ICS Systems Targeted by Seven Different Families of Ransomware

FireEye has published the results of a rather interesting study, according to which financially motivated attackers (commonly referred to as cybercriminals), having already targeted home users and enterprise IT systems, are increasingly extending their attacks to systems that are important in industrial process control.

The researchers divided the ransomware targeting ICS systems into two groups according to which industrial processes the ransomware tries to shut down before it encrypts files. The six extortion viruses in the first group try to stop the processes of about a thousand types of industrial software: SNAKE (aka SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and the ransomware known as Nefilim. The second group consists of the CLOP ransomware alone, which targets 1425 industrial processes.

Processes targeted by ICS ransomware include products from the following vendors: GE Proficy, Siemens (SIMATIC WinCC product family), Beckhoff TwinCAT, National Instruments data acquisition solutions, Kepware KEPServerEX, and systems using the OPC communication protocol.
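The pre-encryption behaviour described above, a burst of ICS-related process terminations on one host, is something a defender can watch for. The following Python sketch is an added example, not code from FireEye or from this article: it reads constructed "process terminated" log lines in an assumed `timestamp host= event= image=` format and raises an alert when several watchlisted process images die on the same host within a short window. The process names in the watchlist are constructed placeholders, not real vendor binaries; a deployment would fill the list from its own asset inventory.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# CONSTRUCTED placeholder names; replace with the ICS software actually
# running on the monitored hosts (taken from the asset inventory).
ICS_WATCHLIST = {"scada_server.exe", "hmi_runtime.exe", "opc_gateway.exe", "historian.exe"}

# Assumed log line shape: "<ISO timestamp> host=<name> event=ProcessTerminate image=<path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=ProcessTerminate image=(?P<image>.+)$")

# Constructed sample events: HMI-01 loses three watchlisted processes in 4 seconds
# (plus an unrelated notepad.exe); ENG-02 loses two, hours apart.
SAMPLE_LOG = """\
2020-07-01T08:00:01 host=HMI-01 event=ProcessTerminate image=C:\\Vendor\\hmi_runtime.exe
2020-07-01T08:00:02 host=HMI-01 event=ProcessTerminate image=C:\\Vendor\\opc_gateway.exe
2020-07-01T08:00:03 host=HMI-01 event=ProcessTerminate image=C:\\Windows\\notepad.exe
2020-07-01T08:00:04 host=HMI-01 event=ProcessTerminate image=C:\\Vendor\\scada_server.exe
2020-07-01T09:30:00 host=ENG-02 event=ProcessTerminate image=C:\\Vendor\\historian.exe
2020-07-01T11:45:00 host=ENG-02 event=ProcessTerminate image=C:\\Vendor\\opc_gateway.exe
"""

def parse_line(line):
    """Return (timestamp, host, lowercase image basename) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["image"].rsplit("\\", 1)[-1].lower()

def detect_kill_bursts(lines, threshold=3, window_seconds=60):
    """Sliding-window detector: one alert per host when `threshold` or more watchlisted
    processes terminate within `window_seconds`. Lines are assumed time-ordered."""
    window = timedelta(seconds=window_seconds)
    recent, alerted, alerts = {}, set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] not in ICS_WATCHLIST:
            continue
        ts, host, image = rec
        dq = recent.setdefault(host, deque())
        dq.append((ts, image))
        while dq and ts - dq[0][0] > window:   # drop events older than the window
            dq.popleft()
        if len(dq) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, dq[0][0], ts, [img for _, img in dq]))
    return alerts

if __name__ == "__main__":
    for host, first, last, images in detect_kill_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {len(images)} ICS processes killed between {first} and {last}: {images}")
```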

Although previous ransomware attacks had raised the theory that ransomware was being deployed specifically to target ICS systems, the FireEye researchers found no evidence of this; in their view, the attackers identified the ICS systems by accident while mapping the victim organizations' systems.

Be that as it may, it has now become clear that extortion virus attacks against ICS systems are not unique, isolated cases but an emerging trend. Having recognized in the 2010s that ICS systems are not immune to cyber attacks, we must now accept that extortion viruses have entered the world of ICS systems: not only will they not stay out of process control systems, they are expected to attack these systems more and more frequently, exploiting known security vulnerabilities. Why? Obviously the sheer amount of money that can be extorted by compromising the availability of systems that are essential for operations and business continuity, or simply the safety aspects of specific ICS systems, is a strong enough motivator.