. The CyberX team believes the malware was distributed via malicious Office attachments.
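The following is an added illustration of the hybrid RSA-plus-per-file-AES construction described above; it is not code from the CyberX report or from the malware, and its on-disk layout, AES-GCM mode, OAEP wrapping and 2048-bit key size are assumptions chosen for the example rather than the parameters the report cites. The point for defenders is the last two lines of `main`: the public key embedded in a sample is enough to encrypt every file under a fresh key, but recovery requires the private key the attackers never ship.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the assumed on-disk result for one file: the per-file
// AES key wrapped under the attacker's RSA public key, the GCM nonce, and
// the ciphertext. Illustrative layout only, not KillDisk's real format.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptWithFreshKey encrypts one file under a random AES-256 key of its own
// and wraps that key with the RSA public key (OAEP). Only the public key is
// needed for this step, which is all the malware has to carry.
func EncryptWithFreshKey(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Decrypt unwraps the per-file key with an RSA private key and opens the
// ciphertext. With any key other than the one matching pub, the OAEP unwrap
// fails and no plaintext is recovered.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // stays with the attacker
	other, _ := rsa.GenerateKey(rand.Reader, 2048)    // any key a victim might try
	// Constructed sample plaintexts standing in for OT files.
	a, _ := EncryptWithFreshKey(&attacker.PublicKey, []byte("historian export 2016-12-12"))
	b, _ := EncryptWithFreshKey(&attacker.PublicKey, []byte("PLC ladder logic backup"))
	fmt.Println("distinct per-file wrapped keys:", string(a.WrappedKey) != string(b.WrappedKey))
	pt, _ := Decrypt(attacker, a)
	fmt.Println("attacker recovers:", string(pt))
	_, err := Decrypt(other, a)
	fmt.Println("victim without private key:", err)
}
```

Because every file carries its own AES key, there is no single symmetric key to recover from memory or disk that would unlock the whole share; the only master secret is the RSA private key, which is why tested offline backups, not sample analysis, are the realistic recovery path.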
This new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang, which was responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware.
Why Cybercriminals Are Now Targeting Industrial Networks
According to FBI estimates, ransomware is projected to be a $1B industry in 2016. The transition from destroying disks to encrypting them for ransom makes economic sense for industrial cybercriminals because it lets them monetize their attacks rather than merely performing cyber-sabotage. The same concerns apply to the Nigerian Financial and Telecommunication industries, which are increasingly automating their processes and operations.
Industrial organizations are excellent targets for ransomware because:
- When operational data upon which physical processes rely becomes unusable, this can lead to significant consequences including catastrophic damage to data center operations, service disruption/outages, customer disaffection, and loss of revenue.
- Industrial organizations can’t easily shut down network operations to prevent malware from spreading, because industrial processes themselves can’t easily be shut down.
- Enterprises are more likely to quietly pay the ransom because of concerns that going public with cyber attacks will invite greater scrutiny from regulators, and possibly fines.
- Operational Technology (OT) environments are often less mature than IT environments and, as a result, their data backup processes may not be sufficient to restore all required data.
- Employees who lack sufficient security awareness are more likely to open malicious documents delivered via phishing emails.
- As in the financial industry, where the focus has typically been on compliance with CBN regulations and standards such as PCI DSS and ISO 27001, organizations have tended to prioritise regulatory compliance over strengthening cybersecurity controls.
How organizations can protect themselves
Protecting your networks from sophisticated cybercriminals and nation-states requires a serious commitment from management to ratchet up your security controls. This is especially true as IT and OT networks are converging to support new initiatives such as Smart Banking, and Smart Services, increasing the likelihood of cyber attackers accessing critical industrial systems via the Internet or via careless employees on the IT network.
The following are recommendations to address the concerns raised in the foregoing:
- Ensure OT backup processes are monitored to make sure they’re functioning properly.
- Invest in continuous security awareness training for all employees.
- Segment OT networks as much as possible to prevent malware from spreading.
- Perform continuous risk assessments on OT networks to identify vulnerabilities such as unauthorized Internet and other remote connections, and unpatched devices and systems.
- Continuously monitor all OT network activity in real-time to identify behavioral anomalies indicating the presence of targeted threats and industrial malware.
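As an added example of the kind of behavioural check the last recommendation calls for, the block below flags any client host that changes the extension of several distinct files on a network share within a short window, which is the pattern a share-encrypting variant like the one described above produces. It is not code from the report or from any CyberX product; the audit-log format, share names, hostnames and thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed file-server audit lines (not real telemetry): UTC time,
// client host, operation, source path, "->", destination path.
const sampleAudit = `2016-12-13T09:00:01Z ws-eng-07 RENAME \\fs01\scada\hist\2016-12-10.csv -> \\fs01\scada\hist\2016-12-10.csv.locked
2016-12-13T09:00:02Z ws-eng-07 RENAME \\fs01\scada\hist\2016-12-11.csv -> \\fs01\scada\hist\2016-12-11.csv.locked
2016-12-13T09:00:02Z hmi-02 RENAME \\fs01\scada\reports\draft.docx -> \\fs01\scada\reports\weekly.docx
2016-12-13T09:00:04Z ws-eng-07 RENAME \\fs01\scada\cfg\plc4.l5x -> \\fs01\scada\cfg\plc4.l5x.locked
2016-12-13T09:00:05Z ws-eng-07 RENAME \\fs01\scada\cfg\plc5.l5x -> \\fs01\scada\cfg\plc5.l5x.locked
2016-12-13T09:00:09Z ws-eng-07 RENAME \\fs01\eng\drawings\p1.dwg -> \\fs01\eng\drawings\p1.dwg.locked
2016-12-13T09:30:00Z hmi-02 RENAME \\fs01\scada\reports\weekly.docx -> \\fs01\scada\reports\weekly.pdf`

type renameEvent struct {
	at       time.Time
	host     string
	src, dst string
}

// extOf returns the extension of a UNC or POSIX path, e.g. ".csv", or "".
func extOf(p string) string {
	name := p[strings.LastIndexAny(p, `\/`)+1:]
	if j := strings.LastIndex(name, "."); j >= 0 {
		return name[j:]
	}
	return ""
}

// parseRename returns ok=false for lines that are not well-formed RENAME records,
// so a malformed or truncated line cannot skew the count.
func parseRename(line string) (renameEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 6 || f[2] != "RENAME" || f[4] != "->" {
		return renameEvent{}, false
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return renameEvent{}, false
	}
	return renameEvent{at: t, host: f[1], src: f[3], dst: f[5]}, true
}

// FlagHosts returns, sorted, the hosts that changed the extension of at least
// threshold distinct files within some sliding window of the given length.
// Renames that keep the extension (ordinary user activity) are ignored.
func FlagHosts(audit string, window time.Duration, threshold int) []string {
	perHost := map[string][]renameEvent{}
	for _, line := range strings.Split(audit, "\n") {
		ev, ok := parseRename(strings.TrimSpace(line))
		if !ok || extOf(ev.src) == extOf(ev.dst) {
			continue
		}
		perHost[ev.host] = append(perHost[ev.host], ev)
	}
	var flagged []string
	for host, evs := range perHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && evs[j].at.Sub(evs[i].at) <= window; j++ {
				distinct[evs[j].src] = true
			}
			if len(distinct) >= threshold {
				flagged = append(flagged, host)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, h := range FlagHosts(sampleAudit, time.Minute, 4) {
		fmt.Printf("ALERT: %s changed the extension of 4+ files within 60s (ransomware-like)\n", h)
	}
}
```

On the constructed log only `ws-eng-07` is flagged: `hmi-02` renames files too, but one rename keeps the `.docx` extension and the other is a single `.docx` to `.pdf` change, so it never reaches the threshold. In production the same rule should be fed from the file server's own audit stream and tuned per share, since a legitimate batch conversion job can also produce a burst of extension changes.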
Source: New KillDisk Malware Brings Ransomware Into Industrial Domain, http://www.thesecurityblogger.com/new-killdisk-malware-brings-ransomware-into-industrial-domain/