Authored by: Galina Antova, Co-Founder and Chief Business Development Officer of Claroty
As information technology (IT) and operational technology (OT) converge, ransomware becomes a growing concern for those tasked with defending industrial control systems (ICS), who must now understand the current ransomware landscape from an OT-centric perspective.
More than three years into the aftermath of NotPetya, ransomware tactics have evolved substantially, and they will continue to evolve. This blog offers insight into this ongoing evolution, as well as the current state of ransomware threats to OT.
Ransomware Threats Have Grown Increasingly Targeted
Over the past several years, ransomware attacks have grown increasingly targeted, while the opportunistic “spray-and-pray” approach of arbitrarily infecting victims with self-propagating ransomware has largely fallen out of favour among threat actors. This strategic pivot may be a response to many organisations’ efforts to minimise attack surfaces following NotPetya and WannaCry, which epitomise the opportunistic approach to ransomware.
As noted by Claroty VP of Research Amir Preminger in a blog post earlier this year, a targeted approach to ransomware infection can significantly extend the shelf life of an exploitable vulnerability by making it more difficult to determine how the ransomware entered the victim’s network in the first place. Strategic targeting also enables attackers to focus on organisations with deep pockets and a low tolerance for operational disruption, thus increasing the likelihood of ransom demands being met. An apparent example of this approach in action was the highly disruptive ransomware attack against Honda in June, which is suspected to have involved the Snake ransomware, detailed in depth on The Claroty Blog earlier this year. The attack disrupted global operations, including manufacturing processes, thus demonstrating how a more deliberate infection strategy can culminate in highly damaging attacks.
Ransomware Threats Are Not Confined to Your Organisation's IT Environment
In retrospect, the June 2017 NotPetya attack can be seen as a watershed moment for OT security. Although it presented a ransom note, NotPetya behaved as a wiper: its encryption was not reversible in practice, so paying offered no recovery. Widely regarded as the costliest and most destructive cyber attack in history, its global impact on OT environments across a broad range of industries served as a wake-up call for many CISOs and other decision makers who had mistakenly assumed ransomware threats were confined to the IT realm.
In reality, a successful ransomware attack can have devastating impacts on OT. Earlier this year, steel giant EVRAZ was hit hard by the Ryuk ransomware strain, bringing down plant operations at numerous sites across the U.S. and Canada. The ransomware attack halted manufacturing processes to such an extent that EVRAZ issued temporary layoffs to plant workers, and third-party trucking companies servicing the company’s facilities reported disruptions in freight flows.
Digitisation a Driving Force Behind OT Ransomware Risk
As digitisation becomes the new standard, cyber risk evolves in a manner specific to the operations of each sector, thus necessitating more stringent industry standards for security. To cite a specific example, the FBI issued an advisory to trucking companies in July, warning of the industry's growing susceptibility to ransomware attacks. In recent years, the trucking industry has increased its potential exposure to cyber threats through the ongoing digitisation of its operations, including widespread adoption of tools such as GPS, AI-centric systems, and electronic logging devices (ELDs). The FBI advisory emphasised the potential for ELDs, which connect to both back-office systems and vehicle networks, to serve as a path for lateral movement between trucking companies' IT and OT environments, with plausible impacts ranging from data exfiltration to life-threatening manipulation of vehicular functions.
In August, less than a month after the FBI advisory was issued, Canadian courier Canpar Express became the latest trucking company to fall victim to a ransomware attack, resulting in disruptions to its shipping operations and moving services. In addition to causing operational disruptions, the attackers also leaked several internal documents with the threat of releasing additional material—exemplifying the ability of cyber attacks to span an organisation’s IT and OT systems.
ICS Vulnerability Research and OT Network Segmentation are Key to Preventing OT Ransomware Infections
Within the cybersecurity community, there is ongoing discourse speculating when another ransomware attack will match, or even exceed, the scale and impact of the havoc wrought by NotPetya in 2017. But it's important to remember that NotPetya, along with its close predecessor, WannaCry, would not have been possible without the perfect storm created by the April 2017 leak of EternalBlue, a wormable SMBv1 exploit attributed to the National Security Agency. Microsoft had patched the underlying flaw (MS17-010) in March 2017, but a large population of systems remained unpatched and exposed SMB (TCP 445). This public disclosure placed a secret cyberweapon into the hands of malicious actors, enabling widespread, opportunistic infection: WannaCry scanned indiscriminately for reachable SMB services, and NotPetya combined the exploit with stolen credentials and legitimate administration tools (PsExec and WMIC) to move laterally across entire networks, patched hosts included.
Given the fundamental role of vulnerabilities in enabling ransomware attacks against OT and other environments, Claroty has emerged as a leader in the broader effort to discover and help remediate security flaws present within ICS products—detailed in depth in our ICS Risk & Vulnerability Report for the first half of 2020. Just last week, six critical vulnerabilities in Wibu-Systems’ CodeMeter were disclosed after being uncovered by Claroty researchers. The discovered vulnerabilities could potentially be exploited by an attacker to remotely deploy ransomware within a targeted OT network.
More often than not, improper segmentation between once-separate IT and OT environments is a key enabler of OT ransomware infections. As such, initiatives to ensure your organisation's OT network and assets are isolated from IT in a manner that aligns with the Purdue Model and other segmentation best practices (such as the zones and conduits of IEC 62443, with an industrial DMZ brokering all traffic between enterprise and OT levels) can be a highly effective means of blocking the lateral spread of ransomware and other malware from IT to OT. Segmentation only holds, however, if cross-boundary traffic is continuously checked against the conduits that were actually approved.
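The kind of check described above, as an added example that is not Claroty's code nor part of the original post: a small Python audit that maps each end of a network flow to a Purdue level, allows only explicitly approved conduits across zone boundaries, and flags enterprise-to-OT traffic that bypasses the industrial DMZ or uses ports associated with ransomware lateral movement. The address ranges, conduit allow-list and flow records are constructed for illustration and are not drawn from any real site.

```python
"""Audit network flows against a Purdue-style IT/OT segmentation policy.

Added example, not Claroty's code. The zone map, conduit allow-list and
sample flow records are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed zone map: (network, zone name, Purdue level).
# Levels 4/5 = enterprise IT, 3.5 = industrial DMZ (iDMZ), 3 and below = OT.
ZONES = [
    (ipaddress.ip_network("10.0.0.0/16"), "enterprise", 4.0),
    (ipaddress.ip_network("10.1.0.0/24"), "idmz", 3.5),
    (ipaddress.ip_network("10.2.0.0/24"), "site_ops", 3.0),
    (ipaddress.ip_network("10.3.0.0/24"), "supervisory", 2.0),
    (ipaddress.ip_network("10.4.0.0/24"), "control", 1.0),
]

# TCP ports commonly used by worms and ransomware operators to move laterally
# (RPC, NetBIOS, SMB, RDP, WinRM).
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}

# Approved conduits across zone boundaries, IEC 62443 style:
# (source zone, destination zone, destination port). Constructed.
CONDUITS = {
    ("enterprise", "idmz", 443),        # business users reach the historian replica
    ("idmz", "site_ops", 1433),         # replica pulls from the site historian
    ("idmz", "site_ops", 3389),         # hardened jump host into level 3
    ("site_ops", "supervisory", 4840),  # OPC UA from site operations to HMI/SCADA
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> Tuple[Optional[str], Optional[float]]:
    """Return (zone name, Purdue level) for an address, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, name, level in ZONES:
        if addr in net:
            return name, level
    return None, None


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None."""
    src_zone, src_level = zone_of(flow.src)
    dst_zone, dst_level = zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "endpoint outside any known zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this audit
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return None  # explicitly approved conduit
    # Rule 1: enterprise and OT may only talk through the iDMZ, never directly.
    if (src_level >= 4 and dst_level <= 3) or (src_level <= 3 and dst_level >= 4):
        return f"direct {src_zone}->{dst_zone} traffic bypasses the iDMZ"
    # Rule 2: lateral-movement protocols must not cross a boundary into OT,
    # even from the iDMZ, unless a conduit above says otherwise.
    if dst_level <= 3 and flow.proto == "tcp" and flow.dport in LATERAL_PORTS:
        return f"lateral-movement port {flow.dport} crossing into {dst_zone}"
    # Rule 3: default deny for any other cross-zone traffic.
    return f"no approved conduit for {src_zone}->{dst_zone}:{flow.dport}"


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,dst,dport,proto' lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def audit(text: str) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair that violates the policy."""
    findings = []
    for flow in parse_flows(text):
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed flow records (for example, exported from a firewall or NetFlow).
SAMPLE_FLOWS = """\
# src,dst,dport,proto
10.0.5.20,10.1.0.10,443,tcp
10.1.0.10,10.2.0.15,1433,tcp
10.0.5.20,10.2.0.15,445,tcp
10.1.0.10,10.2.0.15,445,tcp
10.2.0.15,10.3.0.40,4840,tcp
10.0.7.9,10.3.0.40,3389,tcp
192.168.77.1,10.4.0.2,502,tcp
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed records, the audit passes the two approved iDMZ conduits and the OPC UA hop inside OT, and flags the rest: an enterprise workstation talking SMB straight into level 3, SMB from the iDMZ into level 3 (no conduit covers it), an enterprise host opening RDP to a supervisory node, and a Modbus session from an address that belongs to no zone at all. In practice the zone map and conduit list would be generated from the site's asset inventory rather than typed by hand, and the unknown-zone finding is often the most useful one, since it surfaces devices nobody knew were on the network.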
By bringing attention to OT vulnerabilities and helping to remediate them before attackers have the opportunity to exploit them, Claroty aims to help reduce the frequency with which disruptive ICS ransomware incidents make headlines.