Ransomware as a Service
Today we are seeing an emergence of several ransomware-as-a-service (RaaS) offerings affecting industrial control systems, and specifically critical manufacturing. These RaaS offerings ride on the backs of other popular commercially available adversary products, such as Cobalt Strike, which provide hard-to-detect persistence mechanisms (beacons) that give command and control (C2) of a victim host. Once persistence is gained and C2 is established, RaaS will delete credential files, bypass or disable Windows Defender, and attempt to encrypt the files used by services in order to hold host machines hostage. The eventual cost comes via messages on the host machine: the user must provide money, usually in the form of cryptocurrency, to get a key to unlock the system. If the user does not pay, or attempts to tamper with the malware, the files will be lost forever.
There are many variants of ransomware, including non-RaaS ones. In March 2022 CISA released advisories regarding two specific threat groups: Conti and AvosLocker.
Conti has been observed since 2020. All versions of Microsoft Windows are known to be affected. Recent Conti leaks have given a glimpse into the inner workings of the group. More of a business than a band of hackers, they structure themselves with a CEO, manager, and around 60 programmers/operatives performing actions on the hostage box and negotiating ransoms.
Their methods are aggressive in their attempts to brute force hashes and passwords, yet they are well equipped with methods of evading antivirus software. Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence. The leaked “playbook” the Conti actors employ provided a glimpse into their methodologies. They use tools already available on the victim network, but their persistence means they are able to add tools as necessary: Mimikatz, Windows SysInternals, and even the Trickbot malware variant have all been observed in Conti operations and corroborated by the playbook.
The AvosLocker variant has been known to target the Financial Services, Critical Manufacturing, and Government Facilities sectors. Similar to Conti, this RaaS group handles the transactions for the affiliates who have contracted their services. They also prefer to use already available tools on a victim network, but have employed: Cobalt Strike, encoded PowerShell scripts, PuTTY, rclone, WinLister, and many other tools which can be downloaded through persistence mechanisms.
Recently this variant has added Linux to its Windows infection catalog. This means that Linux devices are now in scope for attack. It can often be identified by the file extension “.avos”, “.avos2”, or “AvosLinux” and presents the message seen below.
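As an added example (not code from the CISA advisories or from this article), a small defender-side check that flags files carrying the AvosLocker extensions named above and reports directories where several such files appeared within a short window, which is the mass-renaming pattern a detector should key on rather than a single stray file. The file listing is constructed, and the window and threshold values, as well as treating "AvosLinux" as a dotted extension, are assumptions.

```python
import os
from collections import defaultdict

# Extensions the advisory text attributes to AvosLocker-encrypted files.
# "AvosLinux" is quoted without a leading dot; matching it as a
# case-insensitive extension is an assumption of this example.
AVOS_EXTENSIONS = {".avos", ".avos2", ".avoslinux"}

# Constructed sample listing: (path, modification time, seconds since epoch).
SAMPLE_LISTING = [
    ("/srv/hmi/config/plant.ini.avos", 1_647_000_000),
    ("/srv/hmi/config/alarms.db.avos", 1_647_000_003),
    ("/srv/hmi/config/trend.csv.avos2", 1_647_000_005),
    ("/home/op/notes.txt.AVOSLINUX", 1_647_000_010),
    ("/srv/hmi/config/readme.txt", 1_646_900_000),
    ("/var/log/syslog", 1_647_000_004),
]


def has_avos_extension(path: str) -> bool:
    """True if the file name ends in one of the AvosLocker extensions."""
    return os.path.splitext(path)[1].lower() in AVOS_EXTENSIONS


def find_encrypted_files(listing):
    """Return every path in the listing that carries an AvosLocker extension."""
    return [path for path, _ in listing if has_avos_extension(path)]


def encryption_bursts(listing, window_s=60, min_files=3):
    """Map directory -> count for directories where at least `min_files`
    flagged files were written within any `window_s`-second span.
    Thresholds are assumed values; tune them to the host's normal churn."""
    by_dir = defaultdict(list)
    for path, mtime in listing:
        if has_avos_extension(path):
            by_dir[os.path.dirname(path)].append(mtime)
    bursts = {}
    for directory, times in by_dir.items():
        times.sort()
        # Slide a window over the sorted mtimes; report the first burst found.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= min_files:
                bursts[directory] = j - i
                break
    return bursts
```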
As of March 2022 the US Department of Justice (DoJ) has released indictments against 4 Russian threat actors running 2 campaigns that directly attacked US critical infrastructure. The first indictment attributes to an employee of an institute affiliated with the Russian Ministry of Defense a campaign spanning several years in which the threat actors gained access to a foreign government’s oil refinery and installed Triton malware in order to disable safety systems. They then pivoted to a US company, which they attempted, ultimately unsuccessfully, to compromise.
The second indictment charges 3 computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Military Unit 71330 or “Center 16” of the Federal Security Service (FSB), with violating U.S. laws related to computer fraud and abuse, wire fraud, aggravated identity theft and causing damage to the property of an energy facility. The attacks came in two phases: first targeting supply chains in the US energy sector by compromising the networks of providers of industrial control system/supervisory control and data acquisition (ICS/SCADA) systems, then hiding their malware in software updates distributed by those companies. In the second phase they transitioned to more targeted compromises that focused on specific energy sector entities and on individuals and engineers who worked with ICS/SCADA systems. These attacks targeted US companies and 135 other countries.
How RaaS affects manufacturing
Efficient manufacturing facilities are often complex. This complexity presents problems when it comes to security. Complex operations require many silos within an organization, each with their own automation, including shop floor, personnel scheduling, supplier relations, purchasing, engineering, product planning, sales forecasting and more. As a rule, all these automation systems are interconnected. Timely, reliable data has become the lifeblood of efficient manufacturing and many business functions are using and interconnected with cloud-based systems.
As a result, in many IEC 62443-compliant businesses, the distinction between Internet-based, business-critical, and manufacturing-critical systems has blurred. The issue begins with the fact that Internet-based and Internet-connected networks (often dubbed the “enterprise network”) are much more exposed to targeted ransomware and other cyber attacks than manufacturing networks should ever be.
What Can Be Done?
Blurring the lines between Internet, business and manufacturing systems can be a major source of attack exposure. This problem is often inherent to IT/OT integration and cloud connectivity initiatives. IT/OT integration, digital transformation, and the Industrial Internet of Things are all happening at an increased pace. These terms, however, fail to capture the complexity of the ecosystem of a factory or the complexity of that ecosystem’s data exchanges.
An understanding of factory operations is critical to better securing manufacturing networks. That understanding requires visibility into, and monitoring of, those interconnected devices and the points at which they connect to Internet-connected systems.