Researchers at Forescout’s Verede Labs released a proof of concept for industrial systems that damages systems deeper embedded in industrial processes than any seen before.
One of the recent projects at Verede Labs has been “Project Memoria,” an audit for vulnerabilities in popular TCP/IP stacks — including many commonly used in Internet of Things devices. The “R4IIoT” ransomware concept they debuted Wednesday weaponizes that research, exploiting a denial of service bug in Nucleus the group discovered in 2021 to disable industrial processes.
Other ransomware has attacked industrial systems in the past.
Ransomware in Colonial Pipeline attack reportedly disabled billing systems on the IT networks, resulting in the company shutting down OT systems until it could properly charge for service.
The Snake/Ekans ransomware disrupted the Windows systems that gave commands to PLCs and other industrial equipment connected directly to the industrial processes.
But R4IIoT works differently, harming the PLCs and similar systems directly.
That is a big deal, because that level of IIoT system can often be remote. For all the difficulty of remediating an encryption-based attack on a system in a central office, an attacker that shuts down a geographically distributed grid of devices one at a time until demands are met presents staffing problems that have not been seen before.
“When you’re talking about OT, it could be a ship in the ocean. It could be things that are really geographically dispersed, like manufacturing plant that on another side of the planet or a substation that is remotely in some desert, and that you may not have a team there ready to do any sort of forensics or to understand what’s going on. And honestly, when you see the OT side going down, it’s not often it’s not a matter of rebooting everything,” said Daniel Dos Santos, head of security research at Verede Labs.
Verede proposes that this kind of IIoT attack could become the next mechanism in play for ransomware gangs.
Ransomware operators have tried several layered forms of extortion in the past, including adding threats of leaks and DDoS attacks as a way of incentivizing enterprises with good backups to pay. IIoT shutdowns could create an entirely new layer of extortion organizations focused on encryption may not be prepared for.
“One thing that we have noticed is that people still think very much of ransomware as encrypting data, which is not just the case anymore,” said Dos Sanos “The case is really that ransomware is about getting ransom is about getting a payout of out of an attack.”