Industrial manufacturers should beware: A KillDisk malware variant encrypts files and holds them for ransom instead of deleting them, researchers said.
Since KillDisk has seen action in attacks aimed at industrial control systems (ICS), researchers fear more ransomware will enter into the industrial domain.
Previous versions of KillDisk wiped hard drives in an effort to make systems inoperable, but a new variant observed by industrial cyber security firm CyberX encrypts files using a combination of the RSA and AES algorithms. Each file is encrypted with its own AES key, and those keys are in turn encrypted with an RSA 1028 key stored in the body of the malware.
The ransomware’s mission is to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Local partitions and network folders are the target of the attack.
By reverse-engineering the new malware variant, CyberX’s team, led by Vice President of Research David Atch, found that it displays a pop-up message demanding 222 Bitcoins, or $206,000, in return for the decryption key.
The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions.
The malware requires elevated privileges and registers itself as a service, said researchers at CyberX. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products.
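The service registration noted above leaves a trace that defenders can hunt for: on Windows, every new service installation is recorded in the System log as Event ID 7045. As an added illustration, not code from the article or from CyberX, the Python below scans constructed 7045 records (exported as JSON lines, a field layout assumed here) and flags services whose binary sits outside the standard program directories or borrows the name of a core Windows binary.

```python
import json
import ntpath

# Constructed sample records shaped like Windows System log Event ID 7045
# ("A service was installed in the system") as a SIEM might export them.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "ServiceName": "Windows Update Helper", "ImagePath": "C:\\Users\\operator\\AppData\\Local\\Temp\\svchost.exe", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "HMI Historian", "ImagePath": "\"C:\\Program Files (x86)\\Vendor\\Historian\\histsvc.exe\" -run", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "Win32 Time", "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k LocalService", "StartType": "demand start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "Update Service", "ImagePath": "C:\\ProgramData\\upd\\upd.exe", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "StartType": "", "AccountName": ""}
"""

# Directories a legitimately installed service binary is expected to live in.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Core Windows binary names; seen outside C:\Windows they suggest masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def extract_binary(image_path):
    """Lower-cased executable path from an ImagePath value: strips quotes,
    command-line arguments and the %SystemRoot% variable."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]          # quoted path, args follow the quote
    else:
        idx = path.lower().find(".exe")           # unquoted: cut after the .exe name
        path = path[: idx + 4] if idx != -1 else path.split(" ", 1)[0]
    return path.lower().replace("%systemroot%", "c:\\windows")


def suspicious_reasons(record):
    """Reasons a 7045 record looks like a malicious service registration."""
    if record.get("EventID") != 7045:
        return []
    binary = extract_binary(record.get("ImagePath", ""))
    reasons = []
    if not binary.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside trusted program directories")
    if ntpath.basename(binary) in SYSTEM_BINARY_NAMES and not binary.startswith("c:\\windows\\"):
        reasons.append("system binary name used outside C:\\Windows")
    return reasons


def find_suspicious(jsonl_text):
    """Parse JSON-lines events; return [(service name, binary path, reasons), ...]."""
    hits = []
    for line in filter(None, (l.strip() for l in jsonl_text.splitlines())):
        record = json.loads(line)
        reasons = suspicious_reasons(record)
        if reasons:
            hits.append((record["ServiceName"], extract_binary(record["ImagePath"]), reasons))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the Temp-folder `svchost.exe` and the ProgramData service while leaving the vendor and system services alone; a real deployment would feed it the 7045 export from a log collector and compare against the site's own software allowlist.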
This new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang, said CyberX researchers. The Sandworm gang is responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware.
This “sophisticated malware campaign” compromised human-machine interfaces (HMIs) at a number of US companies, according to a December 2014 alert from the DHS.
CyberX researchers said the developers converted KillDisk into a piece of ransomware because, unlike cyber-sabotage, the new functionality enables them to directly monetize their attacks.
Industrial organizations, CyberX researchers said, are excellent targets for ransomware because:
1. When operational data on which physical processes rely, such as HMI data, becomes unusable, the consequences can be significant, including catastrophic damage to production assets, production outages, and risks to physical safety.
2. Industrial organizations can’t easily shut down network operations to prevent malware from spreading, because industrial processes themselves can’t easily be shut down.
3. Enterprises are more likely to quietly pay the ransom because of concerns that going public with cyberattacks will invite greater scrutiny from regulators, and possibly fines (environmental, safety, etc.).
4. Operational Technology (OT) environments are often less mature than IT environments and, as a result, their data backup processes may not be sufficient to restore all required data.
5. Employees are production workers who tend to have less security awareness training and are more likely to open malicious documents delivered via phishing emails.
6. Like healthcare’s focus on HIPAA compliance, the primary focus for industrial organizations has typically been on ensuring regulatory compliance (e.g., NERC-CIP) rather than strengthening cybersecurity controls.