LogicLocker is a cross-vendor ransomware worm that targets Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS). First described in a research paper from the Georgia Institute of Technology, the malware is capable of hijacking PLCs from several popular vendors. Using a model of a water treatment plant, the researchers demonstrated the ability to display false readings to operators, shut valves and raise chlorine release to poisonous levels, using a Schneider Modicon M241, a Schneider Modicon M221 and an Allen-Bradley MicroLogix 1400 PLC. The ransomware is designed to bypass the weak authentication mechanisms found in many PLCs, lock out legitimate users and plant a logic bomb in the PLC. As of 14 February 2017, over 1,400 PLCs of the same models used in the proof-of-concept attack were reachable from the Internet, according to a Shodan search.
The attack method used by LogicLocker has five stages: initial infection, horizontal and vertical movement, locking, encryption and negotiation. Initial infection can take place through various vulnerability exploits; because ICS devices are typically always on, attackers have ample time to attempt a compromise, and PLCs generally lack strong authentication mechanisms to protect themselves. Initial infection could also begin with a user opening a malicious email attachment. Once a PLC is infected, the malware can move horizontally to other PLCs or vertically into the corporate network, depending on the capabilities of the PLC. The next stage is locking, in which the attacker locks out legitimate users to inhibit or prevent restoration efforts. This can be done through password changes, OEM locking, over-utilization of PLC resources or changing the device's IP address and ports; these locking methods vary in their effectiveness and in how hard they are to undo. To further ensure a successful attack, encryption is employed, following traditional crypto-ransomware practice, to give the attacker leverage in the subsequent negotiation. Lastly, the attacker and victim negotiate over restoration of service. Some PLCs contain an email capability that can be used to send the ransom message, as was the case with the MicroLogix 1400 PLC used in the proof-of-concept attack.
Several strategies can be employed to defend against this threat and mitigate the underlying weaknesses.
Endpoint security measures such as changing passwords (in particular vendor defaults), disabling unused ports and protocols, implementing access control lists (ACLs), maintaining proper backups and applying firmware updates should be used. Together these significantly reduce the attack surface presented to cyber-criminals.
Increased and vigilant network monitoring should be used to detect anomalies. Protocol whitelisting on firewalls, network segmentation and automated backups provide additional protection and reduce restoration time, provided the backups themselves were not compromised in the attack.
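As an added illustration of the protocol whitelisting and network monitoring described above (example code written for this page, not code from the paper or from any of the cited sources), the script below applies a default-deny flow allowlist to a constructed connection log. The subnets, the PLC protocol ports (Modbus/TCP 502 for the Modicon M221/M241 and EtherNet/IP 44818 for the MicroLogix 1400) and the log lines are all assumptions made for the example. Each denied flow is labelled with the LogicLocker stage it would correspond to: PLC-to-PLC traffic (horizontal movement), a PLC initiating an outbound connection (vertical movement, or the e-mail ransom note the MicroLogix 1400 can send), PLC protocol access from a host outside the engineering subnet, or an unexpected port on the control segment.

```python
"""Flow-allowlist check for a PLC network segment.

Added example; not code from the LogicLocker paper. Subnets, ports and the
log lines below are constructed for illustration. The assumed log format is
'<timestamp> <src_ip> <dst_ip> <dst_port>', one flow per line, as a firewall
or NetFlow export might produce.
"""
import ipaddress
from typing import NamedTuple, Optional

# Assumed layout: controllers on one segment, engineering workstations (the
# only hosts that should program or poll PLCs) on another.
PLC_NET = ipaddress.ip_network("10.10.20.0/24")
ENG_NET = ipaddress.ip_network("10.10.10.0/24")

# PLC protocol ports assumed for the controllers in the proof of concept:
# Modbus/TCP (502) for the Modicon M221/M241, EtherNet/IP (44818) for the
# MicroLogix 1400.
PLC_PORTS = {502, 44818}

# Protocol whitelist: (source network, destination network, permitted ports).
# Any other flow that touches the PLC segment is denied by default.
ALLOW = [
    (ENG_NET, PLC_NET, PLC_PORTS),
]


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def check(flow: Flow) -> Optional[str]:
    """Return None if the flow is allowed, else a reason it should be alerted on."""
    src_plc = flow.src in PLC_NET
    dst_plc = flow.dst in PLC_NET
    if not (src_plc or dst_plc):
        return None  # does not touch the control segment; out of scope here
    for src_net, dst_net, ports in ALLOW:
        if flow.src in src_net and flow.dst in dst_net and flow.dport in ports:
            return None
    # Denied: describe the flow in terms of the LogicLocker attack stages.
    if src_plc and dst_plc:
        return "PLC-to-PLC traffic (possible horizontal movement)"
    if src_plc:
        return "PLC-initiated outbound connection (vertical movement or ransom e-mail)"
    if flow.dport in PLC_PORTS:
        return "PLC protocol access from a non-engineering host"
    return "unexpected port on the control segment"


def audit(lines):
    """Run check() over log lines; return (ts, src, dst, port, reason) per alert."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        reason = check(f)
        if reason is not None:
            alerts.append((f.ts, str(f.src), str(f.dst), f.dport, reason))
    return alerts


# Constructed sample export: two legitimate engineering sessions followed by
# one flow for each kind of denial the check distinguishes.
SAMPLE_LOG = """\
2017-02-14T09:00:01 10.10.10.5 10.10.20.11 44818
2017-02-14T09:00:07 10.10.10.7 10.10.20.12 502
2017-02-14T09:01:12 192.168.1.44 10.10.20.12 502
2017-02-14T09:02:30 10.10.20.12 10.10.20.13 502
2017-02-14T09:03:05 10.10.20.11 203.0.113.25 25
2017-02-14T09:04:40 10.10.10.5 10.10.20.11 23
"""

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG.splitlines()):
        print("ALERT", *alert)
```

Running the script prints one ALERT line for each of the last four sample flows. In practice the same allowlist would be expressed as firewall rules on the segment boundary (the prevention side), and this check would run over the firewall's own logs to catch what was misconfigured or slipped through. The check is stateless and per-flow: a legitimate engineering workstation that was itself compromised through a phishing attachment would pass it, which is why the training, backup and incident-response measures remain necessary.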
Training employees to recognise phishing emails, prohibiting removable USB devices and maintaining a comprehensive incident response plan also help counter this threat.
- Formby, D., Durbha, S., & Beyah, R. (n.d.). Out of Control: Ransomware for Industrial Control Systems. Georgia Institute of Technology. Retrieved from http://www.cap.gatech.edu/plcransomware.pdf
- "A Malware Experiment Foreshadows Factories Held for Ransom".
- Chirgwin, Richard (15 February 2017). "Meet LogicLocker: Boffin-built SCADA ransomware". The Register. Retrieved 2017-02-20.
- "Proof-of-concept ransomware locks up the PLCs that control power plants". Boing Boing. 2017-02-14. Retrieved 2017-02-20.
- Khandelwal, Swati. "This Ransomware Malware Could Poison Your Water Supply If Not Paid". The Hacker News. Retrieved 2017-02-20.