PoC: Ransomware attacks targeting SCADA devices

As part of the information sharing during our Member Meeting in May, Applied Risk has briefed its fellow EE-ISAC members about a PoC they undertook determining that target field devices could be compromised and turned to a black-box development environment to develop and spread ransomware. They shared the implications of this vulnerability and practical countermeasures to mitigate the risk.

The information sharing resulted in a new EE-ISAC initiative: Applied Risk and Security Matters will jointly prepare a white paper to address emerging cyber threat targeting in particular the power sector.

Mission-critical control systems that don’t pose an obvious risk can be hijacked and leveraged for attacks

Cybercriminals have been increasingly relying on ransomware to make a profit by taking hostage personal and business files. Experts have also started issuing warnings regarding the possibility of ransomware attacks targeting industrial systems. Proof-of-concept (PoC) ransomware designed to target industrial control systems (ICS) was described recently by security firm CRITIFENCE and researchers at the Georgia Institute of Technology.

These attacks focused on programmable logic controllers (PLCs), which are often critical for operations and can represent a tempting and easy target for malicious actors. However, Alexandru Ariciu, an ICS security consultant at Applied Risk, disclosed another potential target on Thursday at SecurityWeek’s 2017 Singapore ICS Cyber Security Conference.

PoC: ransomware attacks targeting SCADA devices

Ariciu showed that ransomware attacks, which he has dubbed “Scythe,” can also target SCADA devices that are inconspicuous and which may be considered less risky. Applied Risk undertook a PoC determined that target field devices can be compromised and turned to a black-box development environment to develop and spread ransomware:

  1. Find target field device
  2. Infect the target device and load the ransomware
  3. Send the Ransomware Note
  4. Collect the Ransom

If you are interested to hear more, contact Jalal Bouhdada or read more:



Leave a Reply

Contact us

Registered Address
Avenue de la Toison d’Or 22 b1, 1050 Brussels

Operational Address
Avenue Marnix 30 b14, 1000 Brussels

Belgian VAT number