Ransomware is not new, but it has become a growing tool of choice for the cybercrime community in the last few years, capturing headlines for the widespread and brazen way it is installed and holds victims' data hostage. Yet little is being said about the business model behind these attacks. Ransomware and its larger family of distributed cybercrime have evolved, giving cybercriminals a more organized, sophisticated way to wreak havoc and make money. This business model lets cybercriminals attack many victims in the same campaign. It is proving costly, and in the right situation a lethal nuisance.
What is Distributed Cybercrime and Why Does it Matter?
This commercialization of cybercrime is due to the lower barrier to entry: you don't need massive computational power for brute-force attacks or deep knowledge of cybersecurity or cryptography to be effective. Easy-to-use tools are readily available on the dark web and can generate a substantial revenue stream with little skill or effort. This has driven professional cybercriminals to develop malware that runs on professional platforms and distribution services to attack the world. They don't know who their victims are, nor do they care. It is the perfect, automated, money-making machine for criminals, offering an ease of use and ROI that is too good to pass up.
- They are low-effort attacks targeting individuals or organizations with sub-par security
- They are low-skill attacks as little knowledge or experience is required compared to techniques such as spear-phishing — just plain phishing works for weak targets
- Highly sought-after zero-day vulnerabilities are no longer required for lucrative attacks — mainstream CVE vulnerabilities with known exploits and existing patches will do, because many victims don't patch regularly
- Any standard endpoint is a potential source of revenue, making complicated lateral movement toward the crown jewels irrelevant
- When you attack the world, the sky is the limit — the amount of potential profit is endless
How exactly would this type of cybercrime impact a manufacturing plant or other critical infrastructure? It doesn't take much to dupe an unsuspecting victim and install the malware. An innocuous-looking email or website visited by a staff member can be all it takes to compromise a facility in seconds. From consumers to critical operations like hospitals — nobody seems immune from the ransomware threat. Cyber events of the last few years have shown that what used to be thought of as a problem for individuals should now be a concern for security programs at enterprises and critical infrastructure organizations alike.
Critical Infrastructure is Not Immune
Recently a trio of researchers demonstrated that ransomware can be used to take over industrial control systems (ICSs). A proof of concept (PoC) study conducted by a team at Georgia Tech examined an attack on hypothetical systems of a water treatment plant, but the lessons learned apply to any facility that uses ICSs.
The researchers went after programmable logic controllers (PLCs) with weak authentication using a cross-vendor worm dubbed “LogicLocker,” as it was able to take over different kinds of PLCs, jumping from one to its networked neighbor. They could take control of the compromised device, lock out legitimate users and make their demands — with the threat of dumping chlorine into the water supply if the terms of the ransom weren’t met.
Thankfully, LogicLocker was developed by academics as a PoC to alert organizations and the public to a looming threat. But it could just as easily have been a team of professional hackers out for a big payday. Beyond the ransom, the potential costs of having critical services disrupted — not to mention the risk to public safety — could have been significant, with widespread ramifications.
In another recent, similar example, researchers at the Politecnico di Milano demonstrated the ability of hackers to successfully execute an attack on an IRB 140 industrial robot arm manufactured by ABB, a Swedish-Swiss company that sells products for the utility, transportation and infrastructure industries. While the effect they caused was small — making the robot draw a very wiggly line instead of a straight one — it could result in serious damage if the robot were wielding a welding tool instead of a stylus. The researchers reported that 83,673 robots of this make are exposed to this kind of attack, with the entire class of similar machines presumably representing a much larger number in use around the world.
Preparing for Distributed Cyberattacks
Networked systems are complex, and attackers have all the time in the world to study and understand them. Plant management doesn't. Don't assume the state-of-the-art security system in place for IT networks has visibility into the operational technology that is nonetheless connected to it.
To safeguard against distributed as well as targeted attacks, you need visibility of your entire attack surface, including IT, ICS and SCADA networks, and assurance that baseline security standards are met throughout your organization. From that fundamental visibility, you can start to see your network as an attacker would, finding the paths of least resistance so you can harden your defenses.
In the meantime, you might want to check the authentication strength on any internet-connected programmable logic controllers you have lying around, just in case the next attack isn’t by three do-gooders from Georgia or Italian polytechnic researchers.
Tal Sheffer is the Chief Technology Officer of Skybox Security.