Industrial environments, in addition to the wider business community, are under attack from a variety of ransomware threats - infecting networks in countries across the globe. The Petya.C/Petya.A ransomware uses vulnerabilities that were previously exploited by WannaCry.
Petya moves laterally over affected networks in search of other vulnerable systems. It uses dumped passwords from local computers and especially Domain Controller (DC) systems to authenticate to other Windows systems on the network. Once Petya takes control of a system, it starts downloading the necessary binaries from the internet. Once the system reboots, it begins the process of encrypting files - with some minor exclusions.
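The credential reuse described above leaves a recognisable trace in Windows Security logs: one account producing network logons (event 4624, logon type 3) on many different hosts within minutes. The function below, an added example and not code from the Applied Risk article, scores that fan-out pattern over a constructed set of logon records; it assumes Security events from many machines are centralised (event forwarding or a SIEM export), and the `Properties` indices noted in the comment for mapping live 4624 events are an assumption to verify against your own event schema.

```powershell
# Added example (not from the Applied Risk article): flag one account that
# authenticates over the network (logon type 3) to many different hosts in a
# short window, the pattern the article describes for Petya's credential reuse.
# Assumes Security events are centralised so one stream carries logons from
# many machines. Record shape: Time, User, LogonType, Computer, SourceIp.

function Find-FanOutLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,   # look-ahead window per account
        [int] $HostThreshold = 5     # distinct hosts in the window that trigger an alert
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |
        Group-Object -Property User |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            # Sliding window: from each logon, count distinct target hosts reached
            # within WindowMinutes; one alert per account is enough for triage.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start    = $sorted[$i].Time
                $inWindow = $sorted | Where-Object {
                    $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes)
                }
                $hosts = $inWindow.Computer | Sort-Object -Unique
                if ($hosts.Count -ge $HostThreshold) {
                    [pscustomobject]@{
                        User        = $_.Name
                        WindowStart = $start
                        HostCount   = $hosts.Count
                        Hosts       = ($hosts -join ',')
                        SourceIps   = (($inWindow.SourceIp | Sort-Object -Unique) -join ',')
                    }
                    break
                }
            }
        }
}

# Constructed sample: a service account reaching six HMI hosts in six minutes
# from one source address, plus an ordinary user with a console and a file-share logon.
$base   = Get-Date '2017-06-27T10:00:00'
$sample = @(
    foreach ($n in 1..6) {
        [pscustomobject]@{ Time = $base.AddMinutes($n); User = 'svc_backup'; LogonType = 3
                           Computer = "HMI-0$n"; SourceIp = '10.10.5.23' }
    }
    [pscustomobject]@{ Time = $base.AddMinutes(2); User = 'jdoe'; LogonType = 2; Computer = 'ENG-WS01'; SourceIp = '-' }
    [pscustomobject]@{ Time = $base.AddMinutes(3); User = 'jdoe'; LogonType = 3; Computer = 'FILE01';   SourceIp = '10.10.7.14' }
)

Find-FanOutLogons -Events $sample | Format-List   # expected: one alert for svc_backup, none for jdoe

# Live data (assumed 4624 property layout: [5] TargetUserName, [8] LogonType, [18] IpAddress):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object {
#     [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value
#                        LogonType = [int]$_.Properties[8].Value; Computer = $_.MachineName
#                        SourceIp = $_.Properties[18].Value }
# } | Find-FanOutLogons
```

Tune the window and threshold to the environment: a backup or monitoring account that legitimately touches every host on a schedule should be whitelisted by source address rather than by raising the threshold, because the Petya pattern is precisely an account reaching many hosts from a single newly infected machine.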
The main characteristic of the new Petya variant is its attempt to rewrite the Master Boot Record (MBR) bootloader before the actual encryption. A reboot is caused by using a scheduled task event to restart the system. Some versions, however, cause a Blue Screen of Death (BSOD) resulting in a forced restart.
A malicious MBR bootloader is then used to encrypt the Master File Table (MFT) of the NTFS partitions, while displaying a fake disk-repair screen.
Once the malicious MBR loader is finished “repairing sectors”, a black and orange ransom note is shown to users, prompting payment for a decryption key that is offered for purchase on the dark web.
Impact on ICS/SCADA components
With the Petya ransomware now in the wild, the impact on ICS/SCADA environments could have devastating ramifications. Mission-critical systems which require real-time control and monitoring over physical processes could face safety incidents and/or unexpected shutdown. The consequences of an attack could therefore include halted production, damage to assets and the environment, and even fatalities or injuries.
At the time of writing, there are no known mechanisms to restore affected systems to their original state.
Thorough segmentation of industrial networks, patch management and system hardening should provide effective protection against the threat in ICS/SCADA environments.
Applied Risk recommends the following safeguards for asset owners and operators to mitigate the risk posed by this type of malware:
• Deploy patch MS17-010 (consult your SCADA vendor first)
• Disable the outdated SMBv1 protocol
• Do not allow connections to the SMB protocol directly from the internet
• Isolate unpatched or unsupported systems from the internal network
• Make backups and verify that they can be restored
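The following script is an added example, not Applied Risk's own tooling, that turns the first three checklist items into a per-host audit: is an MS17-010 update present, is SMBv1 still enabled, and is there a host firewall rule blocking inbound TCP 445 from non-local networks. It only changes settings when `-Remediate` is given, which keeps the "consult your SCADA vendor first" advice enforceable. Assumptions: it runs elevated; `Get-SmbServerConfiguration` and the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later (older hosts fall back to the documented `LanmanServer` registry value); the KB list is a partial mapping of MS17-010 to per-OS update IDs, and later cumulative updates supersede them, so a missing KB is a prompt to check update history rather than proof of exposure; `Internet` is a Windows Firewall remote-address keyword.

```powershell
# Added example (not from the Applied Risk article): audit a Windows host against
# the MS17-010 / SMBv1 / SMB-exposure items of the checklist, remediate on request.
# Partial MS17-010 KB list (assumption: check the bulletin for your OS build);
# cumulative updates supersede these, so absence is a prompt, not a verdict.
$Ms17010Kbs = 'KB4012598','KB4012212','KB4012213','KB4012214','KB4012606','KB4013198','KB4013429'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / 2012 and later expose the setting through the SMB module
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMB1 value absent or non-zero means the server side is enabled
    $v = Get-ItemProperty $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Get-Smb445BlockRule {
    Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' } |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
}

function Test-Ms17010Hardening {
    param([switch] $Remediate)

    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID

    if ($Remediate) {
        if (Get-Smb1State) {
            if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            } else {
                Set-ItemProperty $LanmanKey -Name SMB1 -Type DWord -Value 0
            }
        }
        if (-not (Get-Smb445BlockRule) -and (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
            # Keep SMB reachable from local subnets; drop inbound 445 from 'Internet' addresses
            New-NetFirewallRule -DisplayName 'Block inbound SMB from non-local networks' `
                -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
        }
    }

    $smb1On    = Get-Smb1State
    $blockRule = [bool](Get-Smb445BlockRule)
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Ms17010KbFound  = ($installed -join ',')
        Smb1Enabled     = $smb1On
        Smb445BlockRule = $blockRule
        NeedsAttention  = (-not $installed) -or $smb1On -or (-not $blockRule)
    }
}

Test-Ms17010Hardening              # audit only; safe on production ICS hosts
# Test-Ms17010Hardening -Remediate  # after vendor sign-off and a verified, restorable backup
```

Run the audit across the fleet first (for example via `Invoke-Command` against a host list) and treat `NeedsAttention` as the isolation list from the fourth checklist item: hosts that cannot be patched or cannot lose SMBv1 because of a vendor dependency are the ones to segment away from the rest of the network.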
Learn more about how Applied Risk can help its customers in the drive towards a safe and reliable industrial internet.