Contextualizing the Ransomware Threat Confronting OT Environments

4 years ago Richard Springer

Back in early June, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published a fact sheet discussing the rising threat of ransomware to operational technology (OT) assets. This development raises several questions. Why is ransomware a threat to OT environments? And what can organizations do to protect their OT assets against ransomware?

To find out, I sat down for a chat with three Tripwire experts: Britney Palmer, account executive here with Tripwire; Lamar Bailey, senior director of cybersecurity for Tripwire; and Zane Blomgren, security senior engineer at Tripwire. Here’s what they had to say.

A Quick Overview of Ransomware and the Colonial Pipeline Attack

Richard Springer: Lamar, could you help level-set the audience and introduce ransomware?

Lamar Bailey: Ransomware is a subset of what we call “malware.” Malware is basically anything that you don’t want on your system that can come through various means. That said, ransomware is a little bit different. When it gets onto a system, the purpose of it is to basically hold that system and that data for ransom. The attackers will oftentimes steal the data on the system, encrypt the drives, encrypt all the data, and then charge you money to unencrypt it.

A couple of things to think about with ransomware. First, it costs you downtime plus the money you pay to get your data back. Second, just because you pay the ransom does not mean that the attackers will give you back your data and not come back to re-encrypt everything a week later.

RS: Thank you, Lamar. Britney, I’m going to turn to you about the oil and gas side and all things Colonial. Could you paint a picture of pre-Colonial and post-Colonial with regards to how ransomware has affected your customers?

Britney Palmer: I think the biggest thing is that the Colonial Pipeline incident has brought a lot of awareness. The mindset of “It won’t happen to me” is now shifting to “It might happen to me, and if it does, what are my next steps?” A lot of our customers are saying, “Well, I want to mitigate the risk.” That’s what we’re here to help them with.

With the Colonial Pipeline attack, the breach was on the information technology (IT) side, but it really affected OT. And so now they’re saying, “Okay, I need to get more visibility. I need to become aware of what’s on my network, of what’s vulnerable, so that this doesn’t happen to me.”

The Impact on OT Environments

RS: Shifting gears now. Lamar, using what we just discussed with ransomware and OT, could you talk specifically about how ransomware is a threat in the OT space?

LB: A lot of the systems in OT are running IT systems, Windows, or embedded Linux. These are OSes (operating systems) and applications that attackers know very well. They’ve been going after these for years, and all of a sudden, they’re like, “Wait a minute. These also exist in this other realm over here.”

When you attack one company that’s just producing software, then you’re shutting them down for a period. When you attack something that’s in critical infrastructure, then you’re not only shutting down that company, you’re hurting their customers. You’re hurting that area of the country.

Acknowledging that, there’s been a lot more interest from ransomware actors when it comes to OT environments. If you’re delivering gas to half the United States, you’re going to be more inclined to pay a ransom quickly than someone who’s writing software for customers and users.

There’s a couple of other interesting points there, too. First, the industrial piece of it is we’ve got a twofold risk portfolio: the cyber risk of an attack and the production risk of experiencing an outage. Second, there’s the question of who’s behind all of this. Ransomware is a legitimate business, after all. There are franchises. There are shared tactics, and there’s customer service in individual ransomware operations. It’s a lucrative business for those who engage in it.

How Tripwire Could Have Helped Detect the Colonial Pipeline Attack

RS: Let’s get Zane in here. Talking from the Tripwire lens, how could we have helped Colonial from an anti-ransomware standpoint?

Zane Blomgren: When you go back and look at a lot of security events, there’s typically multiple stages where you could have captured or detected malicious activity. So, you want to have multiple layers where you can detect or respond or do things.

Looking at the Colonial situation specifically, the initial breach came through a SonicWall VPN using a SQL injection. Through either credential theft or credential creation, they elevated privilege. This would have been something that Tripwire IP360, as an example, would have been able to detect.

Maybe you don’t have IP360 but are a Tripwire Enterprise customer. In that case, you can look at the MITRE ATT&CK Framework. That’s content you can pull down and leverage for security purposes. Indeed, our MITRE ATT&CK policy would have detected some of the infections to directories, the modifications to the registry and other types of events.

If we go along a little bit further, we can say there were directories that were created, information that was downloaded, and/or files that were sent or copied over. Tripwire can detect changes such as those. We can take that feed into something like Tripwire File Analyzer, a tool which can look at that file and alert on it. Those are just some of the places where detection should have occurred in the Colonial example and where Tripwire could have helped.

RS: Interesting. So, Britney, is there a rush-to-buy situation among your customers, or is the regulatory piece causing some confusion?

BP: It’s a mix of all of that. You’re going to have some that are a little bit more aggressive and going, “Okay, this is an issue. I don’t know what is on my network. I don’t know what’s vulnerable. I’m nervous. I need to get help.” Others are sitting back and seeing what’s going to happen.

Overall, a lot of what I’m seeing is that customers are starting to look at what the long-term effect is on their business. They’re reaching out and asking for help, and they’re starting to put money aside for this part of their business. We’re starting to see that become a big shift, with some even asking for pricing for budgeting reasons. “I need to understand the value behind this,” they say. “I need to see how it works on my network.”

Responding to Ransomware

RS: Lamar, could you briefly talk about a response plan in regards to ransomware?

LB: Yes. Ransomware accords with the old adage, “An ounce of prevention is worth a pound of cure.” It’s probably an ounce of prevention is worth $30 million of cure, in this case. Once you’ve got ransomware, it’s very hard to get it cleaned up.

The thing that I try to suggest that people do is run scenarios within their company at least quarterly to see how they would respond to ransomware if it happened. So, get your response plan made out. Figure out which assets are the most critical to you and what the consequence of a ransomware attack would be on them. If those assets go down, do you have a plan for bringing them back up? Do you have a spare that you can bring up that you’ve kept locked in a closet?

RS: Thanks for your answer, Lamar. I want to thank our panelists here for their excellent insights and advice.
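Zane's point about catching the intrusion at the file-system layer (new directories created, files copied in, configuration and registry modified) comes down to integrity monitoring: take a fingerprint of what should be on the host, take another later, and diff the two. The script below is an added illustration of that technique and is not Tripwire's code or part of the original post. It builds a constructed sample tree in a temporary directory, baselines it, applies changes of the kind a ransomware operator leaves behind (a staging directory, a file encrypted in place and renamed, a silently altered config, a dropped ransom note), and reports what changed. The file names, the `.locked` extension and the indicator heuristics are assumptions made for the demonstration.

```python
"""Minimal file-integrity baseline and change report (added example).

Not Tripwire's code. File names, the ".locked" suffix and the indicator
heuristics below are constructed for this demonstration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file and directory under root (POSIX-style relative path)
    to a fingerprint. Directories get the marker "<dir>" so that a newly
    created directory shows up in the comparison, not only new files."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            baseline[(rel_dir / d).as_posix()] = "<dir>"
        for f in filenames:
            baseline[(rel_dir / f).as_posix()] = hash_file(Path(dirpath) / f)
    return baseline


def compare(before: dict, after: dict) -> dict:
    """Return added, removed and modified entries between two baselines."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


# Suffixes appended by file-encrypting ransomware; a real policy would carry
# a longer, tuned list. ".locked" is a constructed example value.
SUSPECT_SUFFIXES = (".locked",)


def ransomware_indicators(report: dict) -> dict:
    """Heuristics over a change report that deserve an alert on their own:
    how many tracked files vanished, and which new files carry a suspect
    extension (the original was encrypted and renamed)."""
    suspect = [p for p in report["added"] if p.endswith(SUSPECT_SUFFIXES)]
    return {"removed_count": len(report["removed"]), "suspect_extensions": suspect}


def simulate_incident() -> tuple:
    """Create a constructed sample tree, baseline it, apply ransomware-like
    changes, and return (report, indicators). Everything lives in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "plc_config.xml").write_text("<plc><setpoint>42</setpoint></plc>")
        (root / "hmi" / "recipes.csv").write_text("batch,temp\n1,180\n")
        (root / "readme.txt").write_text("operator notes")
        before = build_baseline(root)

        # Constructed attacker activity: staging directory with a dropped tool,
        # one file encrypted in place and renamed, one config silently altered,
        # and a ransom note written to the root.
        (root / "tmp_stage").mkdir()
        (root / "tmp_stage" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        src = root / "hmi" / "recipes.csv"
        src.with_suffix(".csv.locked").write_bytes(b"\x9f\x1c" * 16)
        src.unlink()
        (root / "hmi" / "plc_config.xml").write_text("<plc><setpoint>99</setpoint></plc>")
        (root / "README_RESTORE.txt").write_text("pay us")
        after = build_baseline(root)

    report = compare(before, after)
    return report, ransomware_indicators(report)


if __name__ == "__main__":
    rep, ind = simulate_incident()
    for kind, items in rep.items():
        print(f"{kind}: {items}")
    print("indicators:", ind)
```

The point of keeping directories in the baseline is that a new staging directory is often the earliest change an operator makes, well before anything is encrypted; a file-only baseline would miss it until a file lands there. In production the baseline must be stored somewhere the monitored host cannot overwrite, or an attacker with local privilege simply re-baselines after the fact.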

Tripwire and the Ransomware Threat

For more insights on how Tripwire can help organizations keep their OT assets safe against ransomware, check out this blog post.

The post “Contextualizing the Ransomware Threat Confronting OT Environments” appeared first on Tripwire.

Source: Tripwire – Richard Springer
