Conti Strain! Are we up the creek?

Don't do it, there is a high risk it will spread to the new laptop as soon as it is connected to the network.

Stop the machines and connect directly to the PLC with them being removed from the network temporarily.


Concur. Don't trust any Windows machine on a network shared with compromised machines.


Get outside help to set up trusted networking (possibly with remote access) to your machinery.
 
Hey folks.
Are any of you familiar with something called Conti Strain?
Our entire corporate structure has been taken hostage by it.
All my PLC files now have the extension .QEBEN instead of .ACD, .RSS, as well as just about every other type of file on the network. In each folder is a read me.txt file that has instructions on how to pay them in order to return the files to us.

It's completely over my head and the IT folks, I'm sure, are pulling their hair out now. This is day 2. All I can do now is on my iPhone. This stinks!

My real question is... I do have backups of my PLC files. However, I'm worried that the backups are corrupted, as we have no idea how long the offensive file has been with us. Does anyone know of a way I can scan this backup stick somehow before using them? Technically, I'm not even supposed to have these backups on a stick as per company policy; however, it could very well pull us from the flames.

I'm too scared to even put it into my computer!

I’m guessing that it’s not going to be a simple solution or IT would have fixed it already. This is the first time in 10 years I’ve seen their systems down.


This still has us crippled.

Our IT department is fumbling and useless. They are in over their heads and not going to rectify the situation. Everything remains encrypted and missing. Nothing works.
I'm going today to purchase a new laptop, it will be forever free from IT.
I'm going to buy all new software, free of corporate ownership.
I'll go around and pull backups, as I'm not sure if the backups that I do have on a stick are infected or not. I'm considering them garbage at this point. I did put it in an old sacrificial computer and they look OK, but what lies beneath is what scares me; I don't know much about how this works.

Here is the issue. Our machines are all tied to the corporate IT controlled switches. I'm guessing it's a risky action to give my new computer a static IP address and tether it to the network to do uploads. Is there a risk that in connecting my new computer to the network I will catch this virus, so long as I don't upload any files from the network and simply create communication to each PLC and upload?
Does anybody have an opinion on this? Networking isn't my strong suit.

Aside from losing plant to plant comms by going the IT free route (we have two neighboring plants), the other downside to all this is I will lose my outside access to the plant. I finally, after years of waiting for internet at home, just got connected, thanks to Musk. Now because of this, I'm losing my outside connection before I even get to use it. I've mentioned getting a second internet connection here, free of corporate once again, but it might not fly.


Unfortunately this has cast us into the stone ages and it seems that there is nobody on our team trying to help. Now it's all my problem. They want me to start panicking about it and create a magic solution when it's their stupid policies that got us here in the first place... Funny how this works. Yes, I'm a bit sour. I can't believe, I can't conceive how they didn't have a contingency plan. I can't understand why we can't roll our network back to an earlier date. But then again, they can't even keep the office printers reliably on the network.



Stay out of it. Colonial Pipeline paid because they couldn't take the cost hit of unscrewing it by going waaaay back in backups. Either your company will pay.. or it will die, if loss of those files can ruin it.

Any ransomware worth its weight will wait weeks to months to fire and arrest control of the system, encrypting everything. This ensures it's DEEP into the backups and cannot be gotten rid of. If it infects and fires that day.. what's the point? Just restore from a few days ago. Yes, a real pain in the rear for data loss, etc. But it won't generally destroy a business. Weeks.. yes. Months.. Totally.

If you really want to try and see.. Get a Raspberry Pi. It runs off an SD card. If your sticks can be tested with some scanner software from Linux and are cleared.. you are PROBABLY okay.. Not 110% sure. And if it's infected and gets ahold of the Pi's OS files and locks them up.. 5 dollar MicroSD card shot. No big loss.

DO NOT get a laptop and connect it to the network. It'll get hit more than likely. The way it propagates across a network is using known and unknown vulnerabilities. Your best defense is keep the Windows firewalls on, and tell it you're on a public network when you connect. This will disable file sharing so that avenue should be closed... should.

To encrypt something like this it has to be tailored for the general OS type. Windows OS cannot infect a Linux OS easily. You'd have to write it that way to do it. Documents that are stored on a Linux server but used by Windows clients are readily infectible by a Windows tailored attack program.

I've looked and read on this stuff.. and I am SOOOOOOO glad I abandoned the IT field... I do NOT want to deal with this stuff.
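The firewall and public-network posture recommended in the reply above, as an added PowerShell example that is not part of the original post: it applies the settings and then verifies them so the check can be repeated. Assumptions: an elevated prompt on Windows 8 / Server 2012 or later (where the NetSecurity and SmbShare cmdlets ship in-box); stopping the Server service in step 4 goes one step beyond the reply and also removes the administrative shares.

```powershell
# Added example, not from the original post: put a Windows PC into the
# "public network, firewall on, no file sharing" posture the reply describes
# before it touches a network that may still carry ransomware, then verify.
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).

# 1. Classify every current connection as Public, the most restrictive profile.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# 2. Firewall on for all profiles, unsolicited inbound dropped. Outbound stays
#    open so the programming software can still reach the PLCs.
Set-NetFirewallProfile -Profile Domain,Public,Private `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Disable the inbound rule groups that expose SMB file sharing and
#    discovery, the usual path worm-style ransomware takes between hosts.
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled False
}

# 4. Going a step beyond the reply: stop the Server service so the machine
#    offers no shares at all (including C$ / ADMIN$), and retire SMBv1.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Stop-Service -Name LanmanServer -Force
Set-Service -Name LanmanServer -StartupType Disabled

# 5. Verify, so the check can be re-run after every install or reboot.
#    Enum properties are compared as strings to avoid type-coercion surprises.
$checks = [ordered]@{
    'All profiles Public'   = @(Get-NetConnectionProfile |
        Where-Object { "$($_.NetworkCategory)" -ne 'Public' }).Count -eq 0
    'Firewall enabled'      = @(Get-NetFirewallProfile |
        Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
    'Inbound default Block' = @(Get-NetFirewallProfile |
        Where-Object { "$($_.DefaultInboundAction)" -ne 'Block' }).Count -eq 0
    'Sharing rules off'     = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { "$($_.Enabled)" -eq 'True' }).Count -eq 0
    'Server service stopped'= (Get-Service -Name LanmanServer).Status -eq 'Stopped'
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Any line reporting CHECK means a later installer or reboot undid part of the posture and it should be re-applied before the machine is connected again.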


We have the same thing, after you are "hooked" a couple of times, you become extremely cautious. I have marked valid emails as phishy, better safe than sorry.

I roll my eyes and delete them. Don't even hit the Report Phishing deal in the email system. They tailor that stuff to the average user to snag them. I did mark one early on ABOUT the training.. It looked sketchy as all get out, and was signed.. IT Team.

IT dept manager responded to that report with: Nope, it's legit.

Training took me all of 10 minutes.. click through everything not reading a thing.. answer the questions. Got 1 wrong because I took the slightly more paranoid option than was wanted (there should've been two right answers, wanted and extra paranoid). Passed easy.
 
BTW your HMIs are not necessarily safe either. Windows CE, which runs on PanelViews and some other stuff, is likely vulnerable as well; it may not get crippled, but I wonder if it can host and keep its infection unknown and ready to strike back out? Of course any full fledged Windows HMI is to be considered a threat. If your backup systems are purely based off a thumb drive in someone's drawer, you can probably restore from those without too much worry.. But only once every system is individually isolated and then restored, and reconnected only when EVERY SINGLE SOURCE of possible reinfection is purged and cleared.. can you consider it safe to start reconnecting stuff.

How critical is the link to the corporate network? Do they have you on separate switches, or VLANed into your own network but on the same switches as the corp network? If separate, you might be able to just disconnect from the corp network.. Purge all Windows systems, restore from secure clean backups, and probably get manufacturing up and running. I could rewire my network here to escape that and get things cleaned up. But I've only got like a dozen devices, and one switch under IT's control.
 





The switches are all shared. We have several switch racks, each contains several switches that have sections dedicated to different things. How it's all mapped out is a mystery to me.

I'm hoping to install a switch dedicated to the PLC network in each rack. However, with so many processors talking back and forth, I'm assuming it will take me 6 months or more of Saturday mornings to get this all switched over, and during that time I will still need to have my new segregated switches connected to the old to keep machine to machine comms working. It's basically a start to finish process with many PLCs all working as one large machine. I can't just move one machine to the new switch, I have to do them all, but only have a few hours a week for such activity. Even in those few hours, the machines are supposed to be running to a point for cleaning, then we start up again. It never ends, there is no break to shut stuff off. We haven't even had a maintenance shutdown in a couple of years now.


This is crazy. I hadn't even thought about the PanelViews being infected. I only have 50 or so of them out there running. Ughh, this is too much, man! I just want to program machines. This is taking the fun out of it all real quick. My new computer should be ready tomorrow; now I'm not sure how to go about this with the possibility of having infected HMIs though. I'll probably bring it back, set it up, then be too scared to connect it to anything. I can't believe, I just can't fathom how our IT dept. didn't have a contingency plan for this. I just can't wrap my head around it.
 
If I were in your shoes, I'd install Linux as the host OS, then your automation software as the guest. The risk of infecting a Linux OS will be lower than Windows, and if your VM gets buggered, you can restore it quickly. Down the road when things are back to normal, you can reinstall Windows as your host and copy your VM back onto it.
 


It's your fellow users' fault that this occurred.. someone clicked something they aren't supposed to in an email or website and brought in the nasty ransomware. IT cannot 100% prevent Stupid User Tricks. The phishing email tests/training done can help fight that by constantly testing your users. Like I said, this stuff, when it's done "right", waits until it's too ingrained in data backups to be gotten rid of. Some places that's days, some weeks. Hell.. if Amazon had it happen.. a day could be too much. These things take advantage of various exploits in system security.

I don't know for sure it can infect the Windows CE based ones. They are different.. but those that run on full fledged Windows are absolutely at risk. So FactoryTalk SE, Wonderware, etc.. be concerned and involve IT. You don't want that infection sitting there, waiting to nail the system again later.
 

I'd be a bit surprised if attackers actually went after CE. It would seem to me that going after Windows 7/10/Server would be the best bang for the buck. You don't have to attack them all, only enough to make financial sense to get a payout.
 

The problem there is it's still a Windows OS that gets jacked into the network. VMs and host OSes can both exist in the network simultaneously. It's a really vicious spot he's in. But yes.. to back up the individual PLCs, as long as he pulls the cable from the PLC and hooks direct.. or direct through a separate simple $20 switch he carries with him, with just the controller and PC hooked to it, infection chance is none. The PLC is impossible to infect with this stuff.

Then NEVER plug that USB stick into ANY corporate system until IT can assure you it's safe.

Now.. you don't necessarily need to buy your own software.. buying your own automation software is insanely expensive. Could use the corp licenses IF you have access to that info and permission, etc. Just download it from the internet at home..

You're in for a wild time.
 

Yes, but since those devices can create shares.. at least the old Windows CE handtop PCs I had at one time could.. the threat of it getting there and idling is possible. Will it harm it? Doubtful. Could it be a source to come back from? Why risk it; if you have the original program.. wipe/reset/reload.
 
As a note.. where your thumb drive is at risk of restarting an infection is the AutoPlay feature of Windows. Ransomware is software that is installed or executed and encrypts data, and uses vulnerabilities to self-execute on other machines. It doesn't infect actual files like viruses of the old days. So if you turn off AutoPlay functions in the Windows OS on a new isolated (network and Internet isolated) machine, then stick the thumb drive in, you're pretty safe and can pull the needed files off.. if you see an Autorun.ini (which you may only see if you have the system set to show all files/folders), delete it. You won't harm a thumb drive doing that. Delete any AutoRun.* stuff. If this drive is purely for your PLC program backups and was bought from a store, there is no reason an autorun.ini or autorun.exe needs to exist. Those just pop up a pretty menu so you can select what you want to install from the provided software on a CD-ROM, ISO image burned to the thumb drive, etc. You can still manually start those installs.
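The AutoPlay precaution above, as an added PowerShell example that is not part of the original post: it sets the AutoRun policy for every drive type, refuses to go on unless that took effect, then inventories the thumb drive for autorun.* files and other executable content before any PLC backups are copied off it. Assumptions: an elevated prompt on the isolated Windows machine, drive letter E: (the $Drive parameter), and an expected-extension list built from the thread's own .ACD/.RSS types that you extend for your files.

```powershell
# Added example, not from the original post: on an isolated Windows machine,
# disable AutoPlay/AutoRun for every drive type, verify it, then inventory a
# thumb drive for autorun.* files and anything executable before copying the
# PLC backups off it. Run elevated. $Drive is an assumption; adjust to yours.
param([string]$Drive = 'E:')

# 1. NoDriveTypeAutoRun = 0xFF disables AutoRun for all drive types. Set it
#    under both HKLM (machine) and HKCU (current user).
$policyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive $policyPath
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
}
# Also suppress the AutoPlay prompt for the current user.
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' `
    -Name DisableAutoplay -Type DWord -Value 1

# 2. Refuse to continue unless the machine-wide policy really took effect.
$effective = (Get-ItemProperty -Path "HKLM:\$policyPath").NoDriveTypeAutoRun
if ($effective -ne 0xFF) { throw "AutoRun policy not applied (value: $effective)" }

# 3. Inventory. On a stick that should hold only PLC project files, anything
#    that can auto-start or execute is suspect, as is any extension outside
#    the expected list. .ACD/.RSS come from the thread; extend for your files.
$suspectPatterns = '^autorun\.', '\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js|lnk)$'
$expectedExt     = '.acd', '.rss', '.txt'

$files   = Get-ChildItem -Path $Drive -Recurse -Force -File -ErrorAction SilentlyContinue
$suspect = $files | Where-Object {
    $name = $_.Name.ToLower()
    (@($suspectPatterns | Where-Object { $name -match $_ }).Count -gt 0) -or
    ($_.Extension.ToLower() -notin $expectedExt)
}

# 4. Report with attributes, since autorun droppers usually hide themselves.
#    A .QEBEN extension (the thread's ransomware suffix) means the stick was
#    already reached by the encryptor and is not a clean backup.
$suspect | Select-Object FullName, Length, LastWriteTime, Attributes | Format-Table -AutoSize
if (@($suspect | Where-Object { $_.Extension -ieq '.qeben' }).Count -gt 0) {
    Write-Warning 'Encrypted (.QEBEN) files present: this backup is not clean.'
}
'{0} files scanned, {1} flagged for review.' -f @($files).Count, @($suspect).Count
```

The script only reports; review the flagged list and remove the autorun.* entries by hand as the post suggests, then copy the project files off.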
 
Yikes, so sorry to hear.

Keep your backup away from IT backup, if they want a backup, fine. But still keep your own backup close to the action (in the plant).
 

Good points.
 

I don't have the originals! I was counting on being able to upload all the PV files in the plants!
 
