
All right, it looks like it's two o'clock, so I'm going to go ahead and get started. My name is Camille Jackson Singleton. I am the Strategic Cyber Threat Lead for IBM Security X-Force's threat intelligence team, and I'm very excited to be here today to speak with you. I live right here in Utah, in North Salt Lake, so I'm especially excited to rub shoulders with others in Utah and hear about the security issues you are grappling with and how you are addressing them, and even more to do this in real life, face to face, which is such a treat, especially after the pandemic that we've all been enjoying for so long. To be at a conference and actually see people face to face is so rare, and it's very delightful.

Some of my colleagues from IBM Security X-Force are also at this conference; we listened to them earlier today. Snow and Grifter are on the penetration testing and incident response side of the house, and I'm on the threat intel side of the house for IBM Security X-Force. So I'm looking specifically at threat actors, their tactics, techniques and procedures, how these TTPs are evolving over time, and what we can do as organizations to better defend against them and against these TTPs. One thing that has definitely been at the top of our list the past couple of years, probably for all threat intel teams, is ransomware. We see tons and tons of ransomware every year, and this year is no different. Even as ransomware groups are coming and going and shutting down, and there are arrests, their activity and tempo is still very high, and the profits they make are very high as well, which makes it very attractive for cyber criminals.

So one ransomware group I've been looking at in particular is called Ryuk, and one reason this group is so interesting to me is because Ryuk is the group that X-Force has seen most commonly get onto industrial control system networks. ICS networks are, of course, the networks, software and hardware that control industrial processes, so this is things like huge manufacturing machinery and energy generation plants, and so when this equipment is affected the effects can be really significant: potentially things explode, there could potentially be loss of life, or at least operations go down and those critical processes can't function for a little bit of time. So that's why we care so much about this. So I wanted to look a little at how Ryuk has gotten onto ICS networks, how that has happened, and what the implications might be.

I wanted to start off by first discussing the ransomware landscape for industrial control system networks overall. X-Force's data shows that so far this year, in 2021, 32% of all attacks we have seen on industrial control systems have been from ransomware. This is a greater percentage than any other attack type; it's almost one-third of all of the incidents we remediate, so it's pretty significant. And admittedly, even when you look at non-ICS organizations, ransomware does again emerge as the top attack type, so this isn't necessarily unique to industrial control systems, but arguably ransomware does have a unique effect on organizations with industrial control systems. To get into that a little more: fairly commonly I will hear the argument that, yeah, well, we're seeing a lot of ransomware attacks, and yeah, a lot of these ransomware attacks affect organizations that have ICS networks, but often the ransomware doesn't actually get onto the ICS portion of the network. There's the IT network that has email and all the other enterprise functions that a normal organization will have, then you want to have segmentation, and then there's the OT network, right? So it is true that more often than not ransomware doesn't get on the ICS or operational technology portion of the network, but the assumption that there are no operational effects, I would definitely counter that. Our research has shown that in cases where there's a ransomware attack against an organization with ICS networks, 56% of the time the attack does affect operations. Admittedly, often these effects happen Colonial Pipeline style: perhaps the ransomware doesn't actually get onto operational portions of the network, but those operational portions are still shut down as a precaution to ensure that the ransomware doesn't migrate over there, that the ransomware doesn't have the potential to get into those most sensitive, most critical portions of the network. But even with Colonial Pipeline it was clear the attack caused the company to shut down delivery of critical gasoline supplies for days, and it caused fluctuations in the gasoline market. I was actually in Florida on vacation when this attack hit, and we had to go to three different gas stations before we could actually find gas, and after that we had to wait in line for about 25 minutes. So for the normal, average person, this attack definitely had real-world physical effects. So that's something to keep in mind. Some of you might be thinking, well, I thought this talk was going to talk about when ransomware does actually get onto ICS networks, and yes, it does, but this point about ransomware attacks that don't get on ICS portions of the network still having operational impact is important and one I wanted to be sure to make.

So, looking at the ransomware attack landscape overall for a minute, this graph shows most of the ransomware types the X-Force incident response team has remediated since 2018, and admittedly this includes both ICS and non-ICS companies, but I wanted to show this full picture just because there are some interesting trends I wanted to pull out. One thing you'll notice is that Ryuk ransomware holds the highest percentage of attacks we've seen, at 18% of all the ransomware attacks we've seen since 2018, more than any other. Sodinokibi, or REvil, ransomware comes in at a close second at 15% of attacks, and it's worth noting that this year, in 2021, that percentage is actually much higher; it was close to 40%. We'll see if it goes down closer to the end of the year, because they have gone out of business, hopefully for good. But they are second, and then WannaCry is 13%, and we have seen quite a bit of WannaCry ransomware actually get onto ICS portions of the network. This is in part because it's inherently difficult to patch ICS networks, and so it's hard to avoid that EternalBlue exploit. So whereas the rest of the world has kind of moved on from WannaCry, it's kind of a non-issue, everyone has patched against it, that's not true for all ICS environments, so I wanted to point that out.

Diving a little more into Ryuk specifically: the Ryuk ransomware group first appeared in August 2018, and assuming they have not shut down (we don't have clear indication of that, but I'm pretty sure they haven't), this makes them one of the longest-running ransomware groups. Most ransomware groups survive about 18 months before they fear law enforcement activity and will shut down, so they've been around for a long time. They also operate under a ransomware-as-a-service model, where central administrators contract out to affiliates the task of gaining initial access to victims of interest and actually deploying the ransomware, and those central administrators are often the ones who actually develop the ransomware code as well; they take a portion of the proceeds. So this is how their business operates, and even the affiliates themselves will sometimes contract out gaining initial access, so it's a huge business model, lots of cyber criminals working together, huge networks of activity, and we're seeing this become fairly sophisticated. X-Force assesses that at least one of the groups that has affiliated with Ryuk is a group we track as ITG08, also known as FIN6, one of those cyber criminal groups.

Early campaigns for Ryuk focused very heavily on using phishing emails deploying TrickBot and sometimes Emotet malware to gain initial access to targets of interest, and more recently Ryuk actors have used, again, phishing emails, but with things such as Buer Loader or BazarLoader, so they've kind of moved away from using TrickBot access. There was a lull in Ryuk activity from spring to fall 2020, and admittedly we are in another lull right now, but it's possible that lull will end. Once they started up again in fall 2020, their campaigns shifted to Cobalt Strike, BazarLoader and Buer Loader, and also, post 2020, they are known to act very swiftly and deploy ransomware sometimes within hours of gaining initial access to an environment. So that's extremely fast, faster than most other ransomware groups we're aware of. And then also earlier this year the French government released some analysis indicating that newer Ryuk variants have worm-like capabilities, and we're going to get into that a little more in the next few slides and talk about those implications.

In terms of industries Ryuk prefers to go after, this group loves hospitals, and whereas some ransomware groups, especially during the pandemic, have kind of stood down on attacking hospitals and medical facilities, this is definitely not the case for Ryuk, and if anything they seem to prefer this as a target. In October 2020 it attacked a U.S. hospital chain with more than 250 facilities, crippling all of these facilities and leading to some chaos, impeding some care for patients. So that's something to keep in mind; this group doesn't seem to hold back in this regard. In addition, Ryuk ransomware attackers have demonstrated a particular affinity for attacking large organizations that rely heavily on ICS networks, and within X-Force we've seen them especially go after manufacturing and transportation, both of which rely on ICS networks, and we know they also affect industrial distribution, oil and gas companies (we'll talk about some examples there), and energy and utilities as well. But most importantly about Ryuk, as I stated at the beginning, this is the ransomware strain that X-Force has most commonly seen get onto ICS networks, and not just on organizations that have ICS networks but actually on the ICS networks themselves. So that's definitely concerning, and it's not clear whether Ryuk actors are doing this intentionally or whether it has just happened by happenstance, if they just got lucky on multiple occasions, but what we can say for sure is that it has happened, and the fact that Ryuk tends to target organizations with ICS networks so heavily might automatically increase their chances of migrating into those more sensitive environments every now and then.

In one major example of Ryuk on ICS networks, in early 2020 it became public that Ryuk ransomware attackers had targeted at least five oil and gas organizations, and potentially more than this. These flurries of Ryuk attacks on similar organizations are fairly common; we've seen them do this against hospitals as well, and it's possible that we'll see a flurry of Ryuk attacks against a cluster of similar ICS organizations at some point again in the future. Comments by some observers close to these oil and gas victims suggest that Ryuk ransomware actually got onto ICS portions of the network in multiple of these incidents, so in at least two, maybe all five, the Ryuk ransomware did migrate over into the ICS portion. One of these incidents was explained in greater detail in a bulletin put out by the U.S. Coast Guard. The U.S. Coast Guard bulletin detailed that the threat actors first gained initial access to the environment through a phishing email, and this makes a lot of sense, since we know Ryuk actors, especially in 2018 and early 2020, were relying heavily on TrickBot phishing emails to gain initial access. From here, based on what X-Force has seen in other incidents, extrapolating from what we've seen, it's possible that the Ryuk actors deployed a PowerShell loader and then a Cobalt Strike Beacon, or potentially the Empire post-exploitation framework, to gain an initial foothold in the environment, and then the actors probably used SMB or WMIexec as well as credential harvesting techniques to move laterally throughout the network and eventually gain access to domain controllers. This point is really important, because from what X-Force has seen, this domain controller access is in some cases what has allowed Ryuk to gain access into ICS portions of the network. The Coast Guard bulletin didn't make clear exactly what they saw in the case they examined, but it's possible that domain controllers were also the crossover point in that particular case. The Coast Guard did indicate that poor segmentation played a role in the attack, and X-Force has seen the same: poor segmentation tends to play a role in Ryuk actors getting access to ICS networks. In the vast majority of ransomware attacks today, attackers are looking to gain access to domain controllers and from there deploy the ransomware, and in some cases it appears they can use domain administrator accounts, when combined with flat network designs, to also move into ICS portions of a network.

In the case of the attack on the natural gas compression facility that the U.S. Coast Guard bulletin talked about, the attack created a disruption to the entire IT or enterprise portion of the network, and I assume this to mean the attackers gained sufficient access to domain administrator accounts to deploy ransomware on nearly every device on the IT network. In addition, because the actors did gain access to ICS portions of the network, they were able to disrupt physical access and security cameras; they were also able to encrypt files that were critical to cargo transfer process control, so for this facility that was really critical. A report from CISA further indicated that the natural gas compression facility suffered loss of availability to human machine interfaces, or HMIs, as well as data historians and polling servers, and loss of view, because impacted assets could not receive or aggregate data from some of those lower-level operational technology devices. The attack did not affect programmable logic controllers, or PLCs, so the facility didn't actually lose control of operations, but they still decided to conduct a controlled shutdown of operations. As I said before, this is relatively common: whether ransomware gets on the ICS network or not, we often see this avenue chosen simply as a precaution, although in this case it was more than just a precaution. Primary facility operations were down for over 30 hours while the attack was investigated and remediated, and full remediation, especially of the IT network, I'm sure took even longer. So obviously this attack led to some pretty significant physical, real-world effects for this particular organization.

I mentioned previously that new versions of Ryuk ransomware now have worm-like capabilities, and I would like to return to that idea, because it's possible that this could have implications for organizations with ICS networks. The French government, and specifically the agency ANSSI, originally made this discovery of Ryuk's worm-like capabilities, so it's really to them that the credit for this discovery is due, but X-Force malware reverse engineers have also taken a look at recent Ryuk samples, and our analysis has shown that Ryuk strains tend to use the Address Resolution Protocol, or ARP, cache and the Internet Control Message Protocol, or ICMP, to enumerate network shares, then copy themselves to accessible shares using RPC, or remote procedure call, and execute remotely using scheduled tasks. So that's the mechanism by which this worming happens. But even beyond that, the fact that Ryuk might have worm-like capabilities is concerning because of the precedent we have for other worms that have gotten onto ICS networks. X-Force analysis of Ryuk malware showed that discovered samples were packed in loaders that were similar to those used in Emotet and TrickBot campaigns, and Emotet has been known to worm into ICS networks in the past, in some cases forcing manufacturers to reduce operations for weeks and therefore decreasing their revenue and really causing quite a bit of damage and concern for those environments. Another worm that has made its way onto ICS networks is Conficker. This is an old worm; it was first discovered in 2008, but it is still around, and X-Force just recently has found this worm on ICS networks as well, so that's a worm that's also concerning. And then the WannaCry ransomware worm has also wreaked havoc in ICS environments, in some cases costing corporations more than 170 million dollars in damages and requiring quite a bit of cleanup and remediation. So worms have been bad news for ICS environments in the past, and this new development of Ryuk ransomware having worm-like capabilities could potentially give Ryuk a higher likelihood of worming into ICS environments in the future, especially if that is a goal that the ransomware group members happen to have or something they're aiming to do.

So these developments are a little concerning, right? Ryuk getting onto ICS networks, ransomware adopting worm-like capabilities. But delving into these instances and looking at specific case studies can be powerful, because it can provide insight on what organizations can do to decrease the chances that these types of attacks might happen to them in the future. So this next slide will delve into just a few risk mitigation techniques that we see organizations can take to assist with the attack types we've been discussing today.

The first is segmentation, segmentation, segmentation, and I probably can't emphasize that enough. In every case where X-Force has observed Ryuk migrate over into ICS portions of a network, poor segmentation played a role. There are a lot of theories about how to most effectively segment ICS networks from their counterpart enterprise or IT networks. One thing that X-Force recommends is creating an industrial demilitarized zone between the two of them to create a buffer. Also, if you use domain controllers in your ICS network, be sure to disable any kind of internet access to them, since of course we have seen domain controllers as that critical access point. And ideally it should be possible to unplug the ICS network from the IT network, so that the enterprise IT network or the ICS network can maintain full operations without one another and there aren't those dependencies.

Second, when it comes to preventing ransomware attacks, X-Force has been working with our clients to really focus on guarding domain controllers and domain administrator accounts. In almost every ransomware attack we see today, ransomware attackers are going after domain controllers and domain administrator accounts, so reducing the number of these accounts in a network to the absolute minimum, locking domain administrator accounts to domain controllers so that they can't be accessed in any other way, disabling local administrator rights for all accounts, and then closely monitoring and auditing any domain administrator accounts that you do have can help make it more difficult for ransomware attackers to gain access to those networks.

Third, we recommend working ICS networks into your incident response plan for ransomware. Having and drilling a response plan for ransomware is imperative, because especially these days it's often not a question of if but when, and sometimes organizations, even if they have ICS networks, are not considering the ICS ramifications. So if ransomware did get onto an ICS network, or even if it didn't, what would be the proper procedures to respond? When would an ICS network have to be shut down, and should it be shut down even if there's not ransomware on that network? These are worth thinking through, and CISA has provided guidance that can be helpful in establishing an ICS-relevant ransomware plan, and also recommends considering the full range of impacts to ICS environments that a cyber attack might have.

So from there, I don't know if we have any time left for questions. I'd be happy to take questions, or you are welcome to come up to me afterwards or contact me afterwards, and I would be happy to continue the discussion from there. How are we doing on time? Four minutes, okay. Do we have a microphone for questions, or no? You can, yes, just be really loud.

Speaker: Okay, yeah, so the question was just about the phishing email to the PowerShell loader, were there any additional steps in there? And yes, there were a couple more steps that did take place in there. Specifically, it was a Microsoft Office document that, it appears, dropped that particular PowerShell loader. And I should specify, even before the PowerShell loader, it dropped TrickBot. So it would be TrickBot, and sometimes Emotet, and then a PowerShell loader. They're using a lot of different tools, especially in that stage where they're gaining persistence on the network.

Audience member: So I was just curious why your slides were labeled TLP:AMBER, just out of curiosity.

Speaker: Yeah, and that's just because there is information in here that comes from X-Force incident response, from work with our clients, and so I would just ask that you keep this information here. I'm happy to share it, but we do want to be careful about how we're sharing information about our clients.

Audience member: Is Ryuk one of those ransomwares where you can actually get your files back if you pay them the money, or do they not implement the decryption part of the ransomware?

Speaker: So you're asking, do Ryuk decryptors work? Yes. So we have seen the decryptor work; we have seen people pay the ransom and then they do actually get their files back. There are a lot of ins and outs on how that happens. Some organizations have trouble using the decryptor even if they pay for it and get it, and even if it does technically work, sometimes it can take a couple of tries to figure out exactly how to make it work correctly, and some ransomware groups provide services to assist organizations through that process. We have seen instances where people buy the decryptor and then the ransomware group disappears and they can't get the decryptor to work, so they've paid the ransom, they have the decryptor, but they're not able to get it to work. So there are a lot of caveats there, but bottom line, yes, we have seen Ryuk's decryptor work. I will say we have seen other ransomware groups, these are usually smaller, less sophisticated groups, where the decryptor does not work and it's broken, and there are some mistakes that the malware developers created, and so even if you use the decryptor it wouldn't be able to work. But as our malware reverse engineers have picked apart the ransomware and have tried to figure out how the decryption mechanism works, we've actually been able to build a decryptor ourselves to decrypt the ransomware. That's happened twice now, so you can go read about those two instances on our blog: one is Thanos ransomware, and the other was just ransomware. So sometimes that happens, but the larger groups like Ryuk, their decryptors do tend to work and their encryption mechanisms do tend to be very sophisticated. All right, I think that's all the questions we have time for, but thank you very much for your attention. [Applause]
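The spread mechanism described in the talk (copy to accessible shares, then remote execution through scheduled tasks) and the recommendation to closely monitor administrative access suggest a simple correlation a defender can run over host logs. This is an added example, not part of the talk or of X-Force's tooling; the records are constructed sample data shaped like Windows Security events 5140 (network share accessed) and 4698 (scheduled task created), and the ten-minute window and fan-out threshold are assumptions.

```python
"""Correlate remote admin-share access with scheduled-task creation.

Constructed example: event 5140 against C$/ADMIN$ followed on the same host
by event 4698 is the trace left when a file is copied to an admin share and
then launched through a remote scheduled task. One source address producing
that pattern on several hosts is the fan-out a worming sample would leave.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    host: str            # computer the event was logged on
    event_id: int        # 5140 = share accessed, 4698 = scheduled task created
    source_ip: str = ""  # client address (5140 only)
    share: str = ""      # share name (5140 only)
    task: str = ""       # task name (4698 only)


ADMIN_SHARES = {"C$", "ADMIN$", "D$"}
WINDOW = timedelta(minutes=10)  # assumed: how soon the task must follow the copy


def correlate(events, window=WINDOW):
    """Return (host, source_ip, task) for each scheduled task created within
    `window` after a remote access to an administrative share on that host."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.time):
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        recent = []  # (time, source_ip) of admin-share accesses seen so far
        for e in evs:
            if e.event_id == 5140 and e.share.upper() in ADMIN_SHARES:
                recent.append((e.time, e.source_ip))
            elif e.event_id == 4698:
                # Pair the task with the most recent share access inside the window.
                for t, ip in reversed(recent):
                    if e.time - t <= window:
                        alerts.append((host, ip, e.task))
                        break
    return alerts


def fan_out(alerts, threshold=3):
    """Source addresses whose pattern appears on at least `threshold` hosts."""
    hosts_by_ip = {}
    for host, ip, _ in alerts:
        hosts_by_ip.setdefault(ip, set()).add(host)
    return {ip for ip, hosts in hosts_by_ip.items() if len(hosts) >= threshold}


T0 = datetime(2020, 2, 1, 2, 0, 0)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    Event(T0, "WS01", 5140, source_ip="10.0.5.20", share="C$"),
    Event(T0 + timedelta(seconds=85), "WS01", 4698, task="Update"),
    Event(T0 + timedelta(minutes=3), "WS05", 5140, source_ip="10.0.5.20", share="ADMIN$"),
    Event(T0 + timedelta(minutes=4), "WS05", 4698, task="Update"),
    Event(T0 + timedelta(minutes=6), "WS06", 5140, source_ip="10.0.5.20", share="C$"),
    Event(T0 + timedelta(minutes=7), "WS06", 4698, task="Update"),
    # Benign: task created with no prior remote admin-share access.
    Event(T0 + timedelta(hours=1), "WS02", 4698, task="Backup"),
    # Benign: access to an ordinary file share, not an admin share.
    Event(T0 + timedelta(hours=2), "WS03", 5140, source_ip="10.0.9.7", share="Public"),
    Event(T0 + timedelta(hours=2, minutes=1), "WS03", 4698, task="Sync"),
    # Outside the window: too long between the copy and the task creation.
    Event(T0 + timedelta(hours=3), "WS04", 5140, source_ip="10.0.9.7", share="C$"),
    Event(T0 + timedelta(hours=3, minutes=30), "WS04", 4698, task="Cleanup"),
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host, ip, task in found:
        print(f"{host}: task {task!r} created shortly after {ip} accessed an admin share")
    print("possible worm-like fan-out from:", fan_out(found))
```

The same pairing can be done per domain controller to catch the domain-admin-driven deployment the talk describes, since the events are the same; only the host set changes.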