R4IoT: When Ransomware Meets IoT and OT
Forescout’s Vedere Labs has released a demonstration, report and detailed playbook describing how organizations can protect themselves against R4IoT: a novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT network and impact the OT network. This demonstration is backed by rigorous research into IT, OT and IoT asset vulnerabilities as well as current ransomware trends. Specifically, it shows how ransomware could evolve based on:
- The proliferation of IoT devices in organizations
- The convergence of IT and OT networks
Detecting Mixed IT/IoT/OT threats
Attacks like the one demonstrated in R4IoT require new security approaches to detect and respond to threats that use a combination of device types as part of a single attack chain, which siloed security tools cannot fully detect.
See how Forescout XDR can automatically detect and respond to cross-device threats like R4IoT.
Cyber attacks involving OT and IoT are part of an alarming trend: large ransomware gangs, often operating a ransomware-as-a-service (RaaS) model, crippling the operations of several types of organizations, often at the same time. Attacks have moved from purely encrypting data (2019) to exfiltrating data before encryption (2020) to large extortion campaigns with several phases (2021). Sophisticated ransomware families (ALPHV, Conti) have been active in 2022, sometimes taking a political position after the Russian invasion of Ukraine. This evolution in attacker methods means that ransomware gangs can nowadays cripple the operations of virtually any organization.
How R4IoT Works
R4IoT exploits an IoT device for initial access, targets IT devices to deploy ransomware and cryptoware, and leverages poor OT security practices to cause physical disruption to business operations. By compromising IoT, IT and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to physical disruption of business operations.
Proof of Concept
The proof of concept on IT equipment includes deployment of a crypto miner and data exfiltration. The impact on OT is not limited to standard operating systems (e.g., Linux) or device types (e.g., building automation); it requires neither persistence nor firmware modification on the targeted devices, and it works at scale on the wide variety of devices affected by TCP/IP stack vulnerabilities.
Identify and Protect
- Leverage the Forescout Vedere Labs Global Cyber Intelligence Dashboard for information about vulnerable IoT and OT assets that are being actively exploited and prioritize their protection.
- Use an eXtended detection and response (XDR) solution that can correlate a series of low-confidence IT/IoT/OT incidents, convert them into a high-fidelity threat, and orchestrate and automate response.
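To make the correlation idea concrete, here is an added example (not Forescout's code, and not how Forescout XDR is implemented) that chains low-confidence observations from separate IoT, IT and OT monitoring silos into one scored incident. The events, asset names (cam-01, ws-17, plc-03), signal names and weights are all constructed for illustration; the point is that each signal alone stays below the alerting threshold, while a chain that shares assets across device classes within a time window crosses it.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each record is one
# low-confidence observation; 'silo' is the monitoring tool that raised it
# (IoT monitor, IT EDR, OT network monitor). Asset names are hypothetical.
EVENTS = [
    {"ts": "2022-06-01T10:02:00", "silo": "IoT", "src": "cam-01", "dst": "ws-17",
     "signal": "unexpected_smb_to_it"},          # IoT camera talks SMB to a workstation
    {"ts": "2022-06-01T10:20:00", "silo": "IT", "src": "ws-17", "dst": "pool.example",
     "signal": "miner_pool_dns"},                # that workstation resolves a mining pool
    {"ts": "2022-06-01T10:35:00", "silo": "OT", "src": "ws-17", "dst": "plc-03",
     "signal": "modbus_write_from_it"},          # same workstation writes to a PLC
    {"ts": "2022-06-01T15:00:00", "silo": "IoT", "src": "cam-09", "dst": "ws-42",
     "signal": "unexpected_smb_to_it"},          # isolated event: should stay low
]

# Constructed per-signal weights: every signal on its own is below THRESHOLD.
WEIGHTS = {"unexpected_smb_to_it": 0.3, "miner_pool_dns": 0.3, "modbus_write_from_it": 0.4}
CROSS_SILO_BONUS = 0.2   # extra weight when a chain spans more than one silo
THRESHOLD = 0.7          # score at which an incident becomes high-fidelity


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(hours=1)):
    """Group events that share an asset (src or dst) within `window` of the
    group's last event, then score each group. Returns a list of incidents
    in order of their first event."""
    incidents = []
    for e in sorted(events, key=_ts):
        for inc in incidents:
            in_window = _ts(e) - inc["last"] <= window
            linked = e["src"] in inc["assets"] or e["dst"] in inc["assets"]
            if in_window and linked:
                inc["events"].append(e)
                inc["assets"].update({e["src"], e["dst"]})
                inc["silos"].add(e["silo"])
                inc["last"] = _ts(e)
                break
        else:  # no existing incident matched: start a new one
            incidents.append({"events": [e], "assets": {e["src"], e["dst"]},
                              "silos": {e["silo"]}, "last": _ts(e)})
    for inc in incidents:
        score = sum(WEIGHTS[x["signal"]] for x in inc["events"])
        if len(inc["silos"]) > 1:
            score += CROSS_SILO_BONUS
        inc["score"] = round(min(score, 1.0), 2)
        inc["fidelity"] = "high" if inc["score"] >= THRESHOLD else "low"
    return incidents


def response_plan(incident):
    """Hypothetical automated response: only high-fidelity incidents trigger
    containment, and every asset in the chain is included, not just the one
    that raised the latest alert."""
    if incident["fidelity"] != "high":
        return {"action": "monitor", "assets": []}
    return {"action": "isolate", "assets": sorted(incident["assets"])}


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["fidelity"], inc["score"], sorted(inc["silos"]), response_plan(inc))
```

The window and weights are deliberately simple; a real correlation engine would also normalize asset identity across tools (the same workstation may appear by hostname in the EDR and by IP in the OT monitor), which is exactly the gap siloed tooling leaves open.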
Respond and Recover
- Be ready with policies, controls and incident response plans.