Friday, June 17, 2016

Industrial Security Advisory - Claims of Ransomware Masquerading as an Allen-Bradley Update


Interesting note about a ransomware mailing campaign sent in the name of Allen-Bradley.
(https://rockwellautomation.custhelp.com/app/answers/detail/a_id/799091)


Claims of ransomware masquerading as an Allen-Bradley Update
799091 | Date Created: 04/11/2016 | Last Updated: 04/14/2016
Access Level: Everyone
Version 1.0 - April 12th 2016

Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupdate.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim's computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file's existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").

BACKGROUND

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.

According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".

CUSTOMER RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies against this type of attack, such as those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
Follow industry best practices to harden your PCs and servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
Analyze outbound network traffic against the known indicators of compromise (IoCs), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
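The mitigation about checking outbound traffic against known IoCs is easy to state and easy to get wrong (subdomain matches, unparseable lines, case differences in file names). The following is an added example, not Rockwell Automation's code and not from the original advisory: it scans constructed outbound-connection log lines against a local IoC list and also flags the file name the advisory names, "Allenbradleyupdate.zip", case-insensitively. The log format, the IoC values (taken from RFC 5737 documentation ranges and the reserved .example TLD) and the sample lines are all constructed for the example; in practice the IoC list is loaded from the US-CERT/ICS-CERT feeds the advisory refers to.

```python
"""
Match outbound-connection log lines and file names against a local IoC list.

Added example for the advisory's mitigation "analyze outbound network traffic
against known indicators of compromise". Not Rockwell Automation code. The log
format, IoC values and sample log lines are constructed; real IoCs come from the
US-CERT / ICS-CERT feeds named in the advisory.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder IoCs (RFC 5737 documentation IPs, reserved .example TLD).
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_DOMAINS = {"update-portal.example", "c2.example"}
# File name named in the advisory; matched on the basename, case-insensitively.
SUSPICIOUS_FILENAMES = {"allenbradleyupdate.zip"}

# Constructed log format: "<ts> src=<ip> dst=<ip|host> dport=<port> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def _domain_matches(host: str) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_outbound(lines: List[str]) -> List[Hit]:
    """Return one Hit per parseable log line whose destination is on the IoC list."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never silently treated as clean hits
        dst = m["dst"]
        reason = None
        try:
            # Destination is an IP literal: exact match against the IP IoCs.
            if str(ipaddress.ip_address(dst)) in IOC_IPS:
                reason = f"destination IP {dst} on IoC list"
        except ValueError:
            # Not an IP literal: treat as a host name, match domain or subdomain.
            d = _domain_matches(dst)
            if d:
                reason = f"destination host {dst} matches IoC domain {d}"
        if reason:
            hits.append(Hit(m["ts"], m["src"], dst, int(m["dport"]), reason))
    return hits


def suspicious_filename(name: str) -> bool:
    """True if the basename of name matches a file name from the advisory."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base in SUSPICIOUS_FILENAMES


# Constructed sample log lines (internal sources, one IoC IP, one IoC subdomain, one junk line).
SAMPLE_LOG = [
    "2016-04-12T08:01:02Z src=10.20.30.40 dst=198.51.100.23 dport=443 bytes=5120",
    "2016-04-12T08:01:05Z src=10.20.30.41 dst=192.0.2.10 dport=80 bytes=310",
    "2016-04-12T08:02:11Z src=10.20.30.42 dst=files.c2.example dport=8080 bytes=990",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan_outbound(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport}  {h.reason}")
    print(suspicious_filename("C:\\Downloads\\AllenBradleyUpdate.zip"))
```

Two design points worth keeping when adapting this to a real log source: unparseable lines are skipped rather than matched, so a format change in the firewall export shows up as a drop in volume rather than as false positives, and host names are matched on domain suffix so that a throwaway subdomain of a listed domain still triggers.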

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation's Security Advisory Index at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.