Hsinchu, Taiwan – Nov 3, 2021 – It is very surprisingly that FBI, CISA (Cybersecurity and Infrastructure Security Agency), EPA (Environmental Protection Agency) and NSA (National Security Agency) of the United States of America issued a joint alert on October 14, 2021 - “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems”. This joint alert mentioned that three previously unreported ransomware attacks that impacted ICS (industrial control systems) at water facilities. Precisely speaking, the SCADA (supervisory control and data acquisition) Systems were attacked by ransomware in these three water facilities.

The SCADA example picture. Retrieved Nov 3, 2021, from https://en.wikipedia.org/wiki/SCADA

For decades, we have referred to computers and data networks as IT (information technology); the operation and program control of ICS (industrial control system) is usually referred to as OT (operational technology). IT and OT have different focuses. The focus of OT is the stable and smooth operation in long time. OT was usually operated in an isolated network and thus is very safe.

However, IT and OT are usually integrated nowadays for convenience and efficiency. This exposes the OT network to the large amount of malicious content from IT network. Furthermore, there are some malware which is designed for targeting to industrial systems like nuclear power plant or other public facilities. The OT network is as dangerous as the IT network now.

The joint alert mentioned that Ghost and ZuCaNo variant ransomware are two of the three assassins which cyber-attacked the water facilities. The third assassin is an unknown ransomware. Actually the Ghost and ZuCaNo ransomware are quite old and have many variants. Ghost is also known as Farfli and ZuCaNo is derived from the Xorist virus.

Lionic has been watching out these Ghost/Farfli and ZuCaNo/Xorist families long time ago. So far, Lionic has collected roughly three thousands of Ghost/Farfli variant ransomware and roughly one thousand of ZuCaNo/Xorist variant ransomware. Their amounts are still keeping growing. Due to these large amounts, Lionic anti-virus technology based products should enable the cloud based scan to obtain the full protection against the Ghost/ZuCaNo families of ransomware.

Partial list of Cloud Anti-Virus rules for Ghost/Farfli variant ransomware:

Rule ID Virus Name Release Date
9048798840803219 Trojan.Win32.Farfli.m 2021-10-26
9022547998911384 Trojan.Win32.Farfli.m 2021-10-25
9146834145384677 Trojan.Win32.Farfli.m 2021-10-14
9042297924008237 Trojan.Win32.Farfli.m 2021-10-12
9061841733620148 Trojan.Win32.Farfli.m 2021-10-10
9089748810901273 Trojan.Win32.Farfli.m 2021-10-05
9094915515665661 Trojan.Win32.Farfli.m 2021-10-05
9152371980257502 Trojan.Win32.Farfli.m 2021-09-24
9166104037500258 Trojan.Win32.Farfli.m 2021-09-24
9013335721520404 Trojan.Win32.Farfli.m 2021-09-22
9165963568549027 Trojan.Win32.Farfli.m 2021-09-16
9039165032608294 Trojan.Win32.Farfli.m 2021-09-16
9170526783068062 Trojan.Win32.Farfli.m 2021-09-15
9003301358627921 Trojan.Win32.Farfli.m 2021-09-10
9123589396959496 Trojan.Win32.Farfli.m 2021-09-09
9083310299999579 Trojan.Win32.Farfli.m 2021-09-09

Partial list of Cloud Anti-Virus rules for ZuCaNo/Xorist variant ransomware:

Rule ID Virus Name Release Date
9166493005405686 Trojan.Win32.Xorist.j 2021-10-18
9067294339787712 Trojan.Win32.Xorist.j 2021-07-30
9048841483316589 Trojan.Win32.Xorist.j 2021-07-28
9052509818169155 Trojan.Win32.Xorist.j 2021-07-28
9086982631637724 Trojan.Win32.Xorist.j 2021-07-28
9070000048607928 Trojan.Win32.Xorist.j 2021-07-28
9080907590657780 Trojan.Win32.Xorist.j 2021-07-28
9054386581603980 Trojan.Win32.Xorist.j 2021-07-28
9059517299334413 Trojan.Win32.Xorist.j 2021-07-26
9149937347874699 Trojan.Win32.Xorist.j 2021-06-09
9014453044295455 Trojan.Win32.Xorist.j 2021-06-09
9105044353323474 Trojan.Win32.Xorist.j 2021-06-06
9130371382114136 Trojan.Win32.Xorist.j 2021-06-05
9138520880569470 Trojan.Win32.Xorist.j 2021-06-05
9250698163532743 Trojan.Win32.Xorist.j 2021-05-30
9122130342028587 Trojan.Win32.Xorist.j 2021-05-29
9068599240069620 Trojan.Win32.Xorist.j 2021-05-19
9014893740863258 Trojan.Win32.Xorist.j 2021-05-19
9171335746850719 Trojan.Win32.Xorist.j 2021-05-11
9118060765663779 Trojan.Win32.Xorist.j 2021-05-07

Once the OT network connected to IT network, the OT network should watch out the malware and cyber-intrusions both. Some OT network security devices have anti-intrusion ability only and no anti-virus ability. It is not enough for all the possible cyber-threats now.

This water facilities ransomware event serves as a powerful reminder of how important it is to install one Pico-UTM 100 for one important machine in OT network. Pico-UTM 100 has full protection including Anti-Virus, Anti-Intrusion, Anti-WebThreat and Firewall features. Also, the operating systems of equipment in OT network are very old Windows, Linux or other operating systems usually. There are many known vulnerabilities in these old operating systems. And these old operating systems are very hard to upgrade usually. Pico-UTM 100 also has anti-virus and anti-intrusion rules for protecting the old MS-Windows and other OS just like “Virtual Bug Fixes” or “Virtual Patch”.

It is highly possible that those water facilities can minimize the impact of the ransomware catastrophe if they deploy large amount of Pico-UTM 100 in their OT network. We recommend the managers of OT networks can think about deploying one Pico-UTM 100 for one important machine to block the ransomware and old vulnerabilities attacks in advance.



  1. Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems, https://us-cert.cisa.gov/ncas/alerts/aa21-287a
  2. Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
  3. SCADA, https://en.wikipedia.org/wiki/SCADA
  4. Stuxnet, https://en.wikipedia.org/wiki/Stuxnet


關於Lionic Corporation

Lionic Corporation是創新的「深層數據包檢測」解決方案的全球供應商。 Lionic的技術包括完整的基於DPI的軟件引擎和相關的管理軟件,這些軟件提供可解決防病毒,防入侵,防網絡威脅的「安全解決方案」。 以及「內容管理解決方案」,用於解決應用程序標識,設備標識,基於應用程序的QoS,Web內容過濾,家長控制。

Lionic的安全和內容管理解決方案,基於雲的掃描服務和簽名訂閱服務已經在世界範圍內廣泛部署, 他們幫助服務供應商,網絡設備製造商,半導體公司等,以實現下一代家用商業路由器網關,SD WAN邊緣和雲網關,高級防火牆,UTM,智慧網卡和移動設備。 那些由Lionic支持的產品可提供更好的網絡管理和保護全球網絡免受不斷增加的安全威脅。