Last year, the number of new ransomware modifications increased 11-fold, from 2,900 in Q1 to around 32,000 in Q3, according to Kaspersky Security Bulletin 2016. The astronomical increase raises the question of what the impact will be when ransomware starts to take over Internet of Things (IoT) devices, whose numbers are also expanding at a rapid rate. The ransomware phenomenon has even led Kaspersky to declare 2016 the year of ransomware, mainly due to the huge number of high-profile cases covered by mainstream media.
One Texas police unit lost 8 years of documents, photos, and videos when a ransomware attack corrupted files on its server, reported Dark Reading, one of the most widely read cyber security news sites on the web. A hospital in Ottawa, Canada could not access almost 10,000 computers because certain employees had managed to infect the hospital network by clicking on email attachments containing ransomware. Dave Winston, chief for the Circle Sport-Leavine Family Racing, was advised by the FBI to pay the ransom after a message appeared on the screen of his computer, stating, “All important files have been encrypted.”
These cases illustrate one important thing: there is now a new breed of highly sophisticated cyber criminals who are attracted by the huge financial gains made possible by highly targeted ransomware attacks. “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers,” said FBI Cyber Division Assistant Director James Trainor.
Ransomware in the era of the Internet of Things
According to IHS, there are currently approximately 20 billion Internet of Things (IoT) devices. Statista, an online statistics, market research, and business intelligence portal, predicts that this number will grow to 50 billion by 2020, with annual revenues for IoT vendors exceeding $470 billion.
Today, IoT devices are being adopted across a wide variety of industries, including manufacturing, distribution, supply chain management, marketing, healthcare, financial services, state and local government, energy, and many others. Some of the most significant advantages of the IoT include decreased costs, reduced errors, increased productivity, access to more information, better decision-making, and new business opportunities.
But with these benefits also come some far-reaching threats. “If you’ve paid attention to major news stories about companies being hacked, identities stolen, and even app-connected cars being hijacked, you’ll understand digitally-connected things have definite security risks,” writes Atlantic BT, a technology consultancy with over 18 years of industry experience.
So far, attackers have mostly used a type of cyber-attack known as distributed denial of service (DDoS). For example, an unnamed IoT malware strain flooded the DNS server of an unspecified university located in the United States. Stephen Gates, chief research intelligence analyst at NSFOCUS, said, “On the surface, this appears to be more of a prank than a sophisticated denial of service attack. However, this proves that large-scale IoT takeovers are possible and should be a wake-up call to those who manage networks rife with insecure IoT devices.”
It seems that it’s only a matter of time before cyber criminals take critical infrastructure hostage using ransomware, potentially placing hundreds of thousands of people at risk. Just remember the 2016 hack of Ukraine’s power grid, which left more than 230,000 residents in the dark. “Medical devices that monitor and control human systems—including pacemakers, insulin pumps, and nerve stimulators—are all becoming Internet enabled. Unethical attackers will see these medical devices as the next step in their journey beyond hospital ransomware attacks,” states the McAfee Labs 2017 Threat Predictions Report.
What makes this new wave of ransomware attacks so dangerous is the fact that the affected system cannot be restored to working order simply by performing a hardware reset. When cybercriminals compromised the four-star Austrian hotel Romantik Seehotel Jaegerwirt and managed to gain control over its electronic key system, the hotel management temporarily shut down the infected system and got rid of the ransomware.
Fortunately, the IT industry seems to be awakening to the growing threat presented by IoT devices vulnerable to ransomware attacks. A recent report by Cato Networks titled Top Networking and Security Challenges in the Enterprise states that 50% of IT staff and more than 70% of CIOs see defending against ransomware as their number one priority for 2017.
Vendors and the state of IoT security
The problem with the current state of IoT security is that most IoT vendors are not sufficiently motivated—either financially or legally—to focus on security. IoT devices are synonymous with crowdfunding, rapid development, and very short-term manufacturer support. The Broadband Internet Technical Advisory Group (BITAG) report pointed out that the nature of consumer IoT is unique because it can involve non-technical or uninterested consumers.
In many cases, these consumers decide whether to equip large organizations and institutions with smart devices, completely oblivious to the serious security and privacy risks that come with unsecured connected devices. The situation is so serious that the Federal Communications Commission recently had to step in and express concerns about the insecure IoT market that neglects security “because they lack sufficient incentives to invest in cyber security beyond their own corporate interests.”
Making IoT vendors accountable by implementing a combination of market-based incentives and regulatory oversight could be a good step in protecting networks from IoT device security risks, but most experts recommend a more comprehensive approach.
Avoiding a global ransomware pandemic
The Strategic Principles for Securing the Internet of Things (IoT) paper released by the United States Department of Homeland Security specifies the following principles and practices as a way to mitigate IoT security risks that could eventually lead to a global ransomware pandemic.
The paper suggests that Internet of Things developers should factor in security when a device, sensor, service, or any component of the IoT is being designed and developed; IoT manufacturers should improve security for both consumer devices and vendor-managed devices; service providers should consider the security of the underlying infrastructure they provide; and consumers should only partner with those vendors who adhere to strong IoT security practices.
“Our nation cannot afford a generation of Internet of Things deployed with little consideration for security. The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy,” concludes the United States Department of Homeland Security, identifying four lines of effort to fortify the security of the IoT:
- Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
- Build awareness of risks associated with IoT across stakeholders.
- Identify and advance incentives for incorporating IoT security.
- Contribute to international standards development processes for IoT.
Efforts like this underline the serious nature of the threat presented by large-scale ransomware attacks targeted at critical infrastructure and sensitive internet-enabled devices. Compared to virus attacks of the dotcom era, the damage won’t be counted in terms of financial losses and negative publicity, but in terms of human lives.