Bryan Owen

Retrospective: Disruptive vs Destructive Malware

Blog Post created by Bryan Owen on Apr 21, 2020

Ransomware affecting the industrial community is in the news once again. Criminals are trying blackmail to extort the victim company for millions of dollars.


Screenshots of private data were posted along with claims that 10TB have been copied from the victim’s servers. Along with proof of possession, the victim is being pressured to pay the ransom now to keep details private.


Leaking of confidential information is damaging… but is it really?  In retrospect for industrial operators supporting critical infrastructure services, ransomware is more disruptive than destructive.  No one wants to be a victim of either kind of malware.  Some may want to argue ransomware as being destructive as data are destroyed and devices may be ‘bricked’. However, in context of industrial operations, ransomware destruction of cyber systems tends to result in short term losses from delays or curtailed production.


Healthy industrial companies will recover from disruption. However, industrial sabotage is a much bigger concern for survival – no production means no revenue. Sabotage techniques where malware could destroy process equipment or generate faulty product are continuing to emerge and is why Stuxnet, Crashoverride and Trisis have been studied in detail.


My upcoming PI World 2020 presentation on May 5th discusses trends from the decade past in more detail and offers suggestions on what’s to come and what you can expect with the PI System.



Meanwhile if you don’t believe sabotage is advancing, take 5 minutes to view this clip from the S4x20 Highway ‘Cyber Physical’ training by Jason Larsen of IOActive.  The engineer in me found his techniques for compromise of cyber-physical systems both realistic and motivating as a defender.


Returning to current day ransomware, success stories about the industrial operators capability to ride out temporary disruption are emerging.  Such heroic efforts deserve acknowledgment and sharing of lessons learned.


The final chapter hasn’t been written for ransomware and the industrial community. Let’s stand in support of victims.  Public support for resisting extortion is in the community interest as is sharing of TTPs and forensic evidence - even for near misses.


In closing, I’m optimistic that ransomware will soon be dismissed as enterprise and cloud systems adapt to manage losses due to cyber-crime caused disruption. Countering truly destructive industrial malware deserves our attention.  Miscreants have already shown willingness to target society during a pandemic. They must be denied. Let’s also commit to deterrence through relentless pursuit of justice.