Fake Rockwell Automation System Update installs ransomware!


July 4, 2016 – Industrial cybersecurity suddenly became very important last week when it was reported that fake Rockwell Automation update files are circulating on the Internet, attempting to install ransomware on unsuspecting users of Rockwell control systems (the Allen-Bradley series of PLCs). Among malware infections, ransomware is the worst kind to hit a control or automation system: it encrypts the files on the infected machine (and on any network shares it can reach) and demands a ransom, typically paid anonymously in Bitcoin to the attackers. Short of restoring from clean backups, there is no known cure unless the encryption can be broken, which for properly implemented ransomware is not practical. Many users simply give in and pay. Thankfully, there have been no known infections of control systems by this particular malware so far, but people should be aware of it and take the necessary precautions to prevent this kind of attack.

An Allen-Bradley PLC panel (for representational purposes only)

Here’s a report from the ISS Source website:

A ransomware attack is hitting the manufacturing automation industry posing as an Allen-Bradley update.

In an email obtained by, Rockwell Automation is aware of the attack and issued a response warning its users of the issue.

The note from Rockwell said:

“Rockwell Automation has learned about the existence of a malicious file called ‘’ that is being distributed on the Internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center (‘E-ISAC’).”

The release went on to say, according to the September/October 2015 issue of the ICS-CERT Monitor, “Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015.”

Rockwell reiterated this was not a vulnerability that affected Rockwell Automation products.

The E-ISAC report briefly mentioned the presence of malware disguised as an A-B update file. The Rockwell Automation Industrial Security group isn’t aware of any company websites and/or product downloads that suffered infection or contained this malware. They also had not received any notice of any users who have downloaded the malware from the internet.

Rockwell also reached out to ICS-CERT for assistance following the publishing of the report. ICS-CERT did investigate, but declined to publish any type of advisory related to it.

Where feasible, precautions and risk mitigation strategies for this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
• Obtain product software and firmware from Rockwell Automation’s official download portal.
• Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions.
• Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
• Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
• Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
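Two of the items in the list above lend themselves to automation on the engineering workstations that actually receive Rockwell software: checking a downloaded "update" against the hashes published on the vendor's official portal before it is ever run, and matching outbound traffic logs against an indicator-of-compromise (IoC) list. The script below is an added example written for this page; it is not Rockwell's, ISS Source's or US-CERT's code. The file name, hash allowlist, IoC domains and networks, and the log lines are all constructed for illustration (the `.example` domains and documentation IP ranges are deliberately fictional), and the log format is an assumed `timestamp src -> dst [host=...]` layout rather than any particular firewall's.

```python
"""Added example: verify a downloaded update against vendor-published
hashes, and scan outbound traffic logs for known IoCs.

All hashes, indicators and log lines here are constructed for the
example; substitute the values from the vendor portal and the US-CERT
indicator list in real use.
"""
import hashlib
import hmac
import ipaddress
import re

# --- 1. Verify a downloaded file against vendor-published hashes -------

# Constructed allowlist. The SHA-256 shown is that of the bytes b"abc",
# standing in for a real installer and its portal-published hash. An
# "update" whose name is not on this list fails closed, which is exactly
# the situation the advisory above describes.
PUBLISHED_SHA256 = {
    "vendor_update_sample.exe":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a large installer through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(filename, data, allowlist=PUBLISHED_SHA256):
    """Return (ok, reason). Unknown files and hash mismatches both fail."""
    expected = allowlist.get(filename)
    if expected is None:
        return False, "not a published update file"
    if not hmac.compare_digest(sha256_bytes(data), expected.lower()):
        return False, "hash mismatch"
    return True, "hash matches vendor-published value"


# --- 2. Match outbound traffic against an IoC list --------------------

# Constructed indicators, in the style of a domain/IP indicator feed.
IOC_DOMAINS = {"update-rockwell-download.example", "cryptopay.example"}
IOC_NETWORKS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Assumed log layout: "<timestamp> <src> -> <dst> [host=<sni or http host>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)(?: host=(?P<host>\S+))?$")

# Constructed sample of outbound connections from two engineering PCs.
SAMPLE_LOG = """\
2016-06-28T09:12:01Z 10.10.1.25 -> 192.0.2.10 host=www.rockwellautomation.com
2016-06-28T09:14:44Z 10.10.1.25 -> 198.51.100.23 host=cdn.update-rockwell-download.example
2016-06-28T09:15:02Z 10.10.1.31 -> 203.0.113.7
2016-06-28T09:16:10Z 10.10.1.31 -> 192.0.2.50 host=ntp.example.net
""".splitlines()


def domain_matches(host, iocs):
    """True if host equals an IoC domain or is a subdomain of one.
    Case and a trailing dot are normalised; 'evil-cryptopay.example' is
    NOT treated as a match for 'cryptopay.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def ip_matches(ip_str, networks):
    """True if the destination address falls inside any IoC network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # destination was a name, not an address
    return any(ip in net for net in networks)


def scan_outbound_log(lines, domains=IOC_DOMAINS, networks=IOC_NETWORKS):
    """Return (src, dst, reason) for every line that touches an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these in production
        host, dst = m.group("host"), m.group("dst")
        if host and domain_matches(host, domains):
            hits.append((m.group("src"), dst, "domain IoC: " + host))
        elif ip_matches(dst, networks):
            hits.append((m.group("src"), dst, "ip IoC: " + dst))
    return hits


if __name__ == "__main__":
    ok, why = verify_download("vendor_update_sample.exe", b"abc")
    print("download check:", ok, why)
    for src, dst, why in scan_outbound_log(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {why}")
```

The hash comparison uses `hmac.compare_digest` out of habit rather than necessity; the point of the check is that the expected value comes from the vendor portal over a separate channel, never from the site that served the file. The domain matcher deliberately requires a label boundary, so look-alike names that merely contain an indicator string do not produce false alerts, while genuine subdomains of an indicator do.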
