Vedere Labs details Ransomware for IoT approach of IT, OT, IoT asset vulnerabilities exploited by ransomware hackers

Forescout Technologies’ Vedere Labs has provided details of a new attack approach called Ransomware for IoT or R4IoT. The proof of concept covers next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT (operational technology) security practices to cause physical disruption to business operations. By compromising IoT, IT, and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to cause physical disruption of business operations. 

The San Jose, California-based company also released a detailed playbook describing how organizations can protect themselves against a new ransomware attack that leverages IoT devices to deploy ransomware. In addition, the report includes a comprehensive, proof-of-concept demonstration of the new attack vector that Vedere Labs predicts will be the next step in ransomware evolution. 

Vedere Labs said that IoT, IoMT (Internet of Medical Things), and OT devices combined represent 44 percent of the total devices in enterprise networks. Thus, ransomware hackers focusing on IT equipment are missing almost half of the available attack surface. Healthcare is the most affected vertical, with more than 100,000 devices impacted by Project Memoria. The most common OT/IoT devices are PLCs, building automation controllers, and infusion pumps.

The report also said that more than half a million devices are running TCP/IP stacks vulnerable to Project Memoria, spread out across organizations in almost every industry vertical. This means that exploiting these devices with similar, simple denial-of-service attacks gives attackers the ability to disrupt many types of organizations.

The proof-of-concept ransomware exploits the first trend (growth in IoT devices) by using exposed, vulnerable devices, such as an IP video camera or network-attached storage (NAS) device, as the initial access point to the network. It exploits the second trend (convergence of IT and OT networks) to hold OT devices hostage, thereby adding another layer of extortion to an attack campaign. 

R4IoT results from Vedere Labs’ continuous analysis of how ransomware gangs have been evolving in past years. Apart from adding new layers of extortion, such as data exfiltration and denial of service, the report said that major ransomware gangs such as Conti and ALPHV have been focusing on exploiting network infrastructure devices and increasing the sophistication of their ransomware payloads.

The need for a study like R4IoT emerged from observing an increase in the number and diversity of IoT, IoMT, and OT devices connected to standard corporate IT networks. Such devices increase the risk posture in nearly every business that has to now deal with the growth of IoT in corporate networks, IT/OT convergence, and the rise of supply chain vulnerabilities. 

The Vedere Labs study intends to prepare businesses and cybersecurity at large to deal with an inevitable increase in sophistication and scope of traditional ransomware. This is done by providing a step-by-step demonstration of how IoT and OT exploits can be combined with a ‘traditional’ ransomware campaign. Additionally, a playbook for mitigating the emerging type of attack by relying on complete visibility and enhanced control of all the assets in a network is provided.

The R4IoT report said that ransomware hackers are after money, and it is safe to say that ransomware is now a billion-dollar industry, with the market leaders taking in tens of millions of dollars per year. Ransomware is also turning out to be very lucrative, and some of the biggest ransom payouts happened in 2021. For instance, Colonial Pipeline and Brenntag reportedly paid US$4.4 million each to DarkSide, whereas JBS paid $11 million to REvil. 

“Although it’s difficult to know exactly how much ransom was paid in total, the US Financial Crimes Enforcement Network investigated 635 suspicious activity reports related to ransomware just in the first half of 2021,” according to the Vedere Labs report. It added that those reports had a total value of $590 million, which was more than the $416 million investigated in all of 2020.

Another misconception the report tried to iron out was that ransomware means malware for data encryption. “It started like that, but ransomware is about getting a ransom – extorting victims via cyberattacks. The goal of ransomware attacks is to force organizations to face a dilemma: pay the ransom and hope that attackers restore access to systems and go away, or don’t pay and try to mitigate the effects of the attack with internal resources,” it added. 

Analyzing the anatomy of the ransomware attacks, the Vedere Labs report said that there are more than 1,000 different identified ransomware variants, with the FBI stating in June that they were tracking more than 100 active groups, each responsible for at least a dozen attacks. “Each ransomware group behaves slightly differently, using diverse tools, infrastructure, and extortion methods. However, the tactics and techniques used during attacks are very similar,” it added.

The high-level anatomy of a ransomware attack begins with initial access: unauthorized access to systems gained either by exploiting local or remote software vulnerabilities, such as buffer overflows or command injection, or through credential-based attacks such as brute-forcing, password spraying, and credential stuffing.

After the initial access to a compromised network, ransomware hackers have three types of tools at their disposal: common exploit/pen-testing frameworks like CobaltStrike and Mimikatz; bespoke hacking tools, which are increasingly less popular; and built-in Windows tools such as RDP, WMIC, net, ping, and PowerShell.

Once several machines have been infected, the attackers can exfiltrate collected data to the C2 or other servers and encrypt the files directly on local machines or over the network (using SMB shares), the report said. The attackers then leave a text file notifying victims of the attack and giving instructions for the ransom payment. The amount an organization ultimately pays to recover its data is usually lower than the initially demanded payment, and is settled after a negotiation period that can take dozens of turns.
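The credential-based initial access described above (brute-forcing and password spraying against exposed devices) is one of the few steps in this anatomy that leaves a clean signal in authentication logs. The following added example, which is not code from the Vedere Labs report, triages failed-login events per source address using two heuristics; the event format and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage of failed-login events for credential-based initial access.

Added example, not from the R4IoT report. The event tuple layout
(src_ip, username, outcome) and the thresholds below are assumptions.
"""
from collections import Counter, defaultdict


def build_sample_events():
    """Constructed sample events (not real data): one source hammers a single
    account, one source tries a single guess against many accounts, and one
    legitimate user mistypes a password once and then succeeds."""
    events = [("203.0.113.7", "admin", "fail")] * 9
    events += [("198.51.100.22", user, "fail")
               for user in ("root", "admin", "operator", "service", "guest", "camera")]
    events += [("192.0.2.5", "alice", "fail"), ("192.0.2.5", "alice", "ok")]
    return events


def triage(events, brute_threshold=8, spray_min_users=5, spray_max_per_user=2):
    """Return {src_ip: (finding, detail)} for sources whose failure pattern
    matches brute-forcing (many failures on one account) or password
    spraying (few failures each across many accounts)."""
    failures = defaultdict(Counter)  # src_ip -> Counter(username -> failed attempts)
    for src, user, outcome in events:
        if outcome == "fail":
            failures[src][user] += 1

    findings = {}
    for src, per_user in failures.items():
        top_user, top_count = per_user.most_common(1)[0]
        if top_count >= brute_threshold:
            # Repeated failures concentrated on one account: brute force.
            findings[src] = ("brute_force", top_user)
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            # Many distinct accounts, each tried only once or twice: spraying.
            findings[src] = ("password_spraying", len(per_user))
    return findings


if __name__ == "__main__":
    for src, (kind, detail) in triage(build_sample_events()).items():
        print(f"{src}: {kind} ({detail})")
```

Sources with a single failure followed by success, such as 192.0.2.5 in the sample, produce no finding, which keeps ordinary typos out of the alert stream.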

Based on these trends, the Vedere Labs report provided an outlook into the future of ransomware from two points of view: initial access and impact. For initial access, ransomware groups could soon be directly using IoT and OT devices as entry points, or initial access brokers could be ready to acquire exploits and sell access to millions of those devices to other actors.

Phishing is very effective but still depends on human interaction. At the same time, vulnerabilities on IT perimeter devices and applications are being routinely exploited automatically. Still, they tend to be patched fast because of the immediate risk they expose. On the other hand, a growing number of IoT and OT devices connected to enterprise networks and actively exploited could provide valuable entry points for attackers because they are harder to patch and manage. 

“IoT devices are currently compromised primarily to become part of large botnets that execute DDoS attacks, which started with Mirai back in 2016 and has evolved toward modern malware such as Mozi and Gafgyt,” Vedere Labs said in its report. “These malware use either default and weak credentials or unpatched vulnerabilities to gain remote control of devices such as IP cameras, Network Video Recorders (NVRs), and routers. Modern examples such as BotenaGo pack more than 30 exploits for several types of devices. Botnet operators could leverage the initial access provided by IoT devices to either deploy ransomware themselves or sell the access to ransomware affiliates,” it added.

For initial access, the report also considered exploits for IoT devices that are frequently negotiated in darknet markets, and other hackers are starting to notice the potential of these devices, the report said. Additionally, some major breaches are already believed to be tied to exposed IoT or OT devices. 

All the forms of extortion work very well for attackers. Still, as defenders increase their capabilities, ranging from incident response to backups and even cyber insurance, attackers must come up with new types of impact to continue to get their payouts, Vedere Labs said in its report. For example, ransomware was initially about denying access to files via encryption, but other forms of denial of service could become part of attack campaigns, such as Telephony Denial of Service (TDoS). Additionally, IoT devices could also be leveraged in other ways. For instance, hacktivists recently spammed several internet-connected receipt printers with ‘antiwork’ messages.  

Vedere Labs also said that cryptomining networks that hijack many computers to mine cryptocurrencies are a rising trend and are both less noticeable and less risky for attackers than ransomware; there have been many arrests related to ransomware but far fewer related to cryptomining.

“Another trend is the rise of attacks targeting operational technology, particularly internet-exposed devices, and leading to loss of availability,” Vedere Labs said in its report. Recent examples include hackers targeting UPS devices via weak credentials and EV charging stations. Impacting OT field devices could add another layer to extortion campaigns focusing on critical infrastructure targets, it added. 

The report identified that IoT and OT exploits are new tools in the attacker’s arsenal. Ransomware has been the most prevalent threat of the past few years, and so far, it has mostly leveraged vulnerabilities in traditional IT equipment to cripple organizations. But new connectivity trends have added a number and a diversity of OT and IoT devices that have increased risk in nearly every business. 

In order to help organizations strengthen their cybersecurity posture, it is imperative to mitigate this type of attack. Solutions are required that allow for extensive visibility and enhanced control of all the assets in a network.
