By Gregory Hale
No one can deny ransomware is a problem hitting the manufacturing automation sector, so much so that companies are getting stopped in their tracks after suffering an attack. Just ask Maersk, FedEx and Merck to name a few.

Over the 2016-2017 time frame it appeared more factories were suffering from ransomware attacks, so Stephen Hilt, senior threat researcher at Trend Micro, and his team decided to put together a realistic virtual factory, or honeypot, to understand why these companies were being held for ransom.

“We wanted to see what was being held for ransom,” said Hilt during his presentation at the S4x20 conference in Miami last week. “We learned more about the process.”

The honeypot went live May 6 last year, and they shut it down right before Christmas. He said that at first they saw a little activity, but no full-fledged attacks.

“Between May 6 and July 24 we had very little activity,” he said. “But in late June and early July we opened it up and it showed more activity; then we started to see more action. An actor came in and installed a Python installer. Someone came in and installed a backdoor and we were pretty excited. We had a ransomware attack.”

The resulting ransomware attack on the virtual factory shut down the facility.

“The ransomware attack had us down for four days,” Hilt said. “We tried to look like a real victim. They were asking for $10,000, but we negotiated and dropped it down to $6,000. We interfaced with the actor to gauge their knowledge.”

The virtual company officials sent an email to the attackers asking them to decrypt a file as an example, to make sure that they did in fact have the decryption key.

“During this part of our exchange, we acted the part of a disgruntled company representative asking why the threat actor was doing this in the first place,” Hilt said. “They answered succinctly and obliged us by decrypting a sample file. We sent them the conveyor belt PLC programing file (Omron CXP file), which they decrypted accordingly, suggesting they were unaware we had in fact sent them an important file.”

That exchange was very telling for the Trend Micro team.

“Their knowledge of control systems was minimal,” Hilt said.

While it was a virtual environment and not a real factory, Hilt said the “factory was down for four days while we negotiated. If we didn’t have that backed up, it would have been a very costly attack.”

After the initial attack, the virtual company suffered other attacks which varied in terms of severity.

One attack came from what they said was a “good guy attacker. The person wrote a note saying we had an open port and you should create a password.”

Hilt and his team learned a great deal about attacks and how a solid honeypot should work. One white hat researcher even found the virtual company on the Internet and reported it to the proper authorities. Hilt and his team then reached out to the researcher to let him know it was a honeypot and not to worry about it. Hilt said the researcher told them it was one of the most realistic fake companies he had ever seen.

The researchers concluded if you want to run a high-functioning honeypot, daily interactions are needed. In addition, you have to deal with incidents as they happen. Do not wait, otherwise you will see your honeypot collapse. Also, Hilt said, “don’t put control systems on the Internet, ever.”

“Our findings from this honeypot experiment should serve as cautionary examples for organizations, particularly those that run ICSs and smart factories, to ensure that adequate security measures are in place on their systems,” Hilt said.
