- After infiltrating a network, the malware attempts to encrypt all connected computers.
- The malware mainly targets SCADA systems.
- Researchers believe that the malware is part of the ongoing financial war in the region.
There is a new ransomware Trojan on the loose that is reportedly capable of disabling industrial control systems. Security researchers at Otorio, a Tel Aviv-based cybersecurity company, report that the origin of the malware, dubbed Snake, is most likely Iran. The new ransomware has caused havoc in the past two weeks and led to a spike in the number of reported cases.
This is how the malware works, according to the Otorio team. After infiltrating a network, the malware attempts to encrypt all connected computers. It, however, primarily attacks Supervisory Control and Data Acquisition (SCADA) systems, which control and monitor technical processes. Such systems are used in power plants, refineries, and gas and water plants, among others.
“Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration, and control. This is the equivalent of both blindfolding a driver and then taking away the steering wheel,” the team says. Most of the equipment that it targets is related to virtual machines, remote management tools, industrial control systems, and network management software. The Israeli researchers believe that the ransomware programmers are not really concerned with extortion but industrial sabotage.
The Snake malware code is also allegedly designed to attack processes utilized by General Electric equipment. A spokesperson for General Electric has, however, denied this assumption, stating, “GE is aware of reports of a ransomware family with an industrial control system-specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.”
Otorio began to investigate the malware in mid-December. After further examination of the code, the researchers found Bahrain Petroleum Co. (Bapco) to be among the primary targets. The oil company, however, uses a diverse assortment of equipment from different companies and not just GE.
According to SentinelOne, another cybersecurity company, the malware is written in Go (Golang). It is heavily obfuscated, which makes it hard to detect. It is also designed to blitz through a whole network of computers rather than stopping at a single machine.
Once it gets hold of a system, it encrypts all files except Windows files and appends a five-character extension to each of them. After the encryption is complete, a ransom note appears instructing the victim to contact an email address to arrange payment.
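Two of the behaviours described above give a defender something concrete to watch for on an engineering workstation: critical ICS processes disappearing (the "blindfolding the driver" effect the Otorio team describes) and large numbers of files gaining an extra five-character extension outside the Windows directory. The script below is an added example, not code from Otorio, SentinelOne or the article; the process names, directory paths and file names are constructed sample data, not indicators taken from the report, and the thresholds are assumptions a practitioner would tune for their own environment.

```python
"""Host-side checks for two behaviours attributed to the Snake ransomware:
termination of ICS-related processes and mass renaming of encrypted files
with an appended five-character extension.

Added example; the names and paths below are constructed, not indicators
from the article or from any vendor.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed baseline of processes an operator expects to see running on a
# plant workstation (placeholder names, not a vendor list).
CRITICAL_PROCESSES = {
    "hmi_runtime.exe",
    "historian_svc.exe",
    "opc_server.exe",
    "vmware-vmx.exe",
}

# Constructed snapshot of what is actually running right now.
RUNNING_SNAPSHOT = ["explorer.exe", "HMI_Runtime.exe", "svchost.exe"]

# Constructed directory listing after an incident: most files in plant_a
# have gained a random five-character suffix, plant_b looks normal.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll.Qz8Lm",
    r"D:\Projects\plant_a\hmi_screens.xml.Ab1cD",
    r"D:\Projects\plant_a\alarms.csv.Zk9Qp",
    r"D:\Projects\plant_a\README.txt",
    r"D:\Projects\plant_a\trends.db.Pl0Xw",
    r"D:\Projects\plant_b\notes.txt",
    r"D:\Projects\plant_b\Main.java.class",
]

# "<name>.<original ext 1-5 chars>.<exactly five alphanumerics>"
APPENDED_EXT = re.compile(r"^(?P<stem>.+\.[A-Za-z0-9]{1,5})\.(?P<suffix>[A-Za-z0-9]{5})$")


def missing_critical_processes(baseline, running):
    """Return baseline processes absent from a running-process snapshot.

    Windows process names are case-insensitive, so compare in lower case.
    A non-empty result on a machine that should be in production is the
    signal to investigate, not a verdict by itself.
    """
    running_lc = {name.lower() for name in running}
    return sorted(name for name in baseline if name.lower() not in running_lc)


def is_windows_system_path(path):
    """True for anything under the drive's \\Windows directory."""
    parts = [part.lower() for part in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "windows"


def suspicious_renames(paths, min_flagged=3, min_ratio=0.5):
    """Group files carrying an appended five-character extension by directory.

    A directory is reported when at least `min_flagged` files match and they
    make up at least `min_ratio` of that directory's files, which keeps a
    single legitimate ".class" or similar file from raising an alert. Files
    under \\Windows are skipped because the article reports the malware
    leaves them alone, so they carry no signal here.
    """
    total = Counter()
    flagged = defaultdict(list)
    for path in paths:
        if is_windows_system_path(path):
            continue
        wp = PureWindowsPath(path)
        directory = str(wp.parent)
        total[directory] += 1
        if APPENDED_EXT.match(wp.name):
            flagged[directory].append(path)
    return {
        directory: hits
        for directory, hits in flagged.items()
        if len(hits) >= min_flagged and len(hits) / total[directory] >= min_ratio
    }


if __name__ == "__main__":
    for name in missing_critical_processes(CRITICAL_PROCESSES, RUNNING_SNAPSHOT):
        print(f"critical process not running: {name}")
    for directory, hits in suspicious_renames(SAMPLE_LISTING).items():
        print(f"{len(hits)} renamed files in {directory}")
```

In practice the process baseline would be fed from a scheduled task or an EDR agent rather than a hard-coded set, and the rename check would run over a file-system change log, but the two heuristics are the same: an allow-list of what must be present, and a per-directory ratio that separates one oddly named file from a sweep across a folder.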
Otorio boss Danny Bren believes that Bapco was deliberately chosen as the target by the creators of the malware. In his view, the Iranians want to manipulate oil prices. He attributes the latest cybersecurity threat to the ongoing financial war that is threatening to cripple the Iranian economy. He says that Iran is looking to exert the same kind of pressure on its enemies, hence the new malware development.