National Critical Infrastructure Under Attack: Clop Ransomware

On August 15, 2022, a UK water supplier experienced disruptions to essential services within their corporate IT systems. The hackers used a remote access software platform that had been dormant for months.

This is another NCI nation-state ransomware attack.

AppSec/API Security 2022

Recent criminal cyber activity on IT infrastructure on Monday caused a UK water supplier to disrupt its business IT systems. The company insists its water supply has not been affected. The UK water company has confirmed that it has activated its business continuity plan and cybersecurity response plan, while notifying UK law enforcement authorities.

According to a report on ringing computer, the Clop ransomware gang has claimed responsibility for an attack on a British water company. The cybercriminals claim that the water of the Thames and not South Staffordshire was the target. The fallout from the cyberattack on the UK’s water supply system

SCADA systems were allegedly breached by Clop ransomware, which threatened to harm consumers of the UK’s water supply. Although it did not encrypt its victims’ PCs, the gang claims to have accessed 5 terabytes of data during the attack. Even with multiple layers of critical infrastructure control, this type of activity continues to be a global problem, not just in the UK.

Clop is a ransomware variant of CryptoMix developed in Russia. Clop uses several strategies to evade discovery and prevent analysis. To prevent the file from running if it detects that it is running in an emulated environment, the virus uses anti-scanning and anti-virtual machine (VM) tactics. Additionally, the ransomware tries to disable Windows Defender and remove Microsoft Security Essentials.

As industrial systems connect to the internet to take advantage of cloud analytics, devices have become more vulnerable to cyberattacks. Industrial control systems (ICS) and the Internet of Things (IoT) are particularly vulnerable to cyber threats due to inappropriate OT security systems and vulnerabilities within the product.

During production, critical infrastructure equipment such as intelligent building control systems, fire and security systems, traffic control systems, smart lighting, telematics devices, industrial controllers, medical devices and sensor systems are prone to attack because they are not patched frequently.

The majority of Operational Technology (OT), Internet of Things (IoT), and Industrial IoT (IIoT) devices are not designed to align with cybersecurity.

Cybercriminals target OT because of their protective security weaknesses. According to a Ransomware Before Crypto report, Clop’s average ransom amount is currently $40,000. Ransomware attacks like Clop often cause longer downtimes than typical ransomware attacks.

The costliest aspect of a ransomware event for many businesses is downtime. Phishing is the most commonly used vector for Clop Ransomware in the OT industry.

The goal of Clop ransomware is to corrupt all critical files that you place on your system and render them worthless. It does this by altering predetermined browser settings and exploiting several features. The ransom notice that appears when the victim attempts to access the corrupted file informs users about the encryption and provides instructions on how to pay the ransom, either in Bitcoin or another cryptocurrency.

In newer versions of Clop, victims are forced to include their employer’s name and address in email correspondence. While we can’t be sure of the cause, it may be an effort to improve the victim trail.

Unwanted attachments as well as download links found in the body of the email contained several harmful malware variants.

During post-attack analysis, it was identified that Clop ransomware mimics Ryuk ransomware and has similarities to BitPaymer. However, the code and functionality of this malware are very different from each other while sharing the TTP with other ransomware families.

The potential impact of Clop Ransomware in OT is not limited.

Many techniques including spam email attachments, Trojans, URLs, cracks, insecure Remote Desktop Protocol (RDP) connections, infected websites etc. can be used to install the ransomware clop on the system.

Airgap Networks provided the Secure agentless access solution that provides an additional layer of security with MFA and SSO for any device, management console or specific host internal to the customer’s network.

  • Airgap SAA provides legacy applications with modern MFA authentication and an HTML 5 experience specifically for RDP and SSH connections.
  • Airgap’s SAA provides a secure remote connection without the need to deploy a client agent on the terminal.

The rise of ransomware is not the only concern for large enterprises, but now small businesses are also demanding ransomware protection for their organizations.

  • Airgap Zero Trust Segmentation provides an incident response mechanism that centralizes monitoring of all devices and stops ransomware attacks with Ransomware Kill switch technology.
  • A zero-trust approach is required for these environments while ensuring their secure connectivity to the Internet. Airgap Zero Trust Segmentation provides complete asset visibility and zero-trust policy enforcement across the entire traffic flow.

Airgap Networks is the industry’s first Zero Trust agentless segmentation solution that works at the intersection of IT and OT to ensure your organization stays safe from external and internal threats. Based on Zero Trust principles.

Airgap’s comprehensive zero trust offerings are a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated and multi-factor authorized (MFA) users can access contained assets. Airgap’s Zero Trust Isolation (ZTI) solution ensures that all your current or legacy assets are protected against lateral movement of threats.

Based in San Jose, CA, Airgap Networks offers an agentless, trustless segmentation platform that blocks fences at every endpoint and prevents the spread of ransomware. Airgap’s unique and patented Ransomware Kill Switch™ is the most powerful answer to ransomware threats. And Airgap offers a scalable solution for remote access using Zero Trust principles.

Source link