{"id":25751,"date":"2021-02-02T12:15:48","date_gmt":"2021-02-02T04:15:48","guid":{"rendered":"https:\/\/version-2.com\/?p=25751"},"modified":"2022-03-07T12:20:07","modified_gmt":"2022-03-07T04:20:07","slug":"how-you-should-prevent-ransomware-attacks-on-your-industrial-networks","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2021\/02\/how-you-should-prevent-ransomware-attacks-on-your-industrial-networks\/","title":{"rendered":"How You Should Prevent Ransomware Attacks On Your Industrial Networks"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This Week, Ransomware Slams Westrock & Other industrial Organizations<\/strong><\/p>

Earlier this week, the operations at $17 billion packaging firm WestRock<\/a> were disrupted by a ransomware attack that impacted both its IT and OT (operational technology) networks. Two days later, a massive $27 billion chain operator Dairy Farm Group<\/a> was also attacked by ransomware, with the attackers demanding a $30 million ransom. Those are just a sample of successful ransomware attacks from this week alone.<\/p>

Since the outbreaks of Wannacry & NotPetya<\/a> ransomware attacks in 2017, we’ve been witnessing daily occurrences of attacks affecting OT networks that originated in the IT side. The U.S. National Security Agency (NSA) also highlighted this issue<\/a> for this very simple reason. It works.<\/p>

Ransomware Works<\/strong><\/p>

That\u2019s the simplest way to explain why incidents of ransomware attacks have sharply increased over the last year \u2014 with no end in sight. The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent this year, downtime is up by 200 percent and the average cost per incident is on the rise, according to a recent report<\/a> from PurpleSec.<\/p>

Threat actor groups with names such as Ryuk<\/a>, Egregor, Conti, Ragnar Locker, and many others are ruthless, well-funded and are willing to target anyone; from COVID-19 vaccine manufacturers, automotive manufacturers<\/a>, critical infrastructure, governments and hospitals to get their payday. In fact, the first ransomware related death<\/a> happened this past September, when a German hospital was infected with ransomware and couldn’t treat patients during the Covid-19 outbreak.<\/p>

As part of SCADAfence\u2019s mission to protect the lives and safety of civilians, we\u2019ve put together this guide to help you prevent ransomware in your industrial organization.<\/p>

The Ransomware Encryption Process<\/strong><\/p>

Let\u2019s go back to the beginning, and discuss how these attacks encrypt systems in the first place.<\/p>

From the previous ransomware attacks we\u2019ve researched, we learned that from the minute the attackers get initial access, they can encrypt the entire network in a matter of hours. In other cases attackers would spend more time in assessing which assets they want to encrypt and they\u2019d make sure they get to key servers such as storage and application servers.<\/p>

Most of the recent ransomware attacks you\u2019re reading about in the news try to terminate antivirus processes to make sure that their encryption process will go uninterrupted. Recent ransomware variants such as SNAKE<\/a>, DoppelPaymer and LockerGoga<\/a> even went further by terminating OT related processes like Siemens SIMATIC WinCC, Beckhoff TwinCAT, Kepware KEPServerEX, and the OPC communications protocol. This made sure the industrial process was interrupted, and this increased the chances that the victims paid the ransom. These types of ransomware attacks were seen in the recent attacks of Honda and ExecuPharm<\/a>.<\/p>

\"OT<\/span><\/p>

Diagram #1 – An OT Security Challenge: Industrial Components Exposed to Encryption<\/strong><\/p>

From what we\u2019ve seen, ransomware generally encrypts Windows and Linux machines. We still haven\u2019t seen any PLCs being encrypted. However, many industrial services are run on Windows \/ Linux machines – such as Historians, HMIs, Storage, Application Servers, Management Portals and OPC Client\/Servers.<\/p>

In many cases, ransomware operations would not stop in the IT network, and will also attack OT segments. More encrypted devices means a higher monetary ransom demand from the attackers.<\/p>

Organizations must be able to monitor & detect threats across the IT\/OT boundary in order to effectively identify risks before reaching process-critical end-points.<\/p>

\"Ransomware<\/p>

Diagram #2 – Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial Networks\u00a0<\/strong><\/p>

Some of the tools and techniques that ransomware operators are using are on the same level that nation-state threat actors are using on targeted espionage campaigns.<\/p>