When Ransomware Meets IoT: What’s Next?

In 2022, according to research from Forescout’s Vedere Labs, two of the biggest threats of the past few years are converging: ransomware and IoT attacks. This new converged threat is known as R4IoT. It’s obvious that ransomware is a menace. According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and again in 2021. IoT attacks are no less serious: in 2016, the Mirai botnet compromised more than 145,000 IoT devices to launch an unprecedented 1Tbps distributed denial of service (DDoS) attack.

Ransomware attacks have grown more sophisticated during the past few years, coupling data exfiltration with encryption to maximize their payouts. Sophisticated ransomware families operate like corporations. Ransomware-as-a-service has commodified these attacks, such that ransomware gangs can target any organization. Meanwhile, digital transformation trends have been driving the rapid adoption of IoT devices and the convergence of IT and OT networks.

IT/OT convergence also represents a serious vulnerability as ransomware and IoT attacks converge. R4IoT demonstrates a “ransomware for IoT” proof-of-concept. If an IoT device is compromised, an attacker could pivot into IT or OT devices, which could impact physical systems. Vulnerable IoT devices, such as IP video cameras, serve as an initial access point, but it is IT/OT convergence that enables this lateral movement.

R4IoT demonstrates how these attacks can exfiltrate data and install cryptomining software in IT environments. Attacks on OT environments target widespread TCP/IP stack vulnerabilities, so they do not require a specific operating system or device type, nor do they need to modify firmware on these devices.

Since the publication of R4IoT, there have been several incidents showing threat actors leveraging IoT devices for initial access. For instance, researchers uncovered the multiple extortion methods of DeadBolt, ransomware that targeted internet-exposed QNAP and Asustor network attached storage (NAS) devices and provided ransom payment options both for victims and for the vendors themselves. Other ransomware groups were found to exploit 0-day remote code execution vulnerabilities in VoIP appliances. Finally, the sophisticated remote access Trojan ZuoRAT was found to initially target routers and then enumerate and move laterally to workstations in the victim’s network. Beyond that, we spoke directly with security leaders at financial organizations, who confirmed that IP cameras are among their riskiest devices according to their own internal security assessments.

R4IoT Control

There are multiple ways to mitigate the impact of ransomware for IoT and minimize the risk of this threat. For example, here are three mitigation steps based on the NIST Cybersecurity Framework that could be applied to ransomware attacks:

Identification and Protection – Ransomware families tend to be very active with numerous simultaneous attacks. For example, Conti launched more than 400 attacks in 2021. Analyzing such a high volume of attacks can reveal which vulnerabilities are being exploited so that they can be remediated or mitigated.
Detection – Most tactics, techniques and procedures (TTPs) that ransomware threat actors use are well-known and can be detected on the network. For example, tools such as Cobalt Strike and malicious PowerShell scripts are among the favorites for these attacks.
Response and Recovery – According to FireEye, the average dwell time for ransomware attacks is five days. Although ransomware attacks are incredibly efficient, they are not fully automated, which often leaves time for incident response and recovery before data encryption.

Here are some other pragmatic and foundational steps to pursue to mitigate R4IoT:
Create a Device Inventory – Discover your connected devices, and classify and assess them against company policies.
Network Monitoring and Threat Hunting – Obtain visibility into assets and their communications to monitor for threat and vulnerability indicators.
Network Segmentation – Apply context-aware segmentation policies to minimize the blast radius of initial access.
Automate Policy Enforcement – Integrate across solutions to enable automated mitigation of risks.
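The four steps above form one workflow: inventory and classify devices, watch their communications, check those communications against a segmentation policy, and turn violations into enforcement actions. The following Python sketch is an added example of that workflow and is not Forescout or Vedere Labs code. The device records, zone names, policy rules and flow records in it are all constructed for illustration; real deployments would feed them from a discovery tool and flow collector, and the policy (cameras may only reach the video recorder, only engineering stations may reach PLCs) is an assumed one.

```python
"""Toy inventory-plus-segmentation check for an R4IoT-style scenario.

Added example, not Forescout/Vedere Labs code. All device records, zone
names, policy rules and flow records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    kind: str              # "camera", "nas", "workstation", "plc", "recorder", "unknown"
    zone: str              # network segment the device sits in
    internet_exposed: bool # reachable from the internet per the discovery scan


# Constructed inventory: the device types the article names (IP cameras, NAS)
# plus the IT and OT assets an intruder on a camera would try to pivot to.
INVENTORY = [
    Device("10.10.1.20", "camera", "iot-cameras", internet_exposed=False),
    Device("10.10.1.21", "camera", "iot-cameras", internet_exposed=True),
    Device("10.10.2.5", "nas", "storage", internet_exposed=True),
    Device("10.10.5.2", "recorder", "video-mgmt", internet_exposed=False),
    Device("10.20.0.15", "workstation", "corp", internet_exposed=False),
    Device("10.30.0.7", "plc", "ot", internet_exposed=False),
    Device("10.10.1.99", "unknown", "iot-cameras", internet_exposed=False),
]

# Constructed segmentation policy: which source zone may initiate traffic to
# which destination zone. Any zone pair not listed here is a violation.
ALLOWED_ZONE_FLOWS = {
    ("iot-cameras", "video-mgmt"),  # cameras stream to the recorder only
    ("corp", "storage"),            # users read and write the NAS
    ("corp", "video-mgmt"),         # operators view footage
    ("ot-eng", "ot"),               # only engineering stations reach PLCs
}

# Constructed flow records (src_ip, dst_ip, dst_port), as a flow collector
# would summarise them.
FLOWS = [
    ("10.10.1.20", "10.10.5.2", 554),   # camera -> recorder RTSP: allowed
    ("10.20.0.15", "10.10.2.5", 445),   # workstation -> NAS SMB: allowed
    ("10.10.1.21", "10.20.0.15", 445),  # camera -> workstation SMB: pivot into IT
    ("10.10.1.21", "10.30.0.7", 502),   # camera -> PLC Modbus: pivot into OT
    ("10.10.2.5", "10.20.0.15", 22),    # NAS -> workstation SSH: unexpected
]


def zone_of(ip, inventory):
    """Step 1: map an address to its segment; unknown addresses get a zone
    that no policy rule ever allows, so unmanaged devices always surface."""
    for device in inventory:
        if device.ip == ip:
            return device.zone
    return "unmanaged"


def assess_inventory(inventory):
    """Step 1 continued: findings that need no traffic at all, such as an
    internet-exposed camera or NAS, or a device nobody has classified."""
    findings = []
    for device in inventory:
        if device.kind in {"camera", "nas"} and device.internet_exposed:
            findings.append((device.ip, f"internet-exposed {device.kind}"))
        if device.kind == "unknown":
            findings.append((device.ip, "unclassified device in segment"))
    return findings


def find_segmentation_violations(flows, inventory, allowed):
    """Steps 2 and 3: every observed flow whose (source zone, destination
    zone) pair is not explicitly allowed is a segmentation violation."""
    violations = []
    for src, dst, port in flows:
        zones = (zone_of(src, inventory), zone_of(dst, inventory))
        if zones not in allowed:
            violations.append({"src": src, "dst": dst, "port": port, "zones": zones})
    return violations


def recommend_actions(violations):
    """Step 4: a source crossing two or more forbidden boundaries looks like
    lateral movement and is quarantined; a single crossing raises an alert."""
    crossings = Counter(v["src"] for v in violations)
    return {src: ("quarantine" if n >= 2 else "alert") for src, n in crossings.items()}


if __name__ == "__main__":
    for ip, finding in assess_inventory(INVENTORY):
        print(f"inventory: {ip} {finding}")
    found = find_segmentation_violations(FLOWS, INVENTORY, ALLOWED_ZONE_FLOWS)
    for v in found:
        print(f"violation: {v['src']} -> {v['dst']}:{v['port']} crosses {v['zones']}")
    for ip, action in recommend_actions(found).items():
        print(f"action: {action} {ip}")
```

On the constructed data the camera at 10.10.1.21 is flagged twice before any traffic is seen (internet-exposed) and then again for reaching both a corporate workstation and a PLC, which is exactly the camera-to-IT/OT pivot the R4IoT proof-of-concept describes; the check would quarantine it while only alerting on the single NAS-to-workstation anomaly. The allow-list shape of the policy matters: an unlisted or unmanaged device never silently passes.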

The conclusion is clear: The attack surface of organizations is increasing, with IoT devices being targeted routinely by cybercriminals. Therefore, we recommend that beyond the traditional cyber hygiene practices mentioned above, mitigation should prioritize this increased attack surface based on up-to-date threat intelligence showing what types of devices are currently targeted. A good way to start is by focusing on your IP cameras and NAS devices, the exact device types used in the R4IoT proof-of-concept and the ones now being exploited by threat actors.


Daniel dos Santos

Daniel dos Santos is the Head of Security Research at Forescout's Vedere Labs, where he leads a team of researchers that identifies new vulnerabilities and monitors active threats. He holds a PhD in computer science, has published over 30 journal and conference papers on cybersecurity and has spoken at conferences such as Black Hat, Hack In The Box, and x33fcon.
