In Out of Control: Ransomware for Industrial Control Systems, three Georgia Tech computer scientists describe their work to develop LogicLocker, a piece of proof-of-concept ransomware that infects the programmable logic controllers that are used to control industrial systems like those in power plants.
The researchers attacked two common PLC models (they found over 1,500 of these models, unprotected and available for attack online), and showed that they could create a "cross-vendor worm" that hopped from one kind of PLC to another. PLCs are notoriously insecure (they are known to fail to "properly authenticate programming log-ins"), so they had good reason to think they could penetrate the devices.
They argue that ransomware perpetrators stand to earn big returns by targeting PLCs, and recommend some pretty basic security countermeasures: changing default passwords, using a firewall, and running an intrusion-detection system.
The proof of concept attack developed here for the testbed illustrated in Figure 2 takes the simpler approaches to the steps in the ransomware cycle. First, it is assumed that an attacker has either brute forced a weak password on an Internet facing Modicon M241 or stolen legitimate credentials, and has loaded it with LogicLocker. LogicLocker then scans the internal network for vulnerable PLCs to infect further. The primary locking aspects of LogicLocker are achieved when the vulnerable PLCs, Modicon M221 and MicroLogix 1400, are reprogrammed with new passwords, locking legitimate users out of the official programming software. For the encryption stage, the attacker manually encrypts the stolen program on his own machine using standard encryption and a key generated for this victim. In the negotiation stage the attacker using LogicLocker sends an email from his own computer to the victim notifying them of the compromise. If the ransom is paid by the ultimatum, the attacker gives the victim a program that will reload the original programs, but if it is not paid he threatens to dump harmful amounts of chlorine into the water supply. To maximize chances of success, before notifying the victim of compromise LogicLocker first allows the level of the water in the storage tank get low while sending false level readings to the operators. Therefore, given the choice between paying and attempting a recovery, the victim also has to consider the effects of waiting too long and running completely out of clean water. Future versions of LogicLocker will use the PLC’s own email client to send this ransom note. Finally, once the victim pays, the attacker sends the victim a tool that decrypts the original PLC program and reloads it on to the victim PLC. Table VIII summarizes the pieces of LogicLocker, describing each of the general steps in an ICS ransomware attack. Video demonstrations explaining the setup  and the attack  can also be found online.
Out of Control: Ransomware for Industrial Control Systems [David Formby, Srikar Durbha and Raheem Beyah/Georgia Tech]
A New Type of Malware Can Lock Power Plant Computers For Ransom [Lorenzo Franceschi-Bicchierai/Motherboard]