Proof-of-concept ransomware to poison the water supply

Ransomware is a big problem.

Home users and organisations around the world have found themselves at the sharp end of high profile attacks that have encrypted their files, and demanded substantial amounts of money for their data’s safe recovery.

The extortionists are earning themselves a fortune, as computer users and businesses feel compelled to pay up if they hadn’t taken adequate preventative steps before the attack took place.

This is the present we’re living in. But what might the future of ransomware look like?

Researchers at Georgia Institute of Technology painted one picture this week, presenting their exploration of how ransomware could potentially attack industrial control systems (ICS), and demonstrating how new malware threats might target core infrastructure, holding entire cities hostage.

In their paper, “Out of Control: Ransomware for Industrial Control Systems”, the researchers describe how they developed their own proof-of-concept ransomware that was able to hijack control of a simulated water treatment plant, and poison the water supply.

“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom. In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine can create a bad reaction that would make the water unsafe.”

The threat of such an attack, which would, of course, put the public’s safety at risk, could justify a much higher ransom demand than those typically made of businesses and home users.

Even where there is little prospect of danger to human life, the risk of an industrial ransomware attack causing downtime and putting equipment health and worker safety at risk could make industrial systems an attractive target for some criminals.

History suggests that ICS networks, like schools and hospitals, have struggled to keep pace with modern security practices to combat digital attacks. In the case of educational and medical facilities that has often been because of a lack of funding, but with industrial control system networks it is more likely due to the relative rarity of real-world attacks and the perception that there are few threats out there.

But if criminals perceive that ICS systems could be a big cash cow then that could change very quickly, and key services may wake up to the fact that it may not be only state-sponsored attackers from another country who are interested in hacking into their networks.

As ESET security specialist Mark James explains, the right response is not to panic but to take sensible steps to reduce threat exposure by adopting a layered defence:

“Usually targeted malware is configured and aimed at a particular industry or sector. With so much of our industry digitally operated or maintained this could prove in its worst case scenario very bad indeed. But the same rules apply to any area that may be the target of ransomware, it has to be installed and it has to be able to gain complete control. With the right levels of security we can limit its attack vector and have mechanical failsafes to override anything software can instigate.”

“All environments in our digital world are susceptible to attack and need to be protected. Making sure operating systems, applications and security programs are kept up-to-date is one of the first lines of defence and one that often is overlooked or just not possible on bespoke systems designed to do a single task or job.”
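The “mechanical failsafes to override anything software can instigate” idea above can be illustrated with an independent dosing interlock that does not trust the supervisory controller. This is an added example, not code from the Georgia Tech paper or from ESET; the chlorine limits, rate limit and command stream are constructed values.

```python
"""Independent chlorine-dosing interlock (added example, constructed limits).
The supervisory layer (HMI/SCADA) may be compromised; the interlock sits below it,
clamps every setpoint to hard engineering limits, limits rate of change, and
records an alarm whenever it had to alter a command."""
from dataclasses import dataclass, field


@dataclass
class ChlorineInterlock:
    # Constructed engineering limits for residual chlorine in mg/L (assumption)
    min_residual: float = 0.2
    max_residual: float = 4.0
    max_step: float = 0.5          # largest allowed change per command
    last_setpoint: float = 1.0     # last setpoint actually applied
    alarms: list = field(default_factory=list)

    def enforce(self, requested: float, source: str) -> float:
        """Return the setpoint actually applied; log why it was altered."""
        applied = requested
        # Hard limits: nothing upstream can push dosing outside the safe band
        if not (self.min_residual <= applied <= self.max_residual):
            applied = min(max(applied, self.min_residual), self.max_residual)
            self.alarms.append(
                f"{source}: setpoint {requested} outside hard limits, clamped to {applied}")
        # Rate limit: a sudden jump is itself suspicious and is slowed down
        if abs(applied - self.last_setpoint) > self.max_step:
            direction = 1 if applied > self.last_setpoint else -1
            applied = self.last_setpoint + direction * self.max_step
            self.alarms.append(
                f"{source}: rate-of-change exceeded, limited to {applied}")
        self.last_setpoint = applied
        return applied


def run_scenario() -> tuple[list[float], list[str]]:
    """Constructed command stream: two normal adjustments, then a hostile
    supervisory layer repeatedly demanding a large chlorine dump."""
    commands = [("hmi", 1.2), ("hmi", 1.5), ("hmi", 25.0), ("hmi", 25.0)]
    lock = ChlorineInterlock()
    applied = [lock.enforce(value, src) for src, value in commands]
    return applied, lock.alarms


if __name__ == "__main__":
    setpoints, alarms = run_scenario()
    print("applied setpoints:", setpoints)
    print("\n".join(alarms))
```

The alarms are the detection signal: an operator seeing repeated clamp and rate-limit events from the HMI knows the supervisory layer is issuing commands it never should.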

Ransomware attacks against water treatment systems aren’t happening yet. It’s important to note that what the researchers achieved was just a simulation, not a real world exercise. But by painting a worrying picture of a potential future, they may have helped raise awareness amongst those who protect critical infrastructure to take the threat seriously.

As ever, being prepared and taking steps to reduce the risk now is a lot easier than trying to mop up the mess later.

Author Graham Cluley, We Live Security

  • Big Mac

    Well …like I’ve been telling my sister for the last 10-15 YEARS, there isn’t enough time, space, or other that will protect ANY computerized system….no matter how much you pay. Can YOU, or businesses, really ‘afford’ to keep ahead of the curve? Can you afford not to when your money is online and exposed to threats daily? No one is hack proof. Not an expert, but I rather suspect with the ‘tens of thousands’ of computer literates out there, that tens of thousands of computer systems are being breached at whim or will…and nobody the wiser. That being said, I don’t buy into ‘simulation’ as easily as some might. I mean, if you’re going to preach it, sell it, then DO IT…and let’s go from there. Just because joe blow can ‘simulate’ ‘how to’ ‘anything’, doesn’t mean HE CAN do it. I maintain, there isn’t enough time or space to protect against threats when they are online, or computerized. Like my money, and bank accounts, they are NOT EVER online, or computerized from my end, for the sole reason I don’t want to worry about it being hacked from my end. The greatest protection for water companies is to do what needs to be done manually, and have several people who know how to do it manually. Computers are not error free, they have their glitches. A computerized ‘glitch’ could wreak havoc and poison the water supply by adding too many chemicals etc.; it doesn’t take a hack to do it. It could even shut down, and just stop working. What you have above is a school project designed to do what it did, by the people who did it. I’m sure what (you/they) are selling is (an idea) that’s not ever going to be tamper proof, not even if you sign up for 25 years of ongoing protection services. Once it’s ‘layered’, it gets too complicated, then it won’t be fixable by man/manually…then you really have a problem. It’s been 2 yrs or so since a patient in a hospital overdosed when his morphine machine didn’t shut off. Cars still break down. Tires still go flat.
And, needless to say, I’ve lost 2 computers to viruses when covered by the Symantec Norton anti-virus software. I’ve had 5 companies contact me to inform me that their computer systems have been hacked. Can we even talk about WikiLeaks or the White House? Russia? So in closing, and with all due respect, I don’t know what you’re selling. Just sayin’.

    • Nigel Tolley

      It isn’t that hard to eliminate the vast majority of threats from “cyber cyber cyber” – just stop trying to save a few dollars by putting the devices on the Internet!
      Either stick with sending staff to site, or implement proper LAN/WAN secure networking. But simply sticking a simple PLC on the Internet through VNC? That’s a disaster in the making once it is listed on Shodan.

Copyright © 2018 ESET, All Rights Reserved.