R4IoT: new approach to ransomware attacks

Sheila Zabeu -

June 09, 2022

Anyone who thought they had seen it all in ransomware was wrong. Forescout’s Vedere Labs recently released a report describing how a new ransomware attack exploits Internet of Things (IoT) devices as a vector to perform intrusions. The lab predicts that this will be the next step in the evolution of ransomware and has coined the name “Ransomware for IoT”, or R4IoT, for this new approach. The study details how IoT devices can be used to give attackers access and let them move laterally between IT and OT networks, disrupting operations.

The proof of concept conducted by the lab shows that this new ransomware scheme exploits two trends: the proliferation of IoT devices in organizations and the convergence of IT and OT networks. It initially uses vulnerable devices, such as IP cameras or Network-Attached Storage (NAS) equipment, as an access point. It then exploits the convergence between IT and OT networks to hold OT devices hostage, thus adding an extortion layer to the attack campaign.

According to Forescout, this is the first work to combine IT, OT, and IoT in a complete proof of concept of a ransomware attack, from initial access via IoT devices to lateral movement in IT networks to impact on OT networks. In addition to encryption, the proof of concept on IT equipment includes deploying cryptocurrency mining software and exfiltrating data. The video below simulates an R4IoT attack on a hospital that exploits an IP video camera vulnerability.

R4IoT: When Ransomware Meets the Internet of Things – Forescout

In addition to demonstrating how an R4IoT attack works, the report presents ways to reduce the chance of intrusion and mitigate the negative impacts should this type of incident happen, based on three lines of action: Identify and Protect, gathering information about the vulnerable IoT and OT assets being exploited and prioritizing their protection; Detect, understanding the critical ransomware tactics, techniques, and procedures (TTPs); and Respond and Recover, keeping policies, controls, and response plans up to date.

Cyber-attacks involving IoT and OT are part of an evolution that started with criminals simply encrypting data and then moved on to threats to publicly disclose it, which usually involves confidential or customer information. There are also sophisticated ransomware tools sold as a service (RaaS) and large, phased extortion campaigns. And the evolution of the ransomware landscape is far from over, because attackers still have a large attack surface to exploit.

For Forescout, R4IoT can be seen as innovative in the way it combines the exploitation of vulnerabilities in IoT/OT environments with a traditional ransomware attack campaign. Moreover, its potential impact on OT networks is general: it is not limited to any specific type of operation, operating system, or equipment (e.g. industrial automation). It also requires no persistence or firmware changes on the target devices and can work at large scale on devices affected by vulnerabilities in their TCP/IP stacks.

According to the 2021 Verizon Data Breach Investigations Report (DBIR), over 80 percent of cyber incidents are financially motivated, and ransomware attacks are currently the top source of money for cybercriminals.

Modus operandi

Ransomware is a term widely used today, and more than 1,000 variants have been identified. The FBI has compared the task of investigating the current wave of cyber attacks, with about 100 different types of ransomware and hackers tracked across several countries, to the challenge it faced after the terrorist attacks of September 11, 2001.

Each ransomware group behaves slightly differently, using different tools, infrastructures, and extortion methods. However, the tactics and techniques employed during attacks are very similar, explains Forescout. 

Generally, a ransomware attack is divided into three stages: initial access, lateral movement, and impact. To gain unauthorized access, attackers typically exploit software vulnerabilities or perform credential-based attacks (e.g., brute force). According to Forescout, vulnerabilities in perimeter devices and services, such as VPNs and cloud applications, are often used to gain unauthorized access. Phishing that leads the victim to execute malicious code is also a common form of intrusion.

After a successful intrusion, ransomware actors have three types of tools at their disposal: tools that identify and exploit vulnerabilities (exploit/pen-testing frameworks such as Cobalt Strike and Mimikatz), custom hacking tools (increasingly less popular), and Windows built-in tools (such as RDP, WMIC, net, ping, and PowerShell, currently the most common because they are already available on the host and harder to identify as malicious). RDP, for example, was used in 90% of attacks in 2021.
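The "Detect" line of action above and the built-in Windows tools just listed come together in a concrete detection task: because RDP, WMIC, net, ping and PowerShell are legitimate, a defender cannot alert on their mere presence and instead looks for the way they are used. The following script is an added example, not Forescout's code or part of the report. It assumes Windows security events have already been exported as JSON lines with the field names shown (a constructed format; the standard event IDs 4624 for logons, with logon type 10 meaning an RDP session, and 4688 for process creation are real), and it assumes an allowlist of hosts that are expected to start RDP sessions. The sample events are constructed.

```python
"""Flag living-off-the-land activity that commonly precedes ransomware impact.

Added example, not part of the Forescout report. Input is a constructed
JSON-lines export of Windows security events; field names are assumptions.
Event IDs are standard: 4624 = successful logon (LogonType 10 = RDP),
4688 = process creation.
"""
import json
from collections import Counter

# Built-in tools named in the article as the most common post-intrusion tooling.
# net.exe hands most of its work to net1.exe, so both are listed.
LOLBINS = {"wmic.exe", "net.exe", "net1.exe", "ping.exe", "powershell.exe"}

# Assumption: only this jump host is expected to originate RDP sessions.
RDP_ALLOWED_SOURCES = {"10.0.0.5"}

# Office programs that should never be the parent of an admin tool.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")

# Number of distinct built-in tool launches by one account before we call it a burst.
BURST_THRESHOLD = 3

# Constructed sample export: one JSON object per line (raw string keeps the
# backslashes exactly as JSON expects them).
SAMPLE_LOG = r"""
{"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "192.168.50.23", "TargetUserName": "svc_backup"}
{"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "alice"}
{"EventID": 4688, "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\wbem\\wmic.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4688, "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\net.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4688, "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessName": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"EventID": 4688, "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\PING.EXE", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe"}
"""


def parse_events(lines):
    """Parse JSON-lines events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these as parse errors
    return events


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, account, detail) findings in event order."""
    findings = []
    lolbin_launches = Counter()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4624 and ev.get("LogonType") == 10:
            src = ev.get("IpAddress")
            if src not in RDP_ALLOWED_SOURCES:
                findings.append(("rdp_from_unexpected_source", ev.get("TargetUserName"), src))
        elif eid == 4688:
            exe = basename(ev.get("NewProcessName", ""))
            if exe not in LOLBINS:
                continue
            user = ev.get("SubjectUserName")
            lolbin_launches[user] += 1
            if basename(ev.get("ParentProcessName", "")) in OFFICE_PARENTS:
                findings.append(("lolbin_spawned_by_office", user, exe))
    # A single account chaining several admin tools is the pattern of hands-on
    # discovery and lateral movement rather than routine administration.
    for user, count in lolbin_launches.items():
        if count >= BURST_THRESHOLD:
            findings.append(("lolbin_burst", user, count))
    return findings


def run_demo():
    """Run the rules over the constructed sample export."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, account, detail in run_demo():
        print(f"{rule}: account={account} detail={detail}")
```

On the sample export the script reports the RDP logon from the non-allowlisted address, the PowerShell process started by Word, and a burst of four built-in tool launches by the same service account, while the helpdesk RDP session and the user's notepad launch pass silently. Each rule is deliberately narrow so that an analyst can tune the allowlist and threshold per site rather than suppress the alert.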

Once they have infected the machines, the attackers can encrypt the files and harvest data. They usually leave a text file notifying victims of the attack and giving instructions to pay the ransom. 

These three steps are usually not performed by the same group. It is common today to see groups offering ransomware-as-a-service (RaaS), which develop the encryption system, distribute it to affiliates, and receive part of the ransom payment. Meanwhile, other groups called Initial Access Brokers (IABs) sell access to networks, usually in the form of valid credentials or machines already compromised by malware. Still other clandestine groups provide hosting services for malware distribution and command and control servers.