Why IoT may be the next big target for ransomware attacks

Ransomware has become one of the most serious cyber threats plaguing organizations. Today, healthcare and other types of organizations are trying to protect themselves from encryption viruses.

But so far, not a lot of attention has been paid to the next wave of ransomware attacks, which many expect to be aimed at encrypting IoT devices. These attacks can be much more dangerous because of the omnipresent and extremely diverse nature of the Internet of Things.

Quite simply, there are some differences that make IoT ransomware more dangerous than the already widespread extortion viruses for desktops and smartphones. Here are some ways in which ransomware attacks on IoT devices pose huge challenges for healthcare organizations.

IoT ransomware does not encrypt data

The well-known and most active crypto viruses like Locky and Cerber lock down important files on infected machines. Their main strength is irreversibility—the victims are forced to either pay for obtaining the decryption key or say goodbye to their files in case there are no backups. It is usually assumed that files and important data have a value expressed in money, and this fact attracts cyber extortionists.

IoT devices often do not have any data at all. Some may believe that ransomware authors are not interested in attacking IoT devices, but that’s actually not so.

Instead of only locking some files, IoT viruses may lock and get complete control over many devices and even networks. IoT malware may stop vehicles, disconnect the electricity and even halt production lines. Such programs can do much more harm, and therefore hackers may demand much larger ransom amounts. This increases the attractiveness of this new underground market.

One could argue that IoT hacking can be stopped with a simple reboot. However, the incentive to pay extortionists does not result from irreversibility but rather from the volume and character of potential losses that may occur during the time an organization loses control over their systems.

As the Internet of Things expands the possibilities of life-supporting devices like pacemakers or industrial systems such as pumping stations, the financial benefits of blocking IoT infrastructure and the damage from a belated response will grow exponentially.

Consumer IoT devices are vulnerable, but difficult to attack en masse

Attacks on consumer IoT devices, including smart homes and connected cars, are already real. Researchers have shown how they can gain control of a connected thermostat through the use of malicious code and set the device to increase the temperature to the maximum, forcing the owner to pay a ransom.

Let's imagine you got into a connected car this morning and suddenly there is a message on the screen: "If you pay $500, I’ll let you get to work today." It was impossible several years ago, but because of technological progress, such scenarios do not look fantastic anymore.

Furthermore, IoT ransomware may steal important data and personal information, for example, from surveillance cameras connected to the network or from fitness gadgets and then blackmail people, threatening to publish their sensitive information.

Despite the fact that IoT devices often have serious security weaknesses, it is still premature to talk about the imminent ransomware threat for smart homes and connected cars. The wide variety of apps and devices created by thousands of manufacturers complicates extensive malware usage.

The IoT industry is highly fragmented these days. It lacks standardized approaches, common platforms and communication systems. It is difficult to carry out mass attacks. Every time a compromise occurs, hackers only target a specific type of devices, which reduces the number of potential victims.

We can conclude that hackers’ benefits from attacking consumer IoT devices are currently small. But the situation is likely to change in the future as the Internet of Things penetrates deeper into our homes and offices.

Some industries are already facing high risks

Industrial systems are already very attractive for cyber extortionists. This could be any relevant system that may affect the lives of thousands or millions of people and is extremely expensive to operate.

For example, several hospitals or integrated delivery systems have undergone a series of ransomware attacks. Normal workflow at Hollywood Presbyterian Hospital was disrupted because of ransomware. Some patients had to be moved to other facilities, and doctors started to keep records on paper.

If a hospital system is compromised, it puts the health of patients at risk. The likelihood is very high that the hospital will pay a ransom upon demand. An attack against critical infrastructure can be carried out successfully based on similar factors—if lives of people might be put in danger and time is pressing, the owners would often agree to pay up.

Power grids and power stations can be another important target for IoT malware. Their important role in the modern world was perfectly illustrated as far back as the Northeast blackout of 2003. It caused $6 billion in losses within several hours, affecting 55 million people. It wasn’t a cyber attack but a software failure. Today, hackers constantly scan the Internet for important and vulnerable networks, so energy companies should be prepared.

How to protect IoT systems from ransomware

Although there is no universal solution, many experts believe that the observance of certain guidelines and methodologies can help organizations and manufacturers better protect their IoT systems from ransomware.

One of the important points is the ability to remotely upgrade the firmware of smart devices. Safety is a journey, not a destination, and there are no connected devices that can stay safe forever. Therefore, a firmware update should be a very simple, effective and safe process. 

The latter is particularly important since insecure update channels can become portals for the infection to come in. There are time-tested measures to eliminate this malware entry point, such as blocking the processor and firmware, as well as encrypting communication channels between devices.
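
As an illustration of a safe update process, here is a device-side acceptance check that refuses firmware that is unauthenticated, built for another model, older than what is installed, or altered in transit. It is an added example, not code from the article; the manifest fields, function names and demo key are assumptions, and HMAC-SHA256 stands in for the vendor signature a production device would verify with a public key.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold a vendor public key in
# protected storage and verify an asymmetric signature instead of an HMAC.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def _canonical(manifest: dict) -> bytes:
    """Serialize the authenticated fields deterministically."""
    fields = {k: manifest[k] for k in ("model", "version", "sha256")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(model: str, version: int, image: bytes, key: bytes) -> dict:
    """Vendor side: describe an image and authenticate the description."""
    m = {"model": model, "version": version,
         "sha256": hashlib.sha256(image).hexdigest()}
    m["tag"] = hmac.new(key, _canonical(m), hashlib.sha256).hexdigest()
    return m


def check_update(manifest: dict, image: bytes, *, model: str,
                 installed_version: int, key: bytes = DEVICE_KEY) -> str:
    """Device side: return "accept" or the reason the update is refused."""
    try:
        expected = hmac.new(key, _canonical(manifest), hashlib.sha256)
        tag = str(manifest["tag"]).encode()
    except (KeyError, TypeError):
        return "reject: malformed manifest"
    # Constant-time comparison of the authentication tag.
    if not hmac.compare_digest(expected.hexdigest().encode(), tag):
        return "reject: manifest not authentic"
    if manifest["model"] != model:
        return "reject: wrong device model"
    # Anti-rollback: only strictly newer versions may be installed.
    version = manifest["version"]
    if not isinstance(version, int) or version <= installed_version:
        return "reject: rollback or replay"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "reject: image does not match manifest"
    return "accept"
```

The checks run before anything is written to flash, so a refused image never replaces working firmware.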

A reliable authentication mechanism is another important protection measure. You may encounter situations these days when devices are connected to the Internet without any authentication at all.

This paves the way for spoofing. If lack of authentication becomes a mass phenomenon, it will be possible to disable millions of devices. Spoofing is particularly dangerous when a server with millions of connected machines is infected.

To make intruders’ lives much harder, it is necessary to introduce reliable security certificate life-cycle management and standardize the code base of security systems. This will help reduce the number of attack vectors.

Of course, securing the Internet of Things remains an arduous task as the industry is only groping its way. Currently, online criminals are only beginning to weigh the risks and assess the opportunities and potential profitability of the new market. 

Meanwhile, manufacturers and users are not too concerned about the possible threat. Perhaps this will change quickly after the first successful incidents of rogue monetization of IoT vulnerabilities. Hopefully, we will have time to prepare.