Ransomware as examined in the context of the internet of things (IoT) is not a new discussion. When ransomware attacks were gaining momentum and IoT adoption started to expand, security experts already began to look at the potential risks of ransomware attacks when they involve the IoT.
IoT and ransomware are worth reexamining now that a different breed of ransomware families are targeting organizations and IoT use has become widespread in the industrial sector.
Ransomware attacks hinge on being timely, critical, and irreversible. The involvement of IoT in ransomware campaigns can amplify the impact of attacks because of cascading consequences especially in the case of critical infrastructure. In addition, IoT devices widen the attack surface through which ransomware can be deployed. These are conditions that can exacerbate disruptions.
Ransomware operators like DarkSide have set their sights on critical infrastructures or high-profile targets. These organizations likely rely on operational technology (OT) and industrial control systems (ICS), which raises the urgency and the stakes involved in a ransomware attack. Ransomware attacks have become such a threat to OT assets that the US Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet to inform organizations about them.
Attacks that involve OT systems can be dangerous and have cascading effects down the supply chain, pressuring victim organizations to comply with ransom demands. The convergence of IT and OT components can open a path for attackers to cross from IT to OT networks.
It is important to note, however, that ransomware rarely target OT systems directly. The EKANS ransomware is a rare example that is capable of stopping ICS software processes, while most ransomware families today, such as Ryuk, REvil, and Conti, target IT systems. However, intrusions into the IT network can disrupt and impact the OT network even if it has not been infected directly by ransomware. This was the case for Colonial Pipeline, which had to shut down its systems to prevent the ransomware from infecting its industrial network. Unfortunately, this necessary measure could not prevent fuel shortages in several US states from happening as a result. Other indirect effects of ransomware on OT systems could be loss of visibility and theft of operational information.
Disruption is also the main goal for ransomware attacks in other industries, which likely also rely to some extent on IoT devices and systems. In the Trend Micro midyear roundup, we reported how manufacturing, healthcare, and food and beverage were among the top five industries that saw the most ransomware activity.
The healthcare industry saw attacks from the likes of Ryuk and Conti ransomware families, which added pressure to an already strained healthcare system amidst the pandemic. It is difficult to determine if these recent attacks had a direct impact on medical devices, but ransomware has been known to infect medical devices before. Connected medical devices, while incredibly useful today, can also act as entry points for attacks if not properly managed. Medical devices also carry vulnerabilities and flaws that make them susceptible to malware infection.
Aside from the healthcare industry, the food production industry has also adopted IoT tools and systems to optimize production. According to an FBI advisory, ransomware attacks are targeting the food and agriculture sector to exfiltrate and encrypt data. They note how the sector is becoming increasingly more reliant on IoT processes, expanding the attack surface. Some of these attacks did not only cost the victims, but also affected the supply chain, driving prices up for consumers.
The IoT can significantly redefine the attack surface an organization would need to secure. This concern also includes every-day IoT devices such as smart appliances and routers. Once set up, some IoT devices, specifically routers, are often forgotten in the background, never to be examined again unless something goes wrong. But these devices can be exploited to allow ransomware to enter a system. Botnet malware, a well-known problem for IoT devices, can also be used to distribute other malware. In our research on IoT botnets, we found that it is still possible for routers to remain infected with a botnet that has been defunct for two years, highlighting how seemingly simple devices can act as a doorway for critical attacks.
IoT ransomware is a ransomware attack targeting IoT devices. In such a scenario, threat actors control or lock a device (or several devices) to extort payment. An example of a ransomware variant that crossed over to a specific IoT device is FLocker, an Android mobile lock-screen ransomware that shifted to smart TVs. Two separate researches have also tested ransomware attacks on a smart thermostat device and a coffee machine. Such attacks have not progressed much in recent years.
Most ransomware attacks affect NAS devices and routers, which can be a concern for consumers. In general, they have yet to pose a major threat to organizations, because threat actors will have little to gain from executing them.
Organizations that are hit by ransomware attacks, such as those we have discussed here, can suffer from significant financial losses, not only from paying the ransom, but also from operational delays and remediation costs. Ransomware campaigns now involve a data theft component for double extortion schemes in which victims are susceptible to losing mission critical data and suffer reputational damage.
To defend against ransomware, organizations have to address the security gaps that can open a path for critical attacks. In the realm of the IoT, these security concerns include the following:
The best way to deal with ransomware, especially those that involve the IoT, is to prevent them from happening. Like any other threat actor, ransomware operators are more likely to take the path of least resistance to reach their targets. Organizations need to address possible entry points for ransomware attacks and keep their IoT environments adequately secured.
Here are steps organizations can take to defend against ransomware attacks:
The IoT has much in store for the future. While the pandemic caused IoT implementation to slow down, many industries since have observed the benefits of the IoT especially in a time when remote work and social distancing became the norm. The reality of 5G can also easily reignite plans to move forward. Unfortunately, current times also had a reinventive effect on ransomware. Threat actors have found new opportunities in their targeted attacks and double extortion schemes. Industries that have much at stake — many often involve IT/OT systems — are prime targets. Organizations need to reexamine their current defenses especially for ransomware and plan an effective implementation of the IoT to reap the benefits of this technology without fear of it being used in ransomware campaigns.