Proof-of-concept ransomware locks up the PLCs that control power plants

In Out of Control: Ransomware for Industrial Control Systems, three Georgia Tech computer scientists describe their work to develop LogicLocker, a piece of proof-of-concept ransomware that infects the programmable logic controllers that are used to control industrial systems like those in power plants.

The researchers attacked two common PLC models (they found over 1,500 such PLCs exposed and unprotected on the Internet), and showed that they could create a "cross-vendor worm" that hopped from one kind of PLC to another. PLCs are notoriously insecure (they are known to fail to "properly authenticate programming log-ins"), so the researchers had good reason to think they could penetrate the devices.

They argue that ransomware perpetrators stand to earn big returns by targeting PLCs, and recommend some pretty basic security countermeasures: changing default passwords, using a firewall, and running an intrusion-detection system.

The proof-of-concept attack developed here for the testbed illustrated in Figure 2 takes the simpler approaches to the steps in the ransomware cycle. First, it is assumed that an attacker has either brute-forced a weak password on an Internet-facing Modicon M241 or stolen legitimate credentials, and has loaded it with LogicLocker. LogicLocker then scans the internal network for vulnerable PLCs to infect further. The primary locking aspects of LogicLocker are achieved when the vulnerable PLCs, Modicon M221 and MicroLogix 1400, are reprogrammed with new passwords, locking legitimate users out of the official programming software. For the encryption stage, the attacker manually encrypts the stolen program on his own machine using standard encryption and a key generated for this victim. In the negotiation stage, the attacker using LogicLocker sends an email from his own computer to the victim notifying them of the compromise. If the ransom is paid by the ultimatum, the attacker gives the victim a program that will reload the original programs, but if it is not paid he threatens to dump harmful amounts of chlorine into the water supply. To maximize chances of success, before notifying the victim of compromise LogicLocker first allows the level of the water in the storage tank to get low while sending false level readings to the operators. Therefore, given the choice between paying and attempting a recovery, the victim also has to consider the effects of waiting too long and running completely out of clean water. Future versions of LogicLocker will use the PLC's own email client to send this ransom note. Finally, once the victim pays, the attacker sends the victim a tool that decrypts the original PLC program and reloads it onto the victim PLC. Table VIII summarizes the pieces of LogicLocker, describing each of the general steps in an ICS ransomware attack. Video demonstrations explaining the setup [2] and the attack [1] can also be found online.
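The attack chain quoted above has a defender-side counterpart: the intrusion-detection step the researchers recommend. The example below is added here and is not code from the paper or the post; it flags the three network-visible stages of that chain (password brute force against an exposed PLC, PLC-to-PLC connections on programming ports, and a program write or password change from a host that is not the engineering workstation) over a constructed event log. The asset inventory, IP addresses and event names are invented; the Modbus/TCP (502) and EtherNet/IP (44818) port numbers are standard.

```python
"""Detect LogicLocker-style stages in constructed ICS event records (illustrative, not the paper's code)."""
from collections import defaultdict

# Constructed asset inventory: stand-ins for the M241, M221 and MicroLogix 1400 in the testbed.
PLCS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
ENGINEERING_WS = {"10.0.1.50"}          # the only host allowed to program PLCs
PROGRAMMING_PORTS = {502, 44818}        # Modbus/TCP, EtherNet/IP
FAILED_LOGIN_THRESHOLD = 5

# Constructed event log: (src_ip, dst_ip, dst_port, event). 203.0.113.7 is a documentation-range "Internet" host.
EVENTS = [("203.0.113.7", "10.0.1.10", 502, "auth_fail")] * 5 + [
    ("203.0.113.7", "10.0.1.10", 502, "auth_ok"),        # weak password finally guessed
    ("10.0.1.10", "10.0.1.11", 502, "connect"),          # infected M241 scans the internal network
    ("10.0.1.10", "10.0.1.12", 44818, "connect"),
    ("10.0.1.10", "10.0.1.11", 502, "set_password"),     # locks legitimate users out
    ("10.0.1.50", "10.0.1.12", 44818, "program_write"),  # legitimate engineering change, no alert
]


def detect(events, plcs=PLCS, eng_ws=ENGINEERING_WS, ports=PROGRAMMING_PORTS,
           threshold=FAILED_LOGIN_THRESHOLD):
    """Return (alert_type, src, dst) tuples, in event order, for traffic aimed at PLCs."""
    alerts = []
    fails = defaultdict(int)      # (src, dst) -> consecutive failed logins
    plc_pairs_seen = set()        # dedupe PLC-to-PLC alerts per (src, dst)
    for src, dst, port, event in events:
        if dst not in plcs:
            continue
        if event == "auth_fail":
            fails[(src, dst)] += 1
            if fails[(src, dst)] == threshold:
                alerts.append(("brute_force", src, dst))
        elif event == "auth_ok" and fails[(src, dst)] >= threshold:
            alerts.append(("login_after_brute_force", src, dst))
        # A PLC should never act as a client to another PLC's programming port.
        if src in plcs and port in ports and (src, dst) not in plc_pairs_seen:
            plc_pairs_seen.add((src, dst))
            alerts.append(("plc_to_plc_programming_port", src, dst))
        # Program downloads and password changes only ever come from the engineering workstation.
        if event in {"program_write", "set_password"} and src not in eng_ws:
            alerts.append(("unauthorized_" + event, src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Falsified tank-level readings, the fourth stage of the chain, are not visible at this layer and need a process-level plausibility check against an independent sensor.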

Out of Control: Ransomware for Industrial Control Systems [David Formby, Srikar Durbha and Raheem Beyah/Georgia Tech]

A New Type of Malware Can Lock Power Plant Computers For Ransom [Lorenzo Franceschi-Bicchierai/Motherboard]