IoT Ransomware

Jul 16, 2021 | breach, IoT Vendors, Security

As Internet of Things (IoT) devices become more prevalent, they give attackers more points of ingress into networks. To date, IoT devices have typically been only the entry point, from which attackers move laterally to reach the IT systems that actually hold data. A relatively new development is ransomware installed on the connected devices themselves. A compromised smart light bulb in your house, if it can be established that the attack was confined to it, may not be worth paying a ransom over, but that calculation changes for larger deployments at organisational level.

With IoT such an important part of our future, we need to understand how vulnerable these systems are so that we can protect them from attack. This article explains some of the more pressing implications of IoT-related ransomware, and how you can protect against it.

How Does IoT Ransomware Work?

Traditionally, ransomware works by locking up files on affected devices, usually computers compromised by malware. The malware encrypts documents and other data stored on the device, making them inaccessible unless the victim meets the attacker's demands. To unlock the files, victims must send money, usually Bitcoin, to wallets controlled by the criminals. Victims who don't comply risk losing valuable personal information, or having their business hobbled when critical systems fail to operate.

If you can't, or won't, pay, there may not be much you can do except wait for (unlikely) remediation from a cybersecurity services firm, or until you are willing to find the funds to meet the demand. This has reached a point where even the FBI has vacillated between advising businesses that can meet the demand to pay and advising them to refuse.

What makes IoT ransomware different is that, until recently, ransomware typically targeted individual users' PCs or unpatched servers. Now we are seeing IoT ransomware target entire fleets of a device type within an organisation: if a business has deployed one IoT device, there is a good chance it has deployed hundreds or even thousands of identical ones, sharing the same firmware, the same configuration and the same weaknesses, so whatever infected the first is very likely to infect the rest. Once a single device is compromised, the whole organisation may well be. This is feeding a huge increase in the prevalence of ransomware as IoT explodes, with industry estimates projecting costs of USD$265 billion over the next decade, USD$20 billion in 2021 alone, a nearly 600% increase since 2015.

IT systems hit by ransomware are typically encrypted, so you lose access to your files. IoT devices, by contrast, hold little data locally; their data lives off the device, and often off the local network altogether. What the attacker holds hostage is therefore the device's functionality rather than its data.

Unlike IT systems, the majority of IoT devices have no screen on which to display a ransom note, so the attacker has to notify the victim by other means that their devices are being held to ransom. An IoT ransomware attack is therefore, of necessity, highly targeted, and more effort for the attacker to mount. The end result is that attackers will tend to go after high-value systems in sophisticated ways, rather than running broad, high-volume malware campaigns.

Because there is no encryption, and so nothing irreversible, in this kind of ransomware, the attacker's leverage is time: an IoT device can usually be factory-reset or re-flashed in a relatively short period, so the ransom has to be extracted before the victim can recover. That is why we are likely to see these ransoms increasingly aimed at pivotal targets such as critical infrastructure and the healthcare industry as attackers move beyond what are ostensibly proof-of-concept attacks; seconds matter in those industries. Expect more instances of public utilities being locked, with the ransom demand made immediately and the deadline measured in hours rather than days or weeks, because attackers know what even minutes of downtime costs those systems.

IoT ransomware has been around since at least 2014, when researchers first reported attackers using botnets to infect IoT devices such as cameras, printers and routers and demanding payment to restore them. Since then security researchers have reported several new variants of IoT ransomware, including forks of "WannaCry", which in 2017 spread rapidly through unpatched Windows machines, repurposed to target IoT devices. WannaCry was so effective because it exploited a vulnerability in Microsoft's SMBv1 implementation (via the EternalBlue exploit), allowing it to propagate between Windows hosts with no user interaction, including the Windows-based embedded and OT systems found on factory floors and in hospitals; the fork in question reportedly carried payloads for both OT and IoT systems in one.

One particularly alarming infection that specifically targets IoT endpoints is a variant of the Mirai family named "OMG", identified by researchers as ELF_MIRAI.AUSX. It has been observed against several types of IoT device, such as DVRs, IP cameras, smart TVs, set-top boxes, printers and NAS systems, all of which were still using factory default credentials. Some of these infected devices were (and some likely still are) reachable from outside the network via telnet, a web interface or similar means, while also serving as botnet nodes. In addition to Mirai's original broad-sweeping scan-and-login technique, OMG adds capabilities of its own (notably turning the infected device into a proxy server) and techniques aimed at specific device models, making for more directed attacks.
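Because a Mirai-style infection begins with a burst of default-credential logins over telnet, the defensive signal is visible in the device's (or a telnet proxy's) authentication log before any payload lands. The following Python is an added example, not CyAmast's code and not part of the original article: it runs a sliding-window detector over constructed syslog-style lines, flags a source that cycles through usernames from Mirai's hard-coded list, and then flags the device as compromised when a login from that source succeeds. The log format, hostnames and addresses are invented for the example.

```python
"""Mirai-style default-credential detection over telnet auth logs (example code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Usernames from the credential list hard-coded in the leaked Mirai source.
# A burst of failures that cycles through these is the bot's signature.
MIRAI_USERS = {"root", "admin", "support", "user", "guest", "service",
               "supervisor", "administrator", "666666", "888888", "ubnt", "tech"}

# Log line format assumed for this example (constructed, not a real device's syslog):
#   <ISO-8601 time> <host> telnetd: FAILED|ACCEPTED login for '<user>' from <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<outcome>FAILED|ACCEPTED) "
    r"login for '(?P<user>[^']*)' from (?P<src>\S+)$")


def parse_line(line):
    """Parse one log line into an event dict, or None if it is not a telnetd auth line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "ok": m["outcome"] == "ACCEPTED", "user": m["user"], "src": m["src"]}


def detect_stuffing(lines, window_s=60, threshold=5):
    """Return alerts for sources that brute-force a device with Mirai's user list.

    A 'mirai-style-stuffing' alert fires once per (source, device) when at
    least `threshold` failures land inside `window_s` seconds and at least two
    distinct Mirai usernames were tried.  A 'default-credential-compromise'
    alert fires when a login from that source then succeeds.
    """
    window = timedelta(seconds=window_s)
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (src, host) -> events still inside the window
    bursting = set()              # (src, host) pairs already flagged as a burst
    alerts = []
    for e in events:
        key = (e["src"], e["host"])
        q = recent[key]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:   # expire events outside the window
            q.popleft()
        fails = [x for x in q if not x["ok"]]
        users = {x["user"] for x in fails}
        if (key not in bursting and len(fails) >= threshold
                and len(users & MIRAI_USERS) >= 2):
            bursting.add(key)
            alerts.append({"kind": "mirai-style-stuffing", "src": e["src"],
                           "host": e["host"], "failures": len(fails),
                           "users": sorted(users), "at": e["ts"].isoformat()})
        if e["ok"] and key in bursting:
            # A success right after a burst means a factory default worked:
            # treat the device as compromised, not merely probed.
            alerts.append({"kind": "default-credential-compromise", "src": e["src"],
                           "host": e["host"], "user": e["user"], "at": e["ts"].isoformat()})
            bursting.discard(key)   # one compromise alert per burst
    return alerts


# Constructed sample: a Mirai-style sweep against cam01 that eventually
# succeeds, plus a single operator typo on nas02 that must not alert.
SAMPLE_LOG = """\
2021-07-16T10:02:01 cam01 telnetd: FAILED login for 'root' from 203.0.113.5
2021-07-16T10:02:02 cam01 telnetd: FAILED login for 'root' from 203.0.113.5
2021-07-16T10:02:03 cam01 telnetd: FAILED login for 'admin' from 203.0.113.5
2021-07-16T10:02:04 cam01 telnetd: FAILED login for 'support' from 203.0.113.5
2021-07-16T10:02:05 cam01 telnetd: FAILED login for 'user' from 203.0.113.5
2021-07-16T10:02:06 cam01 telnetd: FAILED login for '666666' from 203.0.113.5
2021-07-16T10:02:07 cam01 telnetd: ACCEPTED login for 'root' from 203.0.113.5
2021-07-16T10:05:30 nas02 telnetd: FAILED login for 'operator' from 10.0.0.7
2021-07-16T10:05:41 nas02 telnetd: ACCEPTED login for 'operator' from 10.0.0.7
not a telnetd line at all
"""

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert is the one that matters operationally: a stuffing burst against a telnet-exposed device is routine background noise on the internet, but a success from the same source inside the window means the device was still on a factory credential and should be isolated and re-provisioned rather than merely watched.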

IoT Device Security

The good news is that the situation is changing. The adoption of the M.U.D. standard (Manufacturer Usage Description, RFC 8520), under which a manufacturer publishes the network behaviour its device legitimately needs so that the network can deny everything else, together with increasingly informed customers, particularly at business level, means that manufacturers are starting to take heed.

The bad news is that we are still not seeing many mass-produced products keeping security at the forefront, and there is a (largely) commercially driven unwillingness among manufacturers, even of Industrial IoT devices, to update older models with firmware that supports M.U.D., or indeed any other security measures.
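To make M.U.D. concrete, the following Python is an added example, not CyAmast's code and not a file published by any vendor: it loads a reduced, constructed MUD document for a hypothetical IP camera and checks a set of constructed flow records against it, reporting every flow the profile does not permit, which is exactly the deviation from an expected behavioural profile that a scanning or beaconing device produces. Real enforcement happens at the switch or gateway, which resolves the DNS names in the MUD file itself; here the flows already carry names, and only the eq/neq port operators and port ranges are implemented. The host names, addresses and ACL names are invented.

```python
"""Checking device traffic against a MUD-style allowlist (example code)."""
import json

# Reduced MUD document for a hypothetical IP camera.  It is constructed for this
# example and follows the RFC 8520 layout ("ietf-mud:mud" naming the ACLs,
# "ietf-access-control-list:acls" holding them), but drops fields a real file
# carries such as mud-url, last-update, cache-validity and is-supported.
MUD_JSON = r"""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "systeminfo": "Constructed IP camera profile",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "cam-from-v4"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "cam-to-v4"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {"name": "cam-from-v4", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "rtsp-to-nvr",
         "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "nvr.example.internal"},
                     "tcp": {"destination-port": {"operator": "eq", "port": 554}}},
         "actions": {"forwarding": "accept"}},
        {"name": "firmware-update",
         "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "update.vendor.example"},
                     "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}},
        {"name": "ntp",
         "matches": {"ipv4": {"protocol": 17, "ietf-acldns:dst-dnsname": "ntp.example.internal"},
                     "udp": {"destination-port": {"operator": "eq", "port": 123}}},
         "actions": {"forwarding": "accept"}}
      ]}},
      {"name": "cam-to-v4", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "nvr-pulls-rtsp",
         "matches": {"ipv4": {"protocol": 6, "ietf-acldns:src-dnsname": "nvr.example.internal"},
                     "tcp": {"destination-port": {"operator": "eq", "port": 554}}},
         "actions": {"forwarding": "accept"}}
      ]}}
    ]
  }
}
"""


def load_policy(doc):
    """Resolve the from-device and to-device ACL name lists into the ACL objects."""
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}

    def listed(policy):
        return [acls[x["name"]] for x in mud[policy]["access-lists"]["access-list"]]
    return {"from": listed("from-device-policy"), "to": listed("to-device-policy")}


def _ace_matches(ace, flow):
    """True if every match clause in the ACE agrees with the flow.

    Flow fields: dir ("from" = device-initiated, "to" = inbound), proto (IP
    protocol number), peer (remote host name, assumed already resolved) and
    dport (destination port of the packet: the remote port for from-device
    flows, the device's own port for to-device flows).
    """
    m = ace.get("matches", {})
    ip = m.get("ipv4", {})
    if "protocol" in ip and ip["protocol"] != flow["proto"]:
        return False
    name_key = "ietf-acldns:dst-dnsname" if flow["dir"] == "from" else "ietf-acldns:src-dnsname"
    if name_key in ip and ip[name_key] != flow["peer"]:
        return False
    port = (m.get("tcp") or m.get("udp") or {}).get("destination-port")
    if port:
        op = port.get("operator", "eq")            # only eq/neq and ranges handled here
        if "port" in port and op == "eq" and port["port"] != flow["dport"]:
            return False
        if "port" in port and op == "neq" and port["port"] == flow["dport"]:
            return False
        if "lower-port" in port and not (port["lower-port"] <= flow["dport"] <= port["upper-port"]):
            return False
    return True


def evaluate_flow(policy, flow):
    """Return (accepted, ace_name).  MUD is default-deny: no matching ACE means drop."""
    for acl in policy[flow["dir"]]:
        for ace in acl["aces"]["ace"]:
            if _ace_matches(ace, flow):
                return ace["actions"]["forwarding"] == "accept", ace["name"]
    return False, None


def find_deviations(policy, flows):
    """Flows the profile does not permit: the raw material for an anomaly alert."""
    out = []
    for f in flows:
        ok, ace = evaluate_flow(policy, f)
        if not ok:
            out.append({"flow": f, "reason": "no accepting ACE" if ace is None else f"denied by {ace}"})
    return out


# Constructed flow records seen from/to the camera (peer names already resolved).
SAMPLE_FLOWS = [
    {"dir": "from", "proto": 6,  "peer": "nvr.example.internal",  "dport": 554},  # normal video stream
    {"dir": "from", "proto": 17, "peer": "ntp.example.internal",  "dport": 123},  # time sync
    {"dir": "from", "proto": 6,  "peer": "192.0.2.44",            "dport": 23},   # telnet to a neighbour: scanning
    {"dir": "from", "proto": 6,  "peer": "update.vendor.example", "dport": 443},  # firmware check
    {"dir": "to",   "proto": 6,  "peer": "198.51.100.9",          "dport": 23},   # inbound telnet from the internet
    {"dir": "from", "proto": 6,  "peer": "c2.example.net",        "dport": 443},  # TLS to an unknown host
    {"dir": "to",   "proto": 6,  "peer": "nvr.example.internal",  "dport": 554},  # NVR pulling the stream
]

POLICY = load_policy(json.loads(MUD_JSON))

if __name__ == "__main__":
    for d in find_deviations(POLICY, SAMPLE_FLOWS):
        print(d["reason"], d["flow"])
```

Note that the unknown TLS connection on port 443 is caught even though the camera is allowed to use 443: the MUD profile is keyed on destination name as well as port, which is what separates a legitimate firmware check from a beacon. The same default-deny evaluation can be run against a profile learned from observed traffic for devices whose manufacturer never shipped a MUD file.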

CyAmast expands on the capabilities of other solutions in the market by halting anomalous behaviour before a compromise can have an impact. By detecting deviations from a device's established behavioural profile, remediation steps can be taken and the issue isolated and resolved. This means that devices with no security measures of their own, and older devices, are still protected, including against the threats explored in this article.

If you’d like to see how CyAmast can help you improve your operational efficiencies and boost your security posture, reach out today.