WannaCry ransomware variants have been reported in the wild impacting individuals and organizations around the globe. Early reports pointed to phishing e-mails as the initial infection vector, although this has not been confirmed; unpatched hosts that expose SMB directly to the internet can also be infected without any user interaction. Once a computer is infected, the malware attempts to infect other machines on the same network through a recently patched Windows vulnerability.
While WannaCry does not specifically target control systems, there are reports that a number of industrial facilities have also been affected and have had to halt production at multiple sites.
From the investigations and analysis performed to date, we know that the malware encrypts files and presents the user with a prompt that includes a ransom demand, a countdown timer and a bitcoin wallet address to pay the ransom into.
To propagate, the malware exploits the SMBv1 vulnerability patched by Microsoft Security Bulletin MS17-010, connecting to other hosts over SMB (TCP port 445). Any device reachable on the same network that still runs unpatched SMBv1 can be infected in this way, with no user action required.
Proper network segmentation of industrial assets, patch management and system hardening should be effective in protecting OT environments from this debilitating kind of attack. Nevertheless, Applied Risk recommends the following tactical countermeasures to asset owners and operators in order to contain the propagation of this malware:
- Remain vigilant and do not open attachments or files from unknown sources
- Deploy the MS17-010 security update on all supported Windows systems
- Microsoft has also released an out-of-band MS17-010 patch for legacy systems that are otherwise out of support (Windows XP, Windows 8 and Windows Server 2003); deploy it where these systems cannot be retired
- Disable the outdated SMBv1 protocol on servers and clients
- Do not allow SMB (TCP 139/445) or RDP (TCP 3389) connections directly from the internet
- Isolate unpatched or unsupported systems from the rest of the internal network
- Maintain back-ups that are stored offline or otherwise unreachable from infected hosts, and verify regularly that they can be restored
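The following PowerShell script is an added example of how the patch, SMBv1 and firewall items above can be checked and applied on a single Windows host; it is not part of Applied Risk's advisory and not Applied Risk code. It assumes an elevated PowerShell 5.1 or later session on Windows 8.1 / Server 2012 R2 or newer (for the SmbShare and NetSecurity modules), and the hotfix IDs listed are the March and May 2017 MS17-010 releases as published by Microsoft, which later cumulative updates supersede without carrying the same IDs. The rule names are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Applied Risk advisory): check a Windows host for the MS17-010
# update, report and disable SMBv1, and add host-firewall rules that drop SMB/RDP arriving
# from outside the local network. Assumes Windows 8.1 / Server 2012 R2 or later.

# Hotfix IDs that delivered MS17-010 (assumption: March/May 2017 releases). A miss here means
# "investigate", not necessarily "unpatched": later cumulative updates contain the same fix.
$Ms17010HotfixIds = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # May 2017 out-of-band release for XP, 8, Server 2003
)

function Test-Ms17010Installed {
    # Returns the matching hotfix IDs present on this host (empty array if none).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Ms17010HotfixIds | Where-Object { $installed -contains $_ })
}

function Get-Smb1Status {
    # SMBv1 has a server side (LanmanServer) and a client side (mrxsmb10 driver); report both.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $driverStart = (Get-ItemProperty -Path $driverKey -ErrorAction SilentlyContinue).Start  # 4 = disabled
    [pscustomobject]@{
        ServerSmb1Enabled     = $serverEnabled
        ClientSmb1StartValue  = $driverStart   # $null when the driver is not present at all
    }
}

function Disable-Smb1 {
    # Server side: stop answering SMBv1 negotiations (effective immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 optional feature where it exists (8.1 / 2012 R2 and later); needs a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    # Client side (Microsoft KB 2696547): drop the SMBv1 redirector from the workstation dependencies.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InternetSmbRdp {
    # Host-level backstop for the perimeter rule: drop SMB and RDP from non-local address ranges.
    # 'Internet' is the built-in firewall address keyword for everything outside the local subnets.
    $rules = @(
        @{ Name = 'Block inbound SMB from internet'; Ports = @(139, 445) },
        @{ Name = 'Block inbound RDP from internet'; Ports = @(3389) }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Ports -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
}

# --- Run the checks, then harden ---
$patched = Test-Ms17010Installed
if ($patched.Count -eq 0) {
    Write-Warning 'No MS17-010 hotfix ID found; confirm the installed cumulative update before trusting this host.'
} else {
    Write-Host "MS17-010 present: $($patched -join ', ')"
}

$smb1 = Get-Smb1Status
Write-Host "SMBv1 server enabled: $($smb1.ServerSmb1Enabled); client driver Start value: $($smb1.ClientSmb1StartValue)"
$clientActive = ($null -ne $smb1.ClientSmb1StartValue) -and ($smb1.ClientSmb1StartValue -ne 4)
if ($smb1.ServerSmb1Enabled -or $clientActive) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot to complete removal of the client driver.'
}

Block-InternetSmbRdp
Write-Host 'Inbound SMB/RDP from non-local addresses is now blocked at the host firewall.'
```

Run the script once per host and keep the output: the hotfix check is a hint rather than proof, so a host that reports no MS17-010 ID should be verified against its installed cumulative update before it is considered safe. On OT networks, test the SMBv1 change against any legacy HMI or historian that still depends on it before rolling it out, and isolate such devices instead if they cannot be updated.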
Visit Applied Risk’s Industrial Security Services to find out what steps you can take today to secure your critical assets from emerging cyber threats.