Monday, January 2, 2017

ECS-CERT Confirms Ransomware Attack

The Chemical Safety Bored (CSB) and the Electronic Control System CERT (ECS-CERT) issue a joint statement today confirming that the recent spate of fires at the Rafael Ravard Refinery south of Baton Rouge were a result of a ransomware attack on the electronic control systems at the refinery. According to the statement, the attack was caused by a new variant of the GUMMI BAREN worm associated with the Stasi Ehemalige, a German criminal syndicate.

Immanuel C. Securitage, the ECS-CERT lead for the refinery investigation, stated that the new variant of GUMMI BAREN has been modified specifically to attack electronic control systems that use the programmable logic controllers manufactured by Robotron, a German electronics company. The Robotron update system has apparently been hacked by Stasi Ehemalige and the GUMMI BAREN launcher included in their latest PLC updates.

Robotron has issued a statement that they are working closely with ECS-CERT to identify the source of the problem with their updater and currently recommend that their customers do not apply the most recent update to their PLC firmware.

Securitage explained that the GUMMI BARREN variant was specifically designed to infect multiple PLCs at a facility through infection via an engineering lap top. The worm includes a delay mechanism so that the encryption of the PLC firmware takes simultaneously across an organization.


Cesar Chavez, a spokesman for the Rafael Ravard Refinery, confirms that a ransom of 1000 bitcoin was demanded by Stasi Ehemalige. They have refused to pay the ransom. Chavez notes that the facility has backups for all firmware for their electronic control system. As soon as the facility has recovered from the uncontrolled shutdown caused by this ransomware attack, they expect that only a short turnaround will be needed to get the facility back into production.