R4IoT: When ransomware meets the Internet of Things

Forescout published a new study demonstrating how next-generation ransomware can exploit IoT devices for initial access to IT and OT assets

Illustration: BIGSTOCK/Copyright: cc7 studio

Forescout’s Vedere Labs has released a new report titled R4IoT (Ransomware for IoT), a proof-of-concept study demonstrating how next-generation ransomware can exploit IoT devices for initial access and lateral movement to IT and OT assets, with the intention to cause physical disruption to business operations.

Over the past few years, ransomware has been evolving because of two main ongoing trends: digital transformation driving rapid growth in the number of IoT devices in organizations, and the convergence of IT and OT networks.

Ransomware actors have evolved quickly, moving from purely encrypting data until circa 2019, to exfiltrating data before encryption in 2020, to large extortion campaigns with several phases in 2021.

The trend continued in early 2022 with the emergence of new and very sophisticated ransomware families such as ALPHV and more attacks by ransomware-as-a-service gangs such as Conti. This evolution in attacker methods means that ransomware gangs could now cripple the operations of virtually any organization.

Forescout’s report includes a detailed playbook describing how organizations can protect themselves against a new type of ransomware attack that leverages IoT devices, such as video cameras, to deploy ransomware. The report includes a comprehensive, proof-of-concept demonstration of this new attack vector which Vedere Labs predicts will be the next step in ransomware evolution – “Ransomware for IoT” or R4IoT.

The R4IoT report describes how IoT devices can be exploited for initial access and lateral movement to IT and OT devices, with the objective of causing physical disruption of business operations.

The proof-of-concept ransomware described in the R4IoT report exploits the first trend by using exposed vulnerable devices, such as an IP video camera or a network-attached storage (NAS) device, as the initial access point to the network, and the second trend to hold OT devices hostage, thus adding another layer of extortion to an attack campaign.

Beyond demonstrating how an R4IoT attack works, the report shows that there are ways to mitigate both the likelihood and the impact of this type of incident on organizations, thus decreasing the overall risk that organizations face.

Three important observations from the study of the ransomware threat landscape make mitigation of this threat possible across the NIST Cybersecurity Framework functions:

  • Identification and Protection are possible because hundreds of very similar attacks happen simultaneously. For instance, Conti had more than 400 successful attacks on US and international organizations in 2021. That means it is possible to identify devices and vulnerabilities being actively exploited so their protection can be prioritized.

  • Detection is possible because most tools and techniques these actors use are well-known. The report presents the top Tactics, Techniques and Procedures (TTPs) used by malware in 2021.

  • Response and Recovery are possible because attacks are not immediate and fully automated. The average dwell time of ransomware attackers was 5 days in 2021.
