11-12-2020 | | By Robin Mitchell
Advantech, an industrial processor and hardware specialist, has been hit by ransomware. Who is Advantech? What is the ransomware that has attacked them, and how is the malware landscape changing?
Advantech is an industrial technology company established in 1983 and initially worked on utilising PC architecture in industrial environments. In 1990, Advantech introduced their first industrial PC, the IPC-600, and since then, have continued to develop industrial PCs as well as other technologies surrounding automation.
Fast forward to 2020, and Advantech have offices around the world, over 7,000 employees, and one of the biggest market shares in industrial PCs. However, their focus in automation is now heading towards big data and IoT for use in advanced AI and ML systems that can improve processes over time as well as provide predictive maintenance and scheduling.
One of the biggest concerns in IoT and IIoT applications is security; cybercriminals can use sensitive data for their own purposes, and the ability to control devices remotely allows for co-ordinated DoS attacks, crypto mining, and password cracking. Therefore, any company producing IoT and IIoT devices and systems, such as Advantech, would recognise the importance of strong security practices.
However, Advantech themselves has just been reported as being the latest victim to ransomware. According to bleeping computer, hackers attacked Advantech’s corporate network and has retrieved confidential information with commercial value. The hackers have already published 3GB of this sensitive data to prove their capability, and have even allowed Advantech to decrypt two files to prove that their decryption systems work.
The group that has claimed the attack is Conti, and have asked for a total ransom of 750 bitcoins, or approximately $12 million (December 2020). The use of bitcoins allows the attackers to hide their identity and personal information while being able to receive a currency that can be easily exchanged for cash (such as USD and GBP).
The ransomware used by Conti shares some common code with the very infamous Ryuk ransomware, a ransomware program developed by a Russian group who was able to obtain more than $34 million from a single victim, and more than $150 million in total in 2018. The Conti system has the ability to perform fast encryption, anti-analysis, and direct execution while also being able to operate up to 32 concurrent CPU threads. This makes the ransomware extremely fast and difficult to spot before the malware does damage.
Once on a system, Conti can delete the Windows Shadow Volume copy, shutdowns applications that lock files disables Windows services, and then encrypt entire hard drives. From there it is also able to attack and encrypt other devices on the same network, use AES-256 encryption keys for each file, and then bundle all keys which are then encrypted with an RSA-4096 public key.
While malware has been around for as long as computers became accessible to those who are disgruntled, the nature of malware is now changing to create a more threatening environment. Historically, the malware was generally used to either cause havoc by deleting files and corrupting systems, or provide a backdoor so that attackers can steal personal information.
The use of ransomware, however, shows how cybercriminals can take advantage of the very technology that stops them from obtaining personal information; encryption. When any message is sent via the internet, it is more times than not encrypted, and this prevents a man-in-the-middle attack. However, since encryption can make it near impossible to recover a message without the key, attackers are now exploiting this property to encrypt valuable data.
But instead of simply targeting individual users, the use of Conti against Advantech shows that attackers are now targeting large cooperation’s. This, combined with the introduction of cryptocurrencies, provides attackers with a more streamlined attack that can be properly planned, managed, and have risk minimisation. Furthermore, attacking large companies provides potentially larger gains. If the size of the ransom is carefully chosen, an attacker can almost guarantee a successful attack with a large reward compared to the effort and time needed.