CISA Explains the First Ransomware Attack of 2020
James Scott once said, "Ransomware is more about manipulating the vulnerabilities in human psychology than the adversary's technological sophistication," and as the world witnesses the first ransomware attack of the year, these lines seem more meaningful than ever.
On 18 February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert about a ransomware attack on a natural gas compression facility in the U.S. The operator deliberately shut the facility down for about two days while staff restored the affected systems from backups. The obvious question is: how was the attacker able to penetrate the IT portion of the facility's network and reach the control and communication assets on the operational technology (OT) side? According to CISA, the attacker gained initial access by sending a spear-phishing link to an employee, which yielded a foothold on the IT network. Whether you realise it or not, this is one of the most common ways to break into a network; the same technique opened the door in the Bangladesh Bank heist, where the attackers attempted to transfer nearly $1 billion and got away with about $81 million.
How did it actually happen?
What CISA has disclosed is that the attack began with a compromise of the IT network. From there the attacker pivoted into the OT network and deployed "commodity ransomware" that encrypted data on both the IT and OT networks.
The security firm Dragos also shared its view of this ransomware attack. In its post on Wednesday it highlighted that, despite the limited details, previous ransomware attacks provide the blueprint: "Current hacking trends leverage initial access to the victim environment to take over credentials or directly compromise Windows Active Directory (AD) to gain control over the victim's entire network." It further noted: "Once achieved, the attacker can then use malicious scripts and legitimate remote execution tools such as PsExec to deploy the ransomware, or can even push the malicious software by taking advantage of AD group policy objects. The result of such an attack is that all domain-joined Windows machines are infected, creating an entire-network encryption event. This is the strategy that has been used for years to deploy various ransomware strains, including MegaCortex and Sodinokibi."
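The blueprint Dragos describes leaves two recognisable traces in Windows event logs, and a defender can hunt for them before the encryption event fires. The script below is an added example written for this article, not code from CISA or Dragos, and it runs over a constructed JSON-lines export of Windows events (the field names `ts`, `id`, `host`, `logon_type`, `account`, `service_name`, `image_path` are this example's own assumption; map them from your SIEM or EDR schema). It flags System log Event ID 7045 ("A service was installed in the system") where the service is PsExec's PSEXESVC, and Security log Event ID 4624 logon type 3 (network logon) from a single account to many distinct hosts within a short window, the fan-out a script produces when it pushes a payload to every domain-joined machine.

```python
"""Hunting for the ransomware deployment blueprint: PsExec service installs
and one account fanning out network logons across the domain.

Added example, not code from CISA or Dragos. Field names are an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). svc_deploy logs on to six
# hosts in under a minute and installs PSEXESVC on the HMI; jsmith is normal.
# Backslashes are doubled because the text is JSON.
SAMPLE_EVENTS = r"""
{"ts":"2020-02-10T02:00:05Z","id":4624,"host":"HMI-01","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T02:00:07Z","id":7045,"host":"HMI-01","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2020-02-10T02:00:11Z","id":4624,"host":"HIST-01","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T02:00:18Z","id":4624,"host":"POLL-01","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T02:00:24Z","id":4624,"host":"ENG-WS-02","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T02:00:31Z","id":4624,"host":"FILE-01","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T02:00:37Z","id":4624,"host":"DC-01","logon_type":3,"account":"svc_deploy@corp.local","src_ip":"10.10.5.20"}
{"ts":"2020-02-10T09:12:40Z","id":4624,"host":"FILE-01","logon_type":3,"account":"jsmith@corp.local","src_ip":"10.10.7.33"}
{"ts":"2020-02-10T09:15:02Z","id":4624,"host":"ENG-WS-02","logon_type":2,"account":"jsmith@corp.local","src_ip":"-"}
{"ts":"2020-02-10T09:20:00Z","id":7045,"host":"FILE-01","service_name":"Sysmon64","image_path":"C:\\Windows\\Sysmon64.exe"}
"""

# Default service name PsExec installs on the target. "psexec -r" renames it,
# so treat a miss here as absence of evidence, not evidence of absence.
PSEXEC_MARKER = "psexesvc"


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_psexec_service_installs(events):
    """Return (ts, host, service_name, image_path) for 7045 events that look like PsExec."""
    hits = []
    for ev in events:
        if ev.get("id") != 7045:
            continue
        name = str(ev.get("service_name", "")).lower()
        image = str(ev.get("image_path", "")).lower()
        if PSEXEC_MARKER in name or PSEXEC_MARKER in image:
            hits.append((ev["ts"], ev["host"], ev.get("service_name"), ev.get("image_path")))
    return hits


def detect_logon_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Map account -> sorted hosts for accounts whose network logons (4624, type 3)
    reach at least `min_hosts` distinct hosts inside any span of length `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("id") == 4624 and ev.get("logon_type") == 3:
            by_account[ev["account"]].append((_ts(ev["ts"]), ev["host"]))
    findings = {}
    for account, logons in by_account.items():
        logons.sort()
        start, widest = 0, set()
        for end in range(len(logons)):
            # Slide the window start forward until it fits within `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) > len(widest):
                widest = hosts
        if len(widest) >= min_hosts:
            findings[account] = sorted(widest)
    return findings


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {
        "psexec_installs": detect_psexec_service_installs(events),
        "logon_fanout": detect_logon_fanout(events),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Tune `min_hosts` and `window` against a baseline of your own environment; backup agents and patch management legitimately fan out, so the finding is a lead for the analyst, not a verdict. The 7045 rule only catches the default PsExec service name; a renamed binary, WMI or WinRM execution, or a payload pushed through a group policy object will not appear as a PSEXESVC install and needs its own rule, such as auditing changes to group policy objects in Active Directory.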
What other information is there?
CISA also noted that at no time did the attacker gain the ability to control or manipulate the plant's physical processes. The programmable logic controllers (PLCs) that directly read and manipulate the physical process in the industrial environment were not affected, because the attack was limited to Windows-based systems.
"The attack resulted in a loss of availability of specific assets on the OT network, including the human-machine interfaces (HMIs) responsible for reading and controlling operations at the facility," the agency further highlighted. "Impacted assets are no longer able to read and aggregate real-time operational data from low-level OT devices."
The lack of preparedness
The facility acknowledged that its emergency response plan had been designed to handle physical emergencies, not cyber-related incidents.
"Consequently, emergency response exercises failed to provide employees with the experience required for quick decision-making during a cyber attack," CISA noted. "The victim cited a gap in cybersecurity knowledge and a lack of familiarity with the wide range of possible scenarios as the reasons for failing to incorporate cybersecurity into its emergency-response plan."
Who is to blame?
In the end, the question remains: who is to blame for this loss? CISA did not name the victim or the attacker. Dragos, however, suggested that the incident likely took place in 2019 and involved the Ryuk malware.
A loss is a loss, and in the end you can only blame yourself for not preparing in advance. As people say, "prevention is better than cure": give your staff a cyber security strategy and the training to recognise and contain an attack, and make sure the emergency response plan covers cyber incidents as well as physical ones.