Organisations affected by ransomware should always be prepared that compromised files will be made public once the malware hits. The data contained in these files will resurface at some point, somewhere, someday. A novel example of this is the “Doppel Leaks” website, which has launched a ‘test mode’ that seeks to shame victim organisations of the DoppelPaymer ransomware attacks by publishing stolen files as proof. Although it’s the first website dedicated to publicly shaming victims, it’s not the first ransomware to leverage the shaming angle.
While some theories suggest ransomware attacks are used simply to cover the tracks of larger underlying operations, such as a supply-chain attack or financial fraud, encrypting data to extort money is the ultimate aim. Most industrial plants have limited ‘sensitive’ data that would be of value to adversaries, so ‘public shaming’ gives them the extra leverage they need to apply sufficient pressure to their victims in forcing them to pay up.
Such methods can prove highly effective because it is not about the type or sensitivity of the data, but the power of possessing and being able to expose it. Exposed data from a plant would be just as effective at influencing the victim as data from HQ. Its role isn’t to hack or defraud directly, but to serve as proof that someone was hacked and is in a position of subsequent vulnerability.
Changing the IT vs OT paradigm
Primarily, these attacks are focused on file encryption, rather than worrying about the potential damage of shutting down or stopping systems connected to real-world devices. In fact, attackers are often unaware they’re in an ICS environment. All they know – or all they’re concerned with – is shutting down OT/IoT systems. And it can be disastrous to passengers on the train they’ve caused to derail, or the inhabitants of the town next to a burning chemical plant. For the purposes of stealing money, attackers are ruthless. So much so, they’re willing to put lives at risk.
This paradigm causes corporate budgets to escalate the protection of sensitive IT data and exclude OT environments from their financial plans. They spend the big bucks on protecting data because of its sensitivity as measured by Confidentiality, Integrity, and Availability (the classic C-I-A Triad), but not necessarily safety. This approach also undervalues the sensitivity of organisational data when considered within this new context of file leaking and public shaming. This thought process needs to change.
The ICS environment should be treated as being as critical to brand protection as the ‘sensitive’ data held at a “higher level.” At present however, the corporate budget is as much as 100 times higher for securing the latter. The sooner organisations acknowledge that attackers are willing to target the C-level or the plant to get data suitable for blackmail, extortion, and public shaming, the better for their security posture and operational continuity.
Moving towards IT/OT convergence
Large IT organisations, or anyone who has spent time in a SOC, will attest that there’s always an open security incident. Somewhere, somehow, something is in need of disinfection, or forensic analysis. It’s no longer a matter of preventing hacks, it’s about being cyber-resilient: a constant state of effective recovery. This change in perspective can inform a shift in strategy that reflects a new level of security awareness.
Rather than assuming the perimeter security is impenetrable, organisations would instead invest in technology to answer questions like:
- What tools will we need for our forensic investigation?
- What did the environment look like before the attack?
- Where did the attack start?
- What lateral movement did the attackers take?
- What machines were involved?
- Where might the attackers be hiding within my network?
- Were any other attacks or methods leveraged that could be other indicators of compromise?
- What can be done to harden the target?
(And most importantly):
- Did the attack affect the process, or is the process at risk?
Once you consider that ransomware doesn’t discriminate – that it can operate across IT, IoT and ICS environments – it’s critical you use a tool capable of working across the technology spectrum in order to effectively track attacks and the ransomware as it hops across heterogeneous environments.
Additionally, operators of ICS systems have the extra responsibility of considering the real-world implications of a ransomware attack, so they need to quickly ensure that the OT systems are unscathed during an incident. Having the best possible tools in place before an incident happens will reduce the overall recovery time, recovery effort and costs, minimise the blast radius, and could deny exfiltration of the data.
Due to the escalation of tactics used by the attackers, which elevates the criticality of otherwise benign plant-level data (as described above), the threat of ransomware from an IT standpoint is higher than it’s ever been. From an OT standpoint, it’s become a more common risk than in previous years, when incidents like Stuxnet were few and far between. Only three years ago, showing a presentation slide with the most common OT cyberattacks was brand new information to most plant engineers. Today however, ransomware is debilitating entire cities and making headlines across every major news outlet. There’s no way the conversation can continue to be ignored. If operators do continue to bury their heads in the sand, adversaries will continue to exploit their ignorance.
Chris Grove, product evangelist, Nozomi Networks