News

Trend Micro Baits Ransomware Attackers in Honeypot Scheme

• By Kurt Mackie
• 01/21/2020

A new report from security solutions provider Trend Micro documents the company's lessons after baiting attackers with an industrial control system (ICS) "honeypot."

The ICS honeypot used bad security practices to attract attackers, showing the kinds of methods that get used. The honeypot consisted of a fake ICS company constructed by Trend Micro, with its network going live in May. It attracted attackers that installed coin miner software and ransomware within a few months' time.

A cryptocurrency miner was installed in July, and Crysis ransomware was added in September. In November, another attack on the network occurred, disguising itself as ransomware. As time passed, the number of attacks grew.

To encourage these attacks, Trend Micro mimicked an ICS network, creating a fictitious company called MeTech with fake personnel. The company supposedly worked in the industrial design sector and had big clients in the "military, avionic and manufacturing sectors." The notion that MeTech had been attacked was also spread by Trend Micro to attract attention.

Trend Micro also did "everything wrong" in terms of security to draw the attacks. MeTech's virtual network was open with no password control for remote access. Least-privilege network access practices were not followed. Trust between routers wasn't enforced. Trend Micro even reused the same password across the network, although the attackers didn't appear to exploit that lapse.

The report noted that those sorts of bad IT practices are "not uncommon" with small businesses that have few or no IT personnel.

Trend Micro took care to make MeTech seem real, so it used AI-generated photos of nonexistent company officials on MeTech's Web site. The effort apparently fooled the attackers. At one point, Trend Micro was involved in negotiating the price of decrypting its files following a ransomware attack.

"Organizations should ensure that their equipment and the components of their ICSs are not exposed online, as we purposely did with our various 'misconfigurations,'" Trend Micro commented in the report.

Another recommendation is to avoid using the same admin passwords across the network. In addition, "strict authentication policies" in the network should be used to deter intruders, Trend Micro advised.