Ransomware attacks are the number one cyber risk for utilities and critical infrastructure worldwide. Detecting malicious activities during the preparation phase of an attack to prevent disruption and spreading is at the heart of any cybersecurity strategy.
The recent ESXiArgs ransomware attack on VMware servers has shaken companies worldwide. This latest widespread cyber incident not only underscores the risk every company faces through supply chain compromise; it also shows that the concept of "100% security" is long gone.
One reason is that the increasing reliance on third-party services and vendors will always leave a security gap, because the security of those components lies outside the control of the company deploying them. In fact, companies can never be sure what security level a software or hardware component has, or whether it has any at all. This is particularly true in critical infrastructure and industrial environments, where components and systems of the operational technology (OT) networks continue to lack security features or are built on insecure-by-design frameworks with still-to-be-discovered zero-day vulnerabilities. At the same time, they face a threat landscape of more than 247 million malware-type threats per year [1].
Isn’t ransomware just for IT?
System integration, (I)IoT applications and the connection of OT to IT networks expose these insecure industrial systems and components to the entire threat landscape known from IT. This overlap makes OT at least as vulnerable as IT, if not more so.
Given the reality outlined above, when a ransomware attack hits an industrial company there is a good chance that industrial processes will be affected. For critical infrastructure in particular, this can trigger disastrous (e.g. societal, political) fallout. Furthermore, in January 2023 the Anonymous sub-chapter GhostSec announced that they were able to encrypt a remote terminal unit (RTU) that runs in industrial networks. These new developments make targeted ransomware attacks on OT networks a very real risk.
Aren’t ransomware attacks too fast to detect?
Ransomware attacks are perceived as almost instantaneous: suddenly, all computers are encrypted and all data is lost. That perception may have been true in the past, when the malware was delivered to a computer through a booby-trapped email attachment and would start encrypting the computer right away.
Nowadays, ransomware attacks are more sophisticated and proceed in stages. The crypto malware may be packaged as a worm (i.e. with replication capabilities) and communicate with a command and control server hosted on a public IP address. This strategy allows attackers to carefully plan their attack and optimize their return on investment. They:
- upload additional cracking tools,
- download and analyze company data to assess its value, use it for blackmail or sell it on the black market (if negotiations fail),
- explore the network for further threat propagation, and
- infect as many devices as possible before triggering the encryption.
This process of preparation can run over days or months.
It is during that period that a network intrusion detection system (NIDS) has its chance to detect the attacker's preparatory activities, particularly at the early stages of the cyber kill chain, during internal reconnaissance and lateral movement. This early detection, built on the paradigm of OT visibility, enables operators to stop the attack before it disrupts systems and services.
We'll explain how OT monitoring with anomaly detection helps to identify these ransomware attack activities in part 2 of this blog post, coming soon.
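As an added illustration of the detection window described above (example code written for this edit, not the original post's or any vendor's), here is a small baseline-deviation check in Python over constructed flow records. OT traffic is normally static, so the check learns a set of normal (source, destination, port) triples and flags two preparatory-phase patterns: a host contacting an address outside the site's internal ranges (possible command and control) and a host fanning out to many new internal destinations (internal reconnaissance). The network ranges, hosts and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data. Site-internal ranges of a hypothetical OT network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Baseline learned during a quiet period: (src, dst, dst_port) triples seen as normal.
BASELINE = {
    ("10.0.1.10", "10.0.1.20", 502),    # HMI polling a PLC over Modbus/TCP
    ("10.0.1.11", "10.0.1.20", 502),
    ("10.0.1.20", "10.0.2.5", 44818),   # historian pull over EtherNet/IP
}

# Constructed flows from a later window: baseline traffic plus suspicious activity.
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502),
    ("10.0.1.11", "10.0.1.20", 502),
    ("10.0.1.20", "10.0.2.5", 44818),
    ("10.0.1.30", "203.0.113.7", 443),  # engineering workstation -> unknown external host
] + [("10.0.1.30", f"10.0.1.{n}", 445) for n in range(21, 27)]  # same host probing six peers


def is_internal(ip):
    """True if the address lies inside one of the configured site ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, baseline=BASELINE, fanout_threshold=5):
    """Return alert tuples for flows that deviate from the learned baseline.

    Rule 1: any non-baseline flow to an address outside INTERNAL_NETS.
    Rule 2: a source that opens non-baseline flows to >= fanout_threshold
            distinct internal destinations within the window.
    """
    new_internal_dsts = defaultdict(set)
    alerts = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue  # known-good traffic, nothing to report
        if not is_internal(dst):
            alerts.append(("external_destination", src, dst, port))
        else:
            new_internal_dsts[src].add(dst)
    for src, dsts in new_internal_dsts.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("internal_fanout", src, len(dsts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

On the constructed flows the check raises exactly two alerts, both for the engineering workstation 10.0.1.30: one external destination and one internal fan-out of six hosts.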