With recent world events, ransomware is a foremost concern in cybersecurity.    RagnarLocker has made headlines after compromising 52 critical infrastructure entities.  Additive manufacturing equipment, while not a traditional target of ransomware, is not immune from these threats. Here we demonstrate simple ransomware that is easily implemented by abusing a built-in function of Marlin and substituting a graphical menu.  Last week we demonstrated an attack on additive manufacturing file integrity.  This post pertains to the availability category.

A mocked up ransom note was created using a Google Slide and the link turned into a QR code.  Marlin has a utility to assist developers in creating custom menus for the types of graphical displays most commonly used (non touch screen, encoder wheel navigation).  This is how the ransomware note QR image is converted into the C code needed to replace the Lulzbot logo in the boot sequence.

What makes Marlin so ubiquitous is the fact that multiple Hardware Access Layers (HAL’s) are supported once a configuration has been created in an IDE.  This means that Marlin is able to be run on many different physical hardware components – AVR, STM32 and Arduino to name a few.  In this thought experiment we are using Visual Studio to configure the C code blocks to match our physical hardware and enable locking a user out of their own device via misuse of a “dormant” library containing locking functionality meant to be used for access control.  Once configured – which is just a few steps more difficult than uncommenting that block, we will use the Marlin AutoBuild VSCode Extension to compile our compromised firmware.  This process is simple, removing the need for specific AM knowledge.

A slight modification of this would make the QR code stay on the screen and not change to the password input.  Users would assume this is a built-in diagnostics message and not think twice about scanning the QR code.  This is a problem as the machine maintainer has now accessed an untrusted third-party site where further exploitation could occur.

Ransomware attacks diminish trust in the environment. Regardless of whether or not a ransom is paid, at some point an intrusion occurred and significant labor costs are associated with tracking down the ingress that allowed exploitation to occur via computer forensics. Once located patches need to be applied or created. All of this causes significant disruption in the manufacturing processes reliant on the now compromised devices.  Interested in protecting your manufacturing operations against OT targeted ransomware?  Want to avoid missing delivery of critical client deadlines due to cyber intrusion?  Contact BreakPoint Labs for more information about how BISON can secure your manufacturing networks!

If you are interested in learning more about securing AM or a demonstration of the BISON capability, please contact us at info@breakpoint-labs.com.