Forescout’s Vedere Labs reveals first proof-of-concept of IoT ransomware

Daniel dos Santos, Head of Security Research, Forescout Vedere Labs

Forescout’s Vedere Labs launched research titled R4IoT (Ransomware for IoT), a proof-of-concept study showing how ransomware can exploit IoT devices for access and lateral movement to IT and OT assets, with the intention to cause disruption to business operations.

Why is R4IoT a viable study?

The R4IoT study emerged from the observation of an increase in the number and diversity of IoT, IoMT and OT devices connected to IT networks and the ransomware attacks that were being attempted. The rapid expansion in the number of connected devices in firms raises the risk for every business across the globe, driven by the growth of IoT devices in networks, the convergence of IT and OT networks, and the rise of supply-chain vulnerabilities.

“R4IoT is the first work to analyse how ransomware impacts IoT and delivers a full proof-of-concept from initial access via IoT to lateral movement in the IT network, and impact on the OT network,” said Daniel dos Santos, Head of Security Research, Forescout Vedere Labs.

“Threat actors are exploiting a broader threat surface than before and we see hacking groups discuss IoT access on forums today. It has become imperative to arm organisations with knowledge to extend their proactive defences and ensure IoT devices have adequate segmentation from their critical IT and OT infrastructure,” Daniel dos Santos further said.

This proof-of-concept, shown in a video and detailed in Vedere Labs’ technical report, is a clear demonstration of how IoT and OT exploits can be combined with a traditional ransomware campaign. It also shows that mitigating this type of attack requires solutions that allow for complete visibility and enhanced control of all the assets in a network.

What is ransomware’s post-COVID evolution?

2021 saw a plethora of devastating cyber-attacks, including ransomware attacks on Colonial Pipeline and JBS Foods, as well as the Kaseya/REvil incident that simultaneously impacted more than 1,500 organisations across the globe. These incidents are part of a growing and alarming trend wherein large ransomware gangs, often operating under a ransomware-as-a-service (RaaS) model, cripple the operations of multiple types of organisations simultaneously to maximise their impact.

“It’s no secret that ransomware is a rapidly evolving global threat. While businesses look to optimise their operations and ride the digital transformation wave, cybersecurity teams are understaffed and under-resourced,” said Gavin Wilson, Managing Director A/NZ at Forescout.

“We know that being able to successfully respond to ransomware depends on being equipped and prepared. By developing a proof-of-concept like R4IoT, Forescout has gotten in front of the threat actors, and provided tech teams with the tools they need to do the same.”