Ransomware is a big problem.
Home users and organisations around the world have
found themselves at the sharp end of high profile attacks that have encrypted
their files, and demanded substantial amounts of money for their data’s safe
recovery.
The extortionists are earning themselves a fortune,
as computer users and businesses feel compelled to pay up if they hadn’t taken adequate
preventative steps before the attack took place.
This is the present we’re living in. But what might
the future of ransomware looks like?
Researchers at Georgia Institute of Technology
painted one picture this week, presenting their exploration of how ransomware
could potentially attack industrial control systems (ICS), and demonstrating
how new malware threats might target core infrastructure, holding entire cities
hostage.
In their paper, “Out of Control: Ransomware for Industrial Control
Systems”, the researchers describe how they developed their own
proof-of-concept ransomware that was able to hijack control of a simulated
water treatment plant, and poison the water supply.
“We were able to simulate a hacker who had gained
access to this part of the system and is holding it hostage by threatening to
dump large amounts of chlorine into the water unless the operator pays a
ransom. In the right amount, chlorine disinfects the water and makes it safe to
drink. But too much chlorine can create a bad reaction that would make the
water unsafe.”
The threat of such an attack which would, of
course, put the public’s safety at risk could merit the demand for a much
higher ransom to be paid than those typically requested from businesses and
home users.
Even if there is little prospect of danger to human
life, the risk of an industrial ransomware attack causing downtime, and putting
equipment health and worker safety at risk could make them an attractive target
for some criminals.
History suggests that ICS networks, like schools
and hospitals, have struggled to keep pace with modern security practices to
combat digital attacks. In the case of educational and medical facilities that
has often been because of a lack of funding, but with industrial control system
networks it is more likely due to the relative rarity of real-world attacks and
the perception that there are few threats out there.
But if criminals perceive that ICS systems could be
a big cash cow then that could change very quickly, and key services may wake
up to the fact that it may not be only state-sponsored attackers from another
country who are interested in hacking into their networks.
As ESET security specialist Mark James explains,
the right response is not to panic but to take sensible steps to reduce threat
exposure by adopting a layered defence:
“Usually targeted malware
is configured and aimed at a particular industry or sector. With so much of our
industry digitally operated or maintained this could prove in its worst case
scenario very bad indeed. But the same rules apply to any area that may be the
target of ransomware, it has to be installed and it has to be able to gain
complete control. With the right levels of security we can limit its attack
vector and have mechanical failsafes to override anything software can
instigate.”
“All environments in our digital world are
susceptible to attack and need to be protected. Making sure operating systems,
applications and security programs are kept up-to-date is one of the first
lines of defence and one that often is overlooked or just not possible on
bespoke systems designed to do a single task or job.”
Ransomware attacks against water treatment systems
aren’t happening yet. It’s important to note that what the researchers achieved
was just a simulation, not a real world exercise. But by painting a worrying
picture of a potential future, they may have helped raise awareness amongst
those who protect critical infrastructure to take the threat seriously.