Cesar Chavez of the Rafael Ravard Refinery in Baton Rouge,
LA announced this morning that the refinery was still shut down from last
month’s ransomware attack. “We initially decided not to pay the ransom
since we had off-site backups for our major control system components, but after
determining that the ransomware had encrypted device-level software for which
we had no backups, we decided that we had to pay the ransom,” Chavez told
reporters.
Chavez explained that the owners of the WannaControl malware
added additional penalties for the delay in paying the ransom and were now
releasing the control system devices on a unit-by-unit basis, with a separate,
smaller ransom being required for each unit. So far, the refinery has
reportedly paid out $1.9 million in bitcoin ransom payments.
Johnathan Quest, spokesman for the Federal Bureau of
Inquiry, told reporters that the Bureau was still investigating the attack but
had been unable to trace the ransomware payments. “Bitcoin transactions are very
difficult to trace, but we are working with a number of international law enforcement
agencies and various intelligence agencies to crack the Bitcoin network.”
Immanuel C. Securitage, spokesman for the ECS-CERT, told
reporters that his agency was working closely with the refinery and Robotron on
the security issues related to this attack. “The agency has not been notified of
other facilities that may have experienced a WannaControl attack, but we suspect
that some attacks have taken place and that the owners quickly paid the ransom
to avoid the results that the refinery has experienced,” he explained.
ECS-CERT strongly recommends that any facility that purchased Robotron
pumps in the last half of 2019 immediately take them out of service until a
Robotron representative can reload the motor control software. Facilities with
such pumps in service should have their control systems immediately checked for
possible compromise. “ECS-CERT has noted that the refinery attackers apparently
had access to the control system for at least a month before the attack was
initiated,” Securitage reported.
In response to a reporter’s question about ECS-CERT support
for finding apparently affected systems, Securitage said: “ECS-CERT does not
have enough investigators to help everyone affected by the Robotron
vulnerability, nor apparently does Robotron.” ECS-CERT is not allowed to
recommend private-sector companies that could do this work, but Securitage
noted that: “Any major ICS security organization could probably do the
assessment.”
Erich Mielke from Robotron released a statement that said
the company was deploying as many of its security engineers as it had
available to look at potentially affected Robotron control systems, but that
facilities using Robotron pumps with other vendors’ control systems should
reach out to the system vendor for assistance. Robotron has published
a report on the malware that was loaded on its pump controllers that includes
indicators of possible compromise that could be looked for on other products.
Rep. Harvey Milk (D-CA) announced that his subcommittee will
be holding a hearing this week looking at the refinery attack. “We need to ensure
that these types of ransomware attacks on critical infrastructure cannot
happen,” he told reporters. He went on to criticize ECS-CERT’s inability to
effectively support critical infrastructure owners in preventing further occurrences
of this particular attack, saying: “Congress expects ECS-CERT to be proactive
in responding to attacks like this; we want answers now.”