The Next Disruptive ICS Attacker: A Ransomware Gang?

4 years ago Craig Young

OT networks often rely on Windows systems for a range of ICS applications, including HMIs, historians, and data gateways. Beyond that, the IT networks associated with these plants are also commonly built on Windows.

A successful ransomware deployment into either network may prevent engineers from controlling plant operations and force an unplanned shutdown. This imposes an immediate cost on the organization through lost productivity. In the worst case, an unplanned shutdown can cause physical failures that damage equipment and endanger lives. The resulting downtime can span many months, depending on the system: specialized industrial equipment often cannot be replaced from stock and can take months to produce.

How the Malware is Deployed

Ransomware may find its way onto an ICS network through a variety of routes. As in any other organization, it may start with phishing attacks targeting employees; phishing will typically attempt either to install malware or to steal remote access credentials. Another common technique is for an attacker to compromise an industry website and implant malware or exploits there. When unsuspecting engineers browse to the site or download software from it, the attacker gains access to their systems in what is known as a watering hole attack. From that initial point of infection the attacker can move laterally and deliver ransomware to critical targets.

Exploits against VPN portals or other externally exposed IT infrastructure may also provide the beachhead for a ransomware deployment. This is what happened at a manufacturing plant in Italy earlier this year, which was infiltrated through a vulnerable FortiGate VPN server. The attackers exploited CVE-2018-13379, a path traversal flaw in the FortiGate SSL VPN web portal that exposes the session file containing plaintext credentials, and then used those credentials to reach a Windows system through the VPN. Next, Mimikatz was used to harvest further credentials and move laterally through the network until a Domain Admin account was compromised. The Domain Admin privileges were then used to push Cobalt Strike to hosts across the network. Once sufficient access had been obtained, the ransomware itself was deployed to the compromised hosts. In addition to encrypting files, the malware stopped services in order to disrupt backups and remote maintenance. With encryption complete, it left a note demanding two bitcoin to restore access to the data.
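The chain above leaves two telltale traces a defender can look for: the path traversal request against the VPN portal at the start, and the commands that disable backups and shadow copies just before encryption. The following Python script is an added example, not code from the original article or from Tripwire, showing detection logic for both. The access log is assumed to be a common-log-format export from a proxy in front of the VPN portal (FortiGate's native logs are key=value and would need a different parser), the process events are modelled on Sysmon event 1 / Windows 4688 command lines, and the list of backup-related service names is an assumption; all sample lines are constructed.

```python
"""Detection logic for two stages of the chain described above: a CVE-2018-13379
path-traversal request against the FortiGate SSL-VPN portal, and the backup
tampering ransomware performs just before encryption.
All log lines and events below are constructed for illustration, not real captures."""
import re
from urllib.parse import parse_qs, urlparse

# Stage 1: the publicly documented CVE-2018-13379 request asks /remote/fgt_lang for a
# 'lang' value that walks up the tree to /dev/cmdb/sslvpn_websession, the session file
# holding plaintext VPN credentials. Any '..' in that parameter is hostile.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)

# Constructed sample; assumed to be a CLF export from a proxy in front of the portal.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jun/2021:08:14:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4122
203.0.113.7 - - [10/Jun/2021:08:14:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 64239
198.51.100.22 - - [10/Jun/2021:08:15:11 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 1240
"""


def vpn_traversal_hits(access_log: str) -> list[dict]:
    """Return one record per request that tries to traverse out of the fgt_lang directory."""
    hits = []
    for line in access_log.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != "/remote/fgt_lang":
            continue
        # parse_qs already URL-decodes the value, so %2e%2e only survives if double-encoded
        lang = parse_qs(url.query, keep_blank_values=True).get("lang", [""])[0]
        if TRAVERSAL.search(lang) or "sslvpn_websession" in lang:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "lang": lang, "status": int(m["status"]),
                # a 200 with a non-empty body means the session file was most likely served
                "likely_success": m["status"] == "200" and m["size"] != "-" and int(m["size"]) > 0,
            })
    return hits


# Stage 2: commands ransomware runs to disrupt recovery, matched against the command line
# of process-creation events. The service-name list (vss/backup/veeam) is an assumption.
BACKUP_TAMPER = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I), "shadow copies deleted"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I), "shadow storage shrunk to evict copies"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I), "shadow copies deleted via WMI"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)", re.I), "Windows Backup catalog deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "Windows recovery environment disabled"),
    (re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(vss|backup|veeam)", re.I), "backup-related service stopped"),
]

# Constructed sample events (host, user, command line) in the shape of Sysmon event 1.
SAMPLE_PROCESS_EVENTS = [
    {"host": "HMI-01", "user": "PLANT\\svc_hist", "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "HIST-01", "user": "PLANT\\jdoe", "cmd": r"vssadmin.exe list shadows"},  # benign: read-only
    {"host": "HIST-01", "user": "PLANT\\administrator", "cmd": r"net stop VeeamBackupSvc /y"},
    {"host": "ENG-02", "user": "PLANT\\eng", "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "ENG-02", "user": "PLANT\\eng", "cmd": r"C:\Windows\System32\notepad.exe C:\Users\eng\notes.txt"},
]


def backup_tamper_hits(events: list[dict]) -> list[dict]:
    """Return one record per process-creation event whose command line tampers with backups."""
    hits = []
    for ev in events:
        for pattern, reason in BACKUP_TAMPER:
            if pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"], "reason": reason, "cmd": ev["cmd"]})
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for h in vpn_traversal_hits(SAMPLE_ACCESS_LOG):
        print(f"[VPN] {h['time']} {h['ip']} traversal lang={h['lang']!r} success={h['likely_success']}")
    for h in backup_tamper_hits(SAMPLE_PROCESS_EVENTS):
        print(f"[HOST] {h['host']} {h['user']}: {h['reason']} ({h['cmd']})")
```

The first detector keys on the parameter rather than on a single exploit string, so variations in the number of `../` segments or in encoding are still caught; the second deliberately ignores read-only `vssadmin list` calls so that a backup administrator's normal activity does not generate alerts. Either hit on an HMI or historian, where no one should be running these commands, warrants an immediate response.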

How to Avoid Ransomware Attacks

The best way to avoid this scenario is to follow security best practices, vulnerability management foremost among them. Attackers often scan the whole Internet for exploitable systems rather than choose a target first and then scan its network space. Given that reality, low-hanging vulnerabilities on exposed hosts will attract unwanted attention sooner or later. Network admins especially need to stay on top of vulnerabilities in externally exposed systems such as VPN portals and mail gateways. It is equally important to strengthen internal security by limiting who can use the VPN and restricting access between unrelated servers. Users should have the minimum permissions needed to do their job and should not have access to a system unless there is a business need for it.

Perhaps in response to organizations getting better at recovery, several prominent ransomware gangs have adjusted their strategy to add data theft as a second avenue for extortion. Stolen data may be sold to the highest bidder or used in a private shakedown. This approach has been proven on traditional IT networks and is now increasingly making its way into the ICS space. For an industrial or manufacturing plant, the stolen data may include confidential manufacturing specifications, bid details, or personnel records.

The evolving threat posed by ransomware gangs requires organizations to step up their game or risk catastrophe.

Read more in The Next Disruptive ICS Attacker Series:

The Next Disruptive ICS Attack: 3 Likely Sources for Major Disruptions

The Next Disruptive ICS Attacker: A Disgruntled Insider?

The post "The Next Disruptive ICS Attacker: A Ransomware Gang?" appeared first on TripWire.

Source: TripWire – Craig Young
