Ransomware has taken the world by storm, and information technology (IT) is not the only technology affected. Operational technology (OT), which is increasingly blending with IT, is also susceptible to ransomware tactics, techniques and procedures (TTPs). When ransomware strikes OT, the effects have the potential to be devastating. Here, we will look at a Conti ransomware attack that spread from IT to OT systems.
This threat find demonstrates a use case of Darktrace’s technology that works to spot and stop ransomware at its early stages. This is particularly helpful for organizations with interconnected enterprise and industrial environments, as it means:
- Emerging attacks can be contained in IT before they spread laterally into OT, and even before they spread from device to device in IT.
- Organizations gain granular visibility into their industrial environments, so they can detect deviations from normal activity and quickly identify remediating actions.
Threat: Conti ransomware and crypto-mining hijack affecting IT and OT systems
An aggressive attack targeting an OT R&D investment firm in EMEA was recently identified. The attack originally started as a crypto-mining campaign and later evolved into ransomware. This organization deployed Darktrace in a digital estate containing both IT and OT assets that spanned over 3,000 devices.
Human attention could have stopped this attack’s progression. Darktrace gave indications of an ongoing compromise in the month prior to the detonation of the Conti ransomware. In this case, however, the security team was not monitoring Darktrace’s interface, and so the attack was allowed to proceed.
Compromised OT devices
This threat find will focus on the attack techniques used to take over two OT devices, specifically an HMI (human machine interface) and an ICS Historian used to collect and log industrial data. These OT devices were both VMware virtual machines running Windows OS and were compromised as part of a wider Conti ransomware infection. Both devices were being used primarily within an industrial control system (ICS), running a popular ICS software package and making regular connections to an industrial cloud platform.
These devices were thus part of an ICSaaS (ICS-as-a-Service) environment, using virtualized and cloud platforms to run analytics, update threat intelligence and control the industrial process. As previously highlighted by Darktrace, the convergence of cloud and ICS increases a network’s attack surface and amplifies cyber risk.
The initial infection of the OT devices occurred when a compromised Domain Controller (DC) made unusual Active Directory requests. The devices made subsequent DCE-RPC binds for epmapper, often used by attackers for network reconnaissance to map services to ports, and lsarpc, used by attackers to abuse authentication policies and escalate privileges.
The payload was delivered when the OT devices used SMB to connect to a folder and read a malicious executable file.
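The sequence described above (DCE-RPC binds for epmapper and lsarpc, then an executable read over SMB) can be expressed as a correlation rule. The following is an added example, not Darktrace's detection logic; the event format, device names, file paths, executable extensions and the 600-second window are all assumptions.

```python
from collections import defaultdict

OT_ASSETS = {"hmi-01", "historian-01"}        # assumed OT asset inventory
RECON_ENDPOINTS = {"epmapper", "lsarpc"}      # DCE-RPC interfaces named in the text
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")    # assumed executable file types

# Constructed events (not from the incident): (epoch seconds, device, kind, detail)
EVENTS = [
    (100, "hmi-01", "dcerpc_bind", "epmapper"),
    (105, "hmi-01", "dcerpc_bind", "lsarpc"),
    (160, "hmi-01", "smb_read", r"\\srv-files\share\tools\update.exe"),
    (200, "historian-01", "dcerpc_bind", "epmapper"),
    (900, "historian-01", "smb_read", r"\\srv-files\share\reports\q3.xlsx"),
    (300, "ws-114", "dcerpc_bind", "epmapper"),   # IT workstation, out of scope
    (305, "ws-114", "dcerpc_bind", "lsarpc"),
    (310, "ws-114", "smb_read", r"\\srv-files\share\tools\update.exe"),
]

def correlate(events, window=600):
    """Flag OT devices that bind to every recon endpoint and then read an
    executable over SMB within `window` seconds of the most recent bind."""
    binds = defaultdict(dict)   # device -> {endpoint: latest bind time}
    alerts = []
    for ts, dev, kind, detail in sorted(events):
        if dev not in OT_ASSETS:
            continue
        if kind == "dcerpc_bind" and detail in RECON_ENDPOINTS:
            binds[dev][detail] = ts
        elif kind == "smb_read" and detail.lower().endswith(EXEC_EXTENSIONS):
            seen = binds[dev]
            if set(seen) == RECON_ENDPOINTS and ts - max(seen.values()) <= window:
                alerts.append({"device": dev, "file": detail, "ts": ts})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Scoping the rule to OT assets keeps it quiet on IT hosts, where epmapper binds are routine.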
Device encryption and lateral spread
The malicious payload remained dormant on the OT devices for three weeks. It seems the attacker used the time to install crypto-mining malware elsewhere on the network and consolidate their foothold.
On the day the Conti ransomware detonated, the attacker used remote management tools to initiate encryption on the compromised OT devices.
The devices then attempted to make command and control (C2) connections to rare external endpoints using suspicious ports. As in many ICS networks, sufficient network segregation had been implemented to prevent the HMI device from making successful connections to the Internet, and the C2 communications failed. But worryingly, the failed C2 did not prevent the attack from proceeding or the ransomware from detonating.
The Historian device made successful C2 connections to around 40 unique external endpoints. Darktrace detected beaconing-type behavior. The connections were made to rare destination IP addresses that did not specify the Server Name Indication (SNI) extension hostname and used self-signed and/or expired SSL certificates.
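The indicators in this paragraph (regular connection timing, no SNI, self-signed or expired certificates, many destinations) can be combined into one check over TLS connection records. This is an added example, not Darktrace's model; the record fields, device names, documentation-range IPs and thresholds are assumptions, and destination rarity is not modeled.

```python
from collections import defaultdict
from statistics import mean, pstdev

def make_records():
    """Constructed TLS connection records (not from the incident)."""
    recs = []
    # "historian": one connection about every 300 s, 5 destinations, no SNI
    for i in range(20):
        recs.append({"ts": 1000 + i * 300 + (i % 3), "src": "historian",
                     "dst": f"203.0.113.{10 + i % 5}", "sni": None,
                     "self_signed": True, "expired": False})
    # "hmi": irregular traffic to its cloud platform with SNI and a valid cert
    for ts in [1000, 1400, 4100, 4200, 9000, 9900]:
        recs.append({"ts": ts, "src": "hmi", "dst": "198.51.100.7",
                     "sni": "ics-cloud.example", "self_signed": False,
                     "expired": False})
    return recs

def suspicious_tls(rec):
    """True when SNI is absent and the certificate is self-signed or expired."""
    return rec["sni"] is None and (rec["self_signed"] or rec["expired"])

def beacon_score(timestamps):
    """Coefficient of variation of the gaps; near 0 means regular timing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None   # too few connections to judge regularity
    return pstdev(gaps) / mean(gaps)

def find_beaconing(records, max_cv=0.1, min_dests=3):
    """Return devices whose suspicious TLS sessions are regular and spread
    over at least `min_dests` destinations."""
    by_src = defaultdict(list)
    for r in records:
        if suspicious_tls(r):
            by_src[r["src"]].append(r)
    alerts = {}
    for src, recs in by_src.items():
        dests = {r["dst"] for r in recs}
        cv = beacon_score(sorted(r["ts"] for r in recs))
        if cv is not None and cv <= max_cv and len(dests) >= min_dests:
            alerts[src] = {"destinations": len(dests), "cv": round(cv, 3)}
    return alerts

if __name__ == "__main__":
    print(find_beaconing(make_records()))
```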
Both devices enumerated network SMB shares and wrote suspicious shell scripts to network servers. Finally, the devices used SMB to encrypt files stored in network shares, adding a file extension which is likely to be unique to this victim. Most encrypted files were uploaded to the folder in which the file was originally located, but in some instances were moved to the images folder.
During the encryption, the device was using the machine account to authenticate SMB sessions. This is in contrast to other ransomware incidents that have been observed, in which admin or service accounts are compromised and abused by the attacker. It is possible that in this instance the attacker was able to use ‘Living off the Land’ techniques to give the machine account admin privileges.
Detonation of ransomware
Upon detonation, a ransomware note was written by the ICS to targeted devices as part of the encryption activity.
The final model breached by the device was “Unresponsive ICS Device” as the device either stopped working because of the ransomware or was removed from the network.
How the attack bypassed the rest of the security stack
In this threat find, there were many factors which resulted in the OT devices becoming compromised.
The first is IT/OT convergence. The ICS network was insufficiently segregated from the corporate network. This means that devices could be accessed by the compromised DC during the lateral movement stage of the attack. As OT becomes more reliant on IT, ensuring sufficient segregation is in place — or that an attacker cannot circumvent such segregation — is becoming an ever-increasing challenge for security teams.
Another reason is that the attacker used Living off the Land techniques to compromise devices, with no discrimination as to whether they were part of an IT or OT network. Many of the machines used to operate ICS networks, including the devices highlighted here, rely on operating systems vulnerable to the kinds of TTPs observed here, which are regularly employed by ransomware groups.
In total, the attacker’s dwell time within the digital estate was 25 days. Unfortunately, it led to a disruption in operational technology, file encryption and financial loss. Altogether, 36 devices were crypto-mining for over 20 days – followed by nearly 100 devices (IT and OT) becoming encrypted following the detonation of the ransomware.
Ransomware and interconnected IT/OT systems
ICS networks are often operated by machines that rely on operating systems, which can be affected by TTPs regularly employed by ransomware groups — that is, TTPs such as Living off the Land, which do not discriminate between IT and OT.
The threat that ransomware poses to organizations with OT, including critical infrastructure, is so severe that the Cyber Infrastructure and Security Agency (CISA) released a fact sheet concerning these threats in the summer of 2021, noting the risk that IT attacks pose to OT networks:
“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks… As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”
Major ransomware attacks against the Colonial Pipeline and JBS Foods demonstrate the potential for ransomware affecting OT to cause severe economic disruption on a national and international scale. Ransomware can wreak havoc on OT systems, regardless of whether they directly target OT systems.
– This originally appeared on Darktrace’s website. Darktrace is a CFE Media and Technology content partner.