When Ransomware Marries IoT

For Cybercriminals, it’s a Match Made in Heaven

This is an age in which ransomware has made the barrier to entry for would-be cybercriminals lower than ever. And, with the proliferation of IoT devices, for attackers, there’s ample opportunity to compromise smart devices. And the convergence of these two threats has certainly attracted the interest of cybercriminals.

Ransomware and IoT are colliding – and the impact has created the perfect storm for cybercriminals.

At a high level, ransomware encrypts its victims’ data or blocks their access to a computer system or network until a sum of money is paid. With lower execution costs, high returns and minimal risk of discovery (compared to other forms of malware), ransomware has quickly become a preferred method of attack for cybercriminals. And it’s now easier than ever for virtually anyone – even individuals with minimal security knowledge – to extort money from companies and individuals through do-it-yourself ransomware toolkits or via the services of a Ransomware-as-a-Service (RaaS) provider.

When it comes to the popularity of ransomware as an attack vector, the numbers don’t lie. An August 2016 report from Osterman Research found that, during the course of the previous 12 months, nearly 50 percent of the companies surveyed were the victim of a ransomware attack. And Kaspersky’s Q1 Lab Malware Report revealed a 250 percent rise in mobile ransomware during the first few months of 2017. The business model of ransomware has proven highly lucrative, and there’s no sign that the malware will go away anytime soon.

Furthermore, the threat of ransomware has been exacerbated by the growth of the “internet of things (IoT).” We’ve seen an exponential increase in the number of products that are now connected to the internet (think “smart” pillows, toothbrushes, thermostats and refrigerators), and the proliferation of these IoT devices has vastly expanded the network of potential targets for cybercriminals.

We’re living in an age where ransomware has made the barrier-to-entry for would-be cybercriminals lower than ever, and the sheer volume of IoT devices means that, for attackers, finding devices to compromise is never in short supply. And the convergence of these two threats has certainly attracted the interest of cybercriminals.

How Bad Is It?

The likelihood of ransomware attacks on IoT devices and the ease of exploitation depends on several factors:

• How widely used is the product? No surprises here: While any connected device could be a target, popular products will inevitably draw more interest from cybercriminals. After all, targeting more users will most likely yield more rewards.
• Is it secure by design? Everyday appliances (e.g., the iron, washing machine and dryer) are subjected to rigorous testing, both by the manufacturer as well as independent testing labs. However, a similar approach is not being taken with respect to the cybersecurity of IoT devices. Many vendors choose convenience over implementing proper security measures – a flagrant violation of best practices in product development – and as a result, most IoT devices are insecure by design.
• Does it use default credentials? IoT devices should default to secure configurations at the time of deployment, and users should be forced to change default passwords on first use. Many IoT-enabled devices, such as the internet-enabled cameras that made up the Mirai botnet, are insecure because their owners don’t think to change the password.
• Does it prioritize maintenance? IoT devices should include built-in mechanisms that allow new patches and upgrades to be pushed out in a convenient and timely manner.

When it comes to smart device ransomware, the asset value determination has an added factor from ransomware that targets traditional technologies, such as laptops and desktops. Unlike with traditional ransomware, attacks on IoT devices can not only compromise the data collected, but they could also render critical physical functions inaccessible – greatly escalating potential damage and, therefore, also increasing the chances that a victim will pay up.

For example, ransomware that infects a smart thermostat could turn up the heat during scorching summer temperatures or blast the air conditioning in the middle of a blizzard. While this may seem like an inconvenience rather than a catastrophe for homeowners, the implications escalate from a business perspective. If cybercriminals gain control of a building’s HVAC system, an organization’s electricity bill could increase to the point where paying a ransom becomes a practical and cost-effective option.

These same principles apply to a variety of IoT devices, and it’s not hard to imagine more disturbing scenarios, such as ransomware attacks against connected cars, smart cities and medical devices. While real-life attacks have not yet been seen in this regard, the impact of ransomware on such targets could expose affected victims to potentially dangerous or even life-threatening consequences. For example, in October 2016, Johnson & Johnson issued a warning that one of its insulin pumps for diabetics was at risk of being hacked, causing a lethal overdose. Additionally, in August 2017, 465,000 U.S. residents received notices to update the firmware that runs their life-sustaining Abbott (formerly St. Jude Medical) pacemakers, or risk falling victim to potentially fatal hacks.

Best Practices for Ransomware-IoT Safety

As a result of this new threat landscape, it’s important for buyers to be more astute in their purchasing choices and security awareness. Here are four considerations to help you in this endeavor:

• Assess the risk of compromise (based on the factors discussed earlier) before buying and using any smart device. Additionally, pay close attention to ransomware-IoT developments, as education and awareness are the first lines of defense against attackers.
• Evaluate how easy it is to harden the IoT product. For example, having the ability to change default credentials and disable insecure protocols can be very effective in preventing ransomware attacks.
• Have a recovery plan in place. Some devices can be reset to factory settings with the press of a button, while others require manufacturer involvement. In extreme cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It’s up to buyers to understand the recovery process for the devices they own and to create a contingency plan should they become infected.
• Assess how any data collected, stored or processed is secured, and evaluate the impact if that data becomes compromised, altered or made unavailable. This includes data stored by the device itself, as well as any cloud storage services it may use to collate or process data centrally.

We’ve just begun to hear about ransomware attacks on IoT devices, but the potential consequences are real – and frightening. We hope to see safety legislation and compliance requirements around IoT someday soon, or the market will continue to be flooded with connected devices that are vulnerable to ransomware attacks. Until then, we, as the consumers of IoT devices, need to band together to create a better security posture for everyone through awareness, shared intelligence and responsible actions.