When discussing the ever-changing ransomware threat landscape, we often talk about what devices threat actors will target next. In addition to mobile devices, the other technology I get asked about the most is “Internet of Things” (IoT), and whether we should expect threat actors to begin going after the “smart” products in our homes or businesses.
This question stems from a valid concern, if we’re looking purely at the volume of opportunity. We’re surrounded by smart devices, and the IoT market will very likely continue to grow over the next few years. Although IoT ransomware is not likely to be the next big threat we’ll face as defenders, IoT devices will still be targeted, for reasons explained below.
IoT is used as a somewhat broad term to describe the wide array of internet-connected sensors and devices, including:
While smart cities are a more recent concept, the other technologies that make up the IoT landscape already exist in a variety of locations. Because the IoT landscape is so large, and the line between the devices themselves and the Operational Technology (OT) network is often blurry, we’ll focus specifically on the home and business IoT devices themselves in this article.
Ransomware for IoT devices would very likely be conceptually different from ransomware targeting Windows, Linux, ESXi or other traditional operating systems. Many IoT devices use embedded operating systems, such as FreeRTOS, Embedded Linux or TinyOS, or altered versions of Linux-based operating systems, such as Yocto or Android Things. As a result, the types of information (such as documents or other personal data) a threat actor would look to encrypt or use for extortion purposes will likely be more limited, if present at all.
There may certainly be files on the system related to its operation (similar to a Windows machine’s .exe or .dll files), but encrypting those will likely damage the device’s ability to function, possibly even beyond repair. Typically, a ransomware actor is looking to use the stolen and/or encrypted data to extort an organization into paying the ransom. If there’s no user data to encrypt, or if encryption is irreversible or leaves the device irreparable, the device does not offer a compelling opportunity for a ransomware actor.
Additionally, IoT operating systems are optimized to perform the functionality they’re designed for, such as rapid computations of sensor data or network connectivity. These devices are often low-power, may have very small amounts of memory and may not be as accessible to software developers as platforms like Linux or Windows.
This means they may lack some of the functionality that computer operating systems provide for efficiently encrypting data on the device, and ransomware developers would likely need specialized skills to be able to write the ransomware at all. They would have to acquire the devices for testing, and carefully design the ransomware to run on the target operating system. Working around any technical constraints the device presents may be challenging, especially compared with writing software to run on more common, full-featured operating systems.
While some IoT devices have accessible developer programs, like Android Auto, they’re not necessarily the types of devices organizations are using, and are generally more targeted toward consumers.
Predictably, ransomware targeting IoT devices would need to present a valid business case for a threat actor deploying it. Outside of the lack of data to encrypt and the complexity of developing working ransomware for these devices, one final consideration is how compelling encrypting an IoT device would truly be for a ransomware threat actor looking to make a profit.
For many of the low-cost home devices, a victim might choose to purchase a new one instead of paying the ransom.
There are also issues for devices primarily existing in organizations, like remote monitoring capabilities, “intelligent” logistics and asset tracking to enable manufacturing. While disabling these devices would certainly present challenges, there’s significantly more value in locking the systems that make up the IT network using a threat actor’s existing toolset.
While IoT devices do not present compelling targets for ransomware itself, that doesn’t mean they can’t be abused by threat actors trying to deploy ransomware. The major opportunities IoT devices provide are as an initial access vector, possibly allowing threat actors to gain access to an organization’s IT network, or for spam, proxies or botnets.
Gaining initial access is a key component of a ransomware attack. While more traditional avenues—things like remote services, stolen credentials and perimeter devices—are the most frequent targets, Internet-accessible IoT devices with default passwords or unexpected open ports (like SSH or RDP) could also be targets for ransomware threat actors.
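One way a defender can check for the exposure described above is to compare a scan of their own IoT network segment against a per-device allowlist. The following is an added example, not part of the original article: it parses nmap grepable (`-oG`) output and flags devices exposing SSH or RDP, other unexpected ports, or hosts missing from the inventory. The sample scan, hostnames and allowlist are constructed assumptions.

```python
import re

# Constructed sample of nmap grepable (-oG) output; addresses are documentation-range placeholders.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (camera-lobby)\tStatus: Up
Host: 192.0.2.10 (camera-lobby)\tPorts: 22/open/tcp//ssh///, 554/open/tcp//rtsp///, 443/open/tcp//https///
Host: 192.0.2.11 (badge-reader)\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.0.2.12 (hvac-ctl)\tPorts: 3389/open/tcp//ms-wbt-server///, 502/open/tcp//modbus///
Host: 192.0.2.13 ()\tPorts: 80/open/tcp//http///
"""

# Hypothetical inventory: ports each known device is expected to expose.
ALLOWED_PORTS = {
    "camera-lobby": {443, 554},
    "badge-reader": {443},
    "hvac-ctl": {502},
}
REMOTE_ADMIN_PORTS = {22, 3389}  # SSH and RDP, the examples named in the article
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def open_ports(ports_field):
    """Return the set of open TCP port numbers from a -oG 'Ports:' field."""
    result = set()
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[0].isdigit() and parts[1:3] == ["open", "tcp"]:
            result.add(int(parts[0]))
    return result


def audit(scan_text, allowed=ALLOWED_PORTS):
    """Return (ip, name, finding, ports) tuples for devices that deviate from the allowlist."""
    findings = []
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if m is None:
            continue  # status lines and comments carry no port data
        ip, name, ports_field = m.groups()
        # Later tab-separated fields (e.g. "Ignored State") are not ports.
        ports = open_ports(ports_field.split("\t")[0])
        if name not in allowed:
            findings.append((ip, name or "?", "unknown-device", sorted(ports)))
            continue
        unexpected = ports - allowed[name]
        admin = sorted(unexpected & REMOTE_ADMIN_PORTS)
        if admin:
            findings.append((ip, name, "remote-admin-exposed", admin))
        elif unexpected:
            findings.append((ip, name, "unexpected-port", sorted(unexpected)))
    return findings
```

Filtered ports are deliberately not counted as exposed, and a host with no inventory entry is reported on its own so that unmanaged devices surface even when their ports look harmless.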
In June 2022, security researchers demonstrated a proof-of-concept ransomware that uses IoT devices to gain initial access, move laterally and deploy ransomware in the IT network and eventually cause disruption to the OT network as a result.
This example serves to highlight how a ransomware actor could exploit IoT devices to deploy ransomware, with no retooling of the malware required.
Organizations using IoT devices, especially if they’re Internet-accessible, should extend their monitoring and security protocols to these devices as well. Here are some best practices: