
A mini-controversy broke out this week in the infosec community after cyber-security firm CRITIFENCE led journalists and other security experts to believe that it had detected in-the-wild attacks with a new ransomware called ClearEnergy, specialized in targeting ICS/SCADA industrial equipment.

After the publication of an article in Security Affairs called "ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems," security researchers took to Twitter to criticize the company for what they felt were false claims about real-world attacks, an orchestrated media stunt, and the absence of any published research they could vet.

Company apologizes for miscommunication

Following this criticism, the company ended up apologizing, saying it had forgotten to mention that ClearEnergy was only a proof-of-concept ransomware, and promised to release more details in the coming days.

According to a blog post published a day later, the only thing CRITIFENCE experts revealed was that they had discovered two issues in the Modicon Modbus protocol used in PLCs (Programmable Logic Controllers), equipment that is commonly found in industrial facilities all over the world and used to control and automate sensors and motors.

In their blog post, CRITIFENCE experts claimed to have developed a proof-of-concept ransomware that can use the two issues (CVE-2017-6032 and CVE-2017-6034) to delete a PLC's ladder logic diagram if a ransom isn't paid in due time, effectively wiping the PLC's software.

At the time of writing, CRITIFENCE has not published the technical report they promised.

PLC vulnerabilities are real

Nevertheless, the two security flaws CRITIFENCE discovered are real and have resulted in a patch from Schneider Electric, the PLC vendor whose products are affected.

Earlier this year, researchers from the Georgia Institute of Technology (GIT) created a proof-of-concept ransomware strain named LogicLocker that can alter programmable logic controller (PLC) parameters.
