Ransomware Exponentially Increasing as IoT Provides New Avenues of Attack

This article raises awareness for organizations seeking to improve their digital risk posture against the growing threat of ransomware, a type of malware that threat actors deploy to prevent or limit users from accessing their systems until a ransom is paid.

Ransomware is increasingly hitting multiple industries with downtime and lost productivity as its attack surface expands beyond the virtual realm to the physical via the Internet of Things (IoT). However, organizations can posture against this threat with a comprehensive approach to risk management.

Background: At the Feb 2017 RSA conference, Ed Skoudis of SANS reported that over 150 families of crypto ransomware were in the wild and evolving. SonicWall reported that ransomware instances grew from 3.8 million in 2015 to 638 million in 2016. Other researchers estimated the economic payoff to criminals at $1 billion in 2016. The surge is linked to increased targeting of the banking, technology, utilities, and energy industries, and is driven notably by the rise of Ransomware as a Service (RaaS) and by the low cost and risk of conducting an attack.

The growing IoT expands the attack surface and gives ransomware campaigns opportunities to target physical devices and systems, unlike traditional ransomware, which has primarily targeted digital data. Ransomware targeting IoT devices could interfere with smart homes, vehicles, medical devices, or Industrial Control Systems (ICS) connected to the IoT, such as power grids, hospitals, manufacturing lines, and water pumping stations. In late 2016, ransomware interrupted San Francisco Municipal Transportation Authority (SFMTA) payment machines, and in Jan 2017 it compromised the electronic key system of an Austrian hotel. Proof-of-concept attack scenarios for ransomware exploiting IoT-connected devices include security researchers locking down a connected thermostat at 99 degrees and hijacking simulated water plants. In Nov 2016, a DDoS attack against building heating took heating offline in several buildings in Finland. While this was not a ransomware attack, it opens up new use cases that we expect to see exploited by ransomware in the future.

Organizations can best posture against ransomware attacks on their networks by pursuing strategic and tactical risk mitigation plans. Such plans may include securing senior management buy-in, maintaining digital asset inventories, implementing access control lists (ACLs) and monitoring of physical and IT infrastructure, testing a disaster recovery plan, and investing in employee security training. A significant number of IoT devices lack any form of security. However, IoT-dependent systems and devices can be protected by incorporating well-known industry best practices into security plans, including firmware updates, encryption, and authentication.