A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.
Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack and they can also terminate critical system processes so that they can encrypt files associated with these applications in an effort to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.
According to FireEye, there are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.
While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.
“We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT,” FireEye explained. “While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.”
In the case of the first li ..
Support the originator by clicking the read the rest link below.
