Meet LogicLocker: Boffin-built SCADA ransomware

Pay the ransom, or restore from backup. Choose wisely!

Robot looks into magnifying glass, human eye displayed. Photo by Shutterstock

Let's start with the “calm down” part of the article: yes, LogicLocker is ransomware designed for programmable logic controllers, but no, the cyber-geddon isn't upon us.

LogicLocker is a proof-of-concept written by David Formby, Srikar Durbha and Raheem Beyah of Georgia Tech (Formby and Beyah also disclose an affiliation with a low-profile startup called Fortiphy Technology).

The software's scope, as described in the researchers' paper (PDF), is limited for now: “LogicLocker uses the native sockets API on a Schneider Modicon M241 to scan the network for known vulnerable targets, namely Allen Bradley MicroLogix 1400 PLCs [programmable logic controls - Ed] and Schneider Modicon M221 PLCs”.

If it finds those two specific devices, it bypasses their “weak authentication mechanisms”, locks out legitimate users, and plants a logic bomb to “dangerously operate physical outputs”.

In other words: the work paradoxically highlights how fragmented APIs confine attackers to specific devices. The authors note this is “the first” cross-vendor worm targeting PLCs.

In a nod to the world's "first cyber-attack” on industrial control infrastructure (a Queensland water treatment plant attacked by an insider with admin rights), the researchers posted this demonstration video to YouTube:

Youtube Video

We note that the Georgia Tech researchers' targets have a record of problems:

  • Some Schneider Electric Modicon units were pinged for remote file inclusion and reflected cross-site scripting vulnerabilities in 2015, and Modicon units have been the subject of a number of ICS-CERT advisories since 2012;
  • Last year, Cisco Talos researchers found the Rockwell MicroLogix 1400 had an SNMP authentication vulnerability that let remote attackers replace its firmware;
  • In January, various MicroLogix units were called out for handling credentials in cleartext.

Only a relatively low number of users turned up in the authors' Shodan scan: 1,429 MicroLogix 1400 systems and 250 Schneider Modicon M221s.

The Register notes that while sending dangerous commands to industrial kit is a terrifying thought at first sight, a factory operator has the option to shut the plant down and restore the original firmware. The paper says a response plan “could involve keeping backups of critical programs on the premise and having personnel trained in how to reflash and restore PLC programs quickly.”

As for the company affiliation in the paper: Fortiphyd Logic seems new, with only a placeholder web presence, and a Twitter account with nothing to say except that Fortiphyd “secures industrial control system networks against nation-state level attackers”.

We've asked the researchers for more detail on the company, and will update this story when we get a response. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017