Ransomware, ICS, SCADA, RansomHub

Ransomhub Targets SCADA of Spanish Bio Energy Plant 

The protection of Industrial Control Systems (ICS) has emerged as a significant concern across all sectors. The security challenges surrounding ICS environments and the essential measures needed to protect vital operations in every industry are undeniable. Since 2022, numerous cyberattacks exploiting loopholes in ICS environments have led to severe repercussions, impacting not just organizations but also critical national infrastructure. These incidents have disrupted public services and governance, underscoring the urgent need for robust security measures to safeguard against such threats. 

In a recent post, the newly emerged ransomware group Ransomhub claimed an attack on the Spanish abattoir Matadero de Gijón. Given the nature of its business, the company depends on ICS for production and other operational requirements.

Figure 1: Ransomhub posts on their DLS 

Ransomhub, besides making ambiguous claims to have encrypted and exfiltrated over 400 GB of data in the detailed post (and 15 GB in its initial description of the victim), claimed access to Gijón's Supervisory Control and Data Acquisition (SCADA) system that controls the Bio-Energy Plant. Ransomhub posted two screenshots indicating that it had gained access to the Digestor controls and the heating system of the biogas plant, and that it retained access to these systems as late as May 18, 2024.

Figure 2: SCADA system allegedly controlling the Digestor Tank operations of Gijón’s Bio-Energy Plant 

Figure 3: SCADA system allegedly controlling the Heating Systems of Digestor Tank 

Ransomhub Infamous Beginnings  

Ransomhub Ransomware-as-a-Service (RaaS) first emerged in February 2024, following a post by the threat actor (TA) koley on the cybercrime forum RAMP. According to the post, the locker is written in Golang and C++, uses an asymmetric scheme based on x25519, and offers AES-256, ChaCha20, and XChaCha20 as symmetric ciphers for faster encryption. The RaaS prohibits targeting organizations in CIS countries, Cuba, North Korea, and China, consistent with the pro-Russian stance common among ransomware groups.

Figure 4: TA koley’s RaaS advertisement thread on the RAMP forum 

Ransomhub has since claimed attacks on 68 organizations, the majority of them in the IT & ITES sector and in the United States.

Figure 5: Ransomhub threat profile 

Ransomhub has been actively recruiting affiliates since its post on the RAMP forum, and attempted to poach ALPHV/BlackCat affiliates after that group's exit scam in March 2024. This was evident when it briefly listed organizations earlier targeted by ALPHV/BlackCat on its DLS and subsequently deleted them. The same victims later appeared on LockBit's leak site, indicating that Ransomhub's RaaS has garnered little interest from the affiliate network.

Ransomhub has made repeated attempts to gain visibility in the ransomware landscape, first by trying to capitalize on the Change Healthcare ransomware incident and now by claiming attacks on SCADA systems.

Figure 6: Ransomhub’s claims of possessing Change Healthcare data in a post that was deleted later 

Further, Cyble Research & Intelligence Labs (CRIL) has identified Ransomhub's dealings with prominent Initial Access Brokers (IABs) on Russian-language cybercrime forums, from whom it purchases compromised access; this indicates the group's primary vector for infiltrating victims' networks.

Conclusion 

The recent RansomHub claim against SCADA systems serves as a stark warning for organizations that expose Industrial Control System (ICS) assets to the internet. It highlights the growing interest of ransomware groups in compromising ICS environments, particularly where numerous devices are reachable through Virtual Network Computing (VNC).

The risk of similar attacks is significantly amplified in such setups, a concern highlighted by CRIL time and again. Our warnings about the security weaknesses in internet-exposed ICS assets are now proving prescient, urging a critical reassessment of cybersecurity strategies to safeguard these crucial infrastructures from increasingly sophisticated cyber threats. Cyble researchers anticipate a potential increase in ransomware groups targeting OT environments and their components in the near future. This prediction aligns with the evolving landscape of cyber threats, especially in critical infrastructure sectors. 

Recommendations

  • Minimize network exposure for all control system devices and/or systems by implementing proper network segmentation and ensuring they are not accessible from the Internet. This strategy helps contain potential breaches and prevents lateral movement within the network, thereby enhancing overall security. 

  • Implement a robust patch management strategy to promptly address vulnerabilities in software and systems. Ensure that security patches are regularly applied to all devices and applications, prioritizing critical updates to mitigate potential risks effectively. OT asset patching and prioritization involve systematically updating operational technology systems to safeguard against vulnerabilities while ensuring minimal disruption to critical processes. 

  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

  • Organizations are encouraged to review logs for any unknown, unexpected, or unauthorized access to, or changes on, devices. Organizations should also monitor for unexpected activity, such as unexpected reboots, large transfers to unknown IP addresses, and gaps in logging, which may indicate that logging services have been disabled.

  • Gaining granular visibility into OT/IT assets is vital for comprehensive security management. Detailed asset inventories, continuous network monitoring, and endpoint detection solutions provide insights into device statuses, configurations, and activities. This visibility helps in identifying vulnerabilities, detecting anomalies, and ensuring compliance with security policies, thereby enhancing overall security posture. 

  • Implement an incident response plan for ransomware attacks and prepare organizations to act swiftly and effectively in the event of an attack. This plan outlines steps for detection, containment, eradication, and recovery, minimizing downtime and data loss. Regular testing and updating of the plan ensure readiness, while post-incident reviews help refine strategies to prevent future incidents. 
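As an added illustration of the log-review recommendation above (example code written for this article, not Cyble's or RansomHub's), the script below flags the three indicators named in the list: unexpected reboots, large transfers to IP addresses outside the trusted range, and gaps or silence in a device's logging. The log format, the trusted 10.0.0.0/8 range, the 50 MB threshold and the 15-minute gap limit are all assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed OT/IT address space
LARGE_TRANSFER_BYTES = 50_000_000                   # assumed threshold: 50 MB
MAX_LOG_GAP = timedelta(minutes=15)                 # assumed max silence per device

# Constructed sample: chronological, "<ISO timestamp> key=value ..." (assumed format).
SAMPLE_LOGS = [
    "2024-05-18T08:00:00 host=hmi-01 event=heartbeat",
    "2024-05-18T08:02:00 host=plc-02 event=heartbeat",
    "2024-05-18T08:05:00 host=hmi-01 event=heartbeat",
    "2024-05-18T08:06:00 src=10.0.1.5 dst=10.0.2.9 bytes=1200",
    "2024-05-18T08:07:00 src=10.0.1.5 dst=203.0.113.7 bytes=4200000000",
    "2024-05-18T09:00:00 host=hmi-01 event=reboot",
]

def parse(line):
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def unknown_ip(ip):
    return not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def detect(lines):
    alerts, last_seen, latest = [], {}, None
    for e in map(parse, lines):
        latest = e["ts"]
        host = e.get("host")
        if host:
            # A device that stops logging and then reappears shows up as a gap.
            if host in last_seen and latest - last_seen[host] > MAX_LOG_GAP:
                alerts.append(("log_gap", host))
            last_seen[host] = latest
            if e.get("event") == "reboot":
                alerts.append(("unexpected_reboot", host))
        if "dst" in e and int(e.get("bytes", 0)) >= LARGE_TRANSFER_BYTES \
                and unknown_ip(e["dst"]):
            alerts.append(("large_transfer_unknown_ip", e["dst"]))
    # A device that never reappears is silent relative to the newest event.
    for host, ts in last_seen.items():
        if latest - ts > MAX_LOG_GAP:
            alerts.append(("log_silence", host))
    return alerts

if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOGS):
        print(f"ALERT {kind}: {subject}")
```

In production the same checks would run over the device's real syslog or firewall export with thresholds tuned to its baseline, since an HMI that legitimately logs only hourly would otherwise trigger constant gap alerts.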


The post Ransomware Menace Amplifies for Vulnerable Industrial Control Systems: Heightened Threats to Critical Infrastructure  appeared first on Cyble.