Operational technology (OT) is a highly attractive target for malicious agents. In charge of controlling and monitoring highly complex systems at industrial facilities, OT processes can make or break entire operations. The loss can easily be in the millions.
That’s why there is always a race to develop powerful cybersecurity platforms such as Julie Security. Industrial facilities demand the best protection possible, something that’s easy to understand if we take into consideration the many, evolving threats out there.
In more recent news, the cybersecurity industry has witnessed how ransomware operations are notably trying to hit OT systems. Experts have found that seven different ransomware families include instructions to kill around 2,500 processes, a notable share of them related to OT.
By ransomware, we are referring to the type of malware that threatens to encrypt, block, steal, delete, and, sometimes, publish the victim’s data unless a determined ransom is paid. The malicious agent delivers, along with the successful attack, a ransom note specifying the amount to be paid and how, most of the type relying on cryptocurrency to complete the extortion.
At Julie Security, we take threats to OT seriously. Our experts keep up with the latest developments in cybersecurity and, as a result, we want our readers to understand their implications as well.
The Evidence
The seven ransomware families recently observed showed two process-kill lists that included close to 2,500 targeted processes in total.
The first process-kill list includes a few dozen processes directly linked to ICS, particularly affecting GE Proficy solutions. Now, the second list is resolute in affecting OT, including around 150 processes related to multiple ICS products.
What does this mean? The fact that multiple families of ransomware are including these processes at their kill lists is a red flag to all of us working with industrial facilities. It may mean that ransomware operators are consciously targeting OT systems in a more conscious, organized way.
It is also being said that the fact that these ICS-related processes come up when studying ransomware may be purely coincidental, the result of asset scanning. However, even if this is true, it continues to be a sounding alarm of the threat we are facing.
CLOP Ransomware
CLOP ransomware, a high-profile cybersecurity threat that we have addressed before on our blog, is also linked to this story.
The second process-kill list found, the one including around 150 OT-related processes, is being only used by CLOP ransomware. This piece of malicious software, linked to Russian operators, poses a bigger problem to industrial facilities.
The processes found in the first list are somehow “harmless”, unable to affect or put a halt to critical activities within OT. However, the second list indicates to be more harmful. The processes included in this second list, if killed, have the potential to generate more serious troubles: partial or full loss in production visualization and control.
Protecting Our Industries
By blocking ineffective security software from doing its job and killing key processes, ransomware often finds its way into complex systems, disrupting operations, and encrypting valuable data for profit.
Ransomware, like much other malicious software out there, continues to develop further. The cybersecurity firms and platforms, as Julie Security, are part of a restless race that never ends. Malicious agents will continue to invest in their destructive tools to inflict damage and collect benefits.
Understanding how the known threats are evolving is an essential step towards creating and implementing robust security layers for our industrial facilities. In this case, ransomware operators are telling us to be ready.
