Ransomware Slams Westrock & Other Industrial Networks

Earlier this week, the operations at $17 billion packaging firm WestRock were disrupted by a ransomware attack that impacted both its IT and OT (operational technology) networks. Two days later, a massive $27 billion chain operator Dairy Farm Group was also attacked by ransomware, with the attackers demanding a $30 million ransom. Those are just a sample of successful ransomware attacks from this week alone. 

Since the outbreaks of Wannacry & NotPetya ransomware attacks in 2017, we've been witnessing daily occurrences of attacks affecting OT networks that originated on the IT side. The U.S. National Security Agency (NSA) also highlighted this issue for this very simple reason. It works.

 

Ransomware Works

That’s the simplest way to explain why incidents of ransomware attacks have sharply increased over the last year — with no end in sight. The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent this year, downtime is up by 200 percent and the average cost per incident is on the rise, according to a recent report from PurpleSec.

Threat actor groups with names such as Ryuk, Egregor, Conti, Ragnar Locker, and many others are ruthless, well-funded, and are willing to target anyone; from COVID-19 vaccine manufacturers, automotive manufacturers, critical infrastructure, governments, and hospitals to get their payday. In fact, the first ransomware-related death happened this past September, when a German hospital was infected with ransomware and couldn't treat patients during the Covid-19 outbreak. 

As part of SCADAfence’s mission to protect the lives and safety of civilians, we’ve put together this guide to help you prevent ransomware in your industrial organization. 

 

The Ransomware Encryption Process

Let’s go back to the beginning, and discuss how these attacks encrypt systems in the first place.

From the previous ransomware attacks we’ve researched, we learned that from the minute the attackers get initial access, they can encrypt the entire network in a matter of hours. In other cases, attackers would spend more time in assessing which assets they want to encrypt and they’d make sure they get to key servers such as storage and application servers.

Most of the recent ransomware attacks you’re reading about in the news try to terminate antivirus processes to make sure that their encryption process will go uninterrupted. Recent ransomware variants such as SNAKE, DoppelPaymer, and LockerGoga even went further by terminating OT-related processes like Siemens SIMATIC WinCC, Beckhoff TwinCAT, Kepware KEPServerEX, and the OPC communications protocol. This made sure the industrial process was interrupted, and this increased the chances that the victims paid the ransom. These types of ransomware attacks were seen in the recent attacks of Honda and ExecuPharm.

 

OT Security Challenges with Ransomware

Diagram #1 - An OT Security Challenge: Industrial Components Exposed to Encryption

 

From what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines - such as historians, HMIs, storage, application servers, management portals, and OPC client/servers.

In many cases, ransomware operations would not stop in the IT network, and will also attack OT segments. More encrypted devices mean a higher monetary ransom demand from the attackers.

Organizations must be able to monitor & detect threats across the IT/OT boundary to effectively identify risks before reaching process-critical endpoints, such as the Freeport LNG plant explosion.

 

Ransomware Prevention in Industrial Networks

Diagram #2 - Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial Networks 

 

Some of the tools and techniques that ransomware operators are using are on the same level that nation-state threat actors are using on targeted espionage campaigns.

 

TTPs in Ransomware Slide-1
Diagram #3 - Tactics, Techniques & Procedures Most Commonly Used in Ransomware Attacks

 

We recommend that organizations practice these common security procedures to minimize their risk of ransomware infection on each step of the kill chain:

Initial Access:

    1. RDP

      1. If possible, replace RDP with a remote access solution that requires two-factor authentication, many VPNs now support that. This will require attackers to be verified by, for example, a code sent via SMS.

      2. If you choose to still use RDP, make sure its Windows Update is enabled and is working.

    2. Email Phishing

      1. Educate the organization’s employees about phishing attacks. Employees should be suspicious of emails that don’t seem right and not click on suspicious links.

      2. Install an anti-phishing solution.

    3. Software Vulnerabilities of Internet-Facing Servers

      1. Scan your organization’s IP range from outside the network. Verify that all exposed IP/ports are what you expect them to be.

      2. Make sure that automatic security updates are enabled for your exposed services. If one of your services (such as web servers, for example) does not have that feature, consider changing it to a similar one that has this feature.

Protect Your OT Network

Lateral Movement:

1. Firewalls & Windows Update

Enable firewalls on all of your workstations and servers.

Make sure that Windows Update is enabled. This will ensure that your machines will be patched for the latest vulnerabilities and will also be less prone to lateral movement techniques. Microsoft constantly updates their security policies and their firewall rules.

One good example is that they disabled the remote creation of processes using the task scheduler ‘at’ command.

2. Endpoint Protection

Endpoint protection works. Beyond blocking classic hackers’ techniques, some also have defenses against ransomware and will protect your assets from encryption.

 3. OT Network Segmentation

Ideally, you would want to minimize the risk of your industrial network being impacted  when suffering a ransomware attack.

       a. To the possible extent, separate the IT network from the OT network segment. Monitor and limit the access between the segments.

        b. Use different management servers to the OT and IT networks (Windows domains, etc). By doing so, compromising the IT domain will not compromise the OT domain.

4. Constant Network Monitoring

A constant network monitoring platform (we happen to know a really good one), will help you identify threats while analyzing network traffic and will help you see the bigger picture of what’s happening in your network.

5. Data Exfiltration

Monitor your network for unusual outbound traffic. Everyday user activity should not generate uplink activity higher than about 200MB/daily per user. With network security monitoring in place, your assets are better protected from a cyber attack.

 

The SCADAfence Ransomware Attack Solution

We provide a comprehensive solution - The SCADAfence’s platform which was built to protect industrial organizations like yours from industrial cyberattacks (including ransomware). It also helps you implement better security practices amongst its built-in features. Some of these include:

Asset Management 
Network Maps
Traffic Analyzers

These tools will help your organization to implement better network segmentation, to make sure that your firewalls are functioning properly, and that every device in the OT network is communicating only with the ones that they should be communicating with. You will also be able to spot assets that are not where they're supposed to be, for example, forgotten assets in the DMZ.

The platform, which is also the highest-rated OT & IoT security platform, also monitors the network traffic for any threats, including ones that are found in typical ransomware attacks; such as:

Security exploits being sent across the network.
Lateral movement attempts using the latest techniques.
Network scanning and network reconnaissance.

In an event of a security breach, SCADAfence’s detailed alerts will help you to contain these threats as quickly as possible. Ultimately, we built this tool to help industrial organizations to understand their attack surface, to implement effective segmentation and constant network monitoring for any malicious or anomalous activity.

 

Video: The Anatomy of a Targeted Ransomware Attack:

We’d like to share with you a true story of our recent incident response to an industrial ransomware cyberattack. SCADAfence’s incident response team assists companies in cybersecurity emergencies. In this video, we will review a recent incident response activity in which we took part. This research has been published with the goal of assist organizations to plan for such events and reduce the impact of targeted industrial ransomware in their networks.

For more detailed information on this story, we prepared a full whitepaper here.

Additional credits: Yossi Reuven and Michael Yehoshua have also contributed to this comprehensive guide.

 

Related resources: