Beware, More OT-Aware Ransomware – Recent Research Discovers Financially Motivated Threat Actors Dying to Kill More OT Processes

Author: Jennifer Walker

Created: Thursday, July 16, 2020 - 18:44

Categories: Cybersecurity, General Security and Resilience, Security Preparedness

Prior reporting in multiple Security & Resilience Updates, most recently on June 18, 2020, has covered OT-aware ransomware families, notably EKANS, MegaCortex, and LockerGoga. Newly published research from FireEye suggests additional families are now incorporating common OT processes in their kill lists. According to FireEye, three other families (DoppelPaymer, Maze, and Nefilim) share the same process kill list as EKANS, MegaCortex, and LockerGoga, but a seventh family, CLOP, seems to be exercising its independence. The six families sharing that list are currently known to target only a couple dozen OT processes. However, CLOP reportedly overachieves with more than 150 OT processes, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocols. FireEye links CLOP to activity associated with the financially motivated Russian-linked threat group TA505.

While EKANS and its ilk are able to kill OT processes, they have not yet demonstrated the capability to otherwise manipulate industrial processes, so operators have not lost control of physical processes. But the overachieving cousin appears to be more of a bully. According to FireEye, “While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment.” Read more about the OT process kill lists at FireEye.
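One way a utility could watch for the kill-list behavior described above is to alert when several different OT software processes exit on the same host within seconds of each other. The sketch below is an added example, not code from FireEye or WaterISAC; the watchlist names, the event format, and the thresholds are constructed assumptions to be replaced with a site's own process inventory and log source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Site-maintained watchlist of OT software process names. These are
# constructed placeholders, not names taken from any published kill list.
OT_WATCHLIST = {
    "hmi_runtime_placeholder.exe",
    "opc_server_placeholder.exe",
    "historian_placeholder.exe",
    "plc_engineering_placeholder.exe",
}

# Constructed process-exit events, oldest first: "ISO timestamp,host,image".
SAMPLE_EVENTS = """\
2020-07-16T09:00:01,HMI-01,notepad.exe
2020-07-16T09:14:30,HMI-01,hmi_runtime_placeholder.exe
2020-07-16T10:02:10,ENG-02,hmi_runtime_placeholder.exe
2020-07-16T10:02:11,ENG-02,OPC_Server_Placeholder.exe
2020-07-16T10:02:11,ENG-02,chrome.exe
2020-07-16T10:02:13,ENG-02,historian_placeholder.exe
2020-07-16T11:30:00,HMI-01,opc_server_placeholder.exe
"""

def find_kill_bursts(lines, window_seconds=30, min_distinct=3):
    """Return (host, window_start, process_names) for every burst in which
    at least min_distinct different watchlist processes exit on one host
    within window_seconds. Events must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> recent (timestamp, image) exits
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, host, image = line.split(",", 2)
        image = image.lower()  # Windows image names are case-insensitive
        if image not in OT_WATCHLIST:
            continue
        ts = datetime.fromisoformat(ts_text)
        exits = recent[host]
        exits.append((ts, image))
        while ts - exits[0][0] > window:  # drop exits older than the window
            exits.popleft()
        names = {name for _, name in exits}
        if len(names) >= min_distinct:
            alerts.append((host, exits[0][0].isoformat(), sorted(names)))
            exits.clear()  # start fresh so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

A planned shutdown or patch window will also trip this rule, so alerts should be correlated with change records before escalation.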
