Malware and Ransomware Protection for Internet of Things (IoT) Devices


Malware has been around for decades, and it continues to bring businesses to their knees. Ransomware in particular started out as a nuisance strain that restricted access to enterprise data by encrypting it. Today it has evolved into an advanced attack vector with dire consequences.


The threat of permanent data loss simply can't be ignored. Even worse, cybercrime syndicates now offer ransomware as a service (RaaS), making just about anyone a potential threat actor with a score to settle.




In the context of the Internet of Things (IoT), ransomware is not a new discussion. Ransomware attacks gained momentum as IoT adoption started to scale, and with the growth of new ransomware strains it is critical to take a deep dive into this attack vector and identify ways to secure your organization. After all, malicious software can enter through an IoT device, infect it, and quickly spread across IT networks, crippling operations.


What is Malware?


Malicious software, or malware, is code that threat actors develop to disrupt, damage or gain control of computer systems and devices. Attackers also use malware to steal data or to mine cryptocurrencies on the victim's hardware.


Common malware categories include viruses, ransomware, Trojans, spyware, worms, and adware. According to SonicWall's 2023 Cyber Threat Report, malware attacks rose for the first time in five years, to 5.5 billion, a 2% year-over-year increase.


Malware is usually very small, but a lot of logic fits into a tiny executable file. In the 1990s and early 2000s, size served a purpose: computers had little Random Access Memory (RAM), and the internet was much slower in the days of dial-up connections.


Twenty-five years ago, large binary files were limited to installers and video games, which required a lot of resources. With faster internet connections and considerable leaps in disk space and memory, large binaries are no longer an obstacle. But malware binaries still pose a real problem.


Binary padding (catalogued in MITRE ATT&CK as T1027.001) has become popular among cybercriminals. Appending junk bytes inflates a file past the upper size limit that sandboxes and other malware analysis tools impose on submissions, and because every upload costs network transfer to the sandbox, oversized files are often simply skipped. It is an effective way to avoid detection. IoT malware, by contrast, dials things back to the old days: the devices it targets have little storage and memory, so the binaries stay tiny, and byte-sized malware is once again wreaking havoc across the internet.
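The following is an added example, not code from the original article, showing the defensive side of the padding trick described above: before a sample is rejected for exceeding a sandbox size limit, check whether its tail is one long run of a single byte and strip it. The sample data is constructed inline (a 64-byte stand-in payload plus 1 MiB of 0x00) and is not a real malware file; the 4 KiB minimum run and the 512 KiB sandbox limit are assumed values.

```python
"""Detect and strip trailing binary padding before sandbox submission.

Added example for this article; the sample bytes are constructed, not malware.
Padding with a single repeated byte is cheap for the attacker and easy to
undo; the entropy helper shows why a padded file also looks "boring" to
heuristics, and the caveat at the bottom covers random-byte padding.
"""
from __future__ import annotations

import math
from collections import Counter
from typing import Optional, Tuple

# Assumed threshold: a trailing run at least this long is treated as padding.
MIN_PAD_RUN = 4096


def trailing_run(data: bytes) -> Tuple[Optional[int], int]:
    """Return (byte_value, run_length) for the single-byte run that ends the file."""
    if not data:
        return None, 0
    last = data[-1]
    n = 0
    for b in reversed(data):
        if b != last:
            break
        n += 1
    return last, n


def strip_padding(data: bytes, min_run: int = MIN_PAD_RUN) -> Tuple[bytes, int]:
    """Remove a trailing single-byte run if it is at least min_run bytes long.

    Returns (stripped_data, bytes_removed). Files without such a run come back
    unchanged so legitimate binaries are never truncated.
    """
    _, n = trailing_run(data)
    if n >= min_run:
        return data[:-n], n
    return data, 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a long run of one value pulls this toward zero."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def should_submit(data: bytes, size_limit: int) -> bool:
    """Sandbox gate: decide on the de-padded size, not the inflated one."""
    stripped, _ = strip_padding(data)
    return len(stripped) <= size_limit


# Constructed sample: a 64-byte stand-in payload with an MZ header, then 1 MiB of 0x00.
PAYLOAD = b"MZ" + bytes(range(62))
PADDED_SAMPLE = PAYLOAD + b"\x00" * (1024 * 1024)

if __name__ == "__main__":
    stripped, removed = strip_padding(PADDED_SAMPLE)
    print(f"original={len(PADDED_SAMPLE)} bytes, stripped={len(stripped)}, removed={removed}")
    print(f"entropy before={shannon_entropy(PADDED_SAMPLE):.3f}, after={shannon_entropy(stripped):.3f}")
    print("submit to 512 KiB sandbox:", should_submit(PADDED_SAMPLE, 512 * 1024))
```

The trailing-run check only catches the cheapest form of padding. An attacker who appends random bytes defeats it, and the padded file then shows high entropy, which is also what a packed or encrypted payload looks like. Treat an oversized submission as a reason to look closer, not as a reason to skip the file.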


What is Ransomware?


Ransomware is a type of malware, developed by threat actors and most often distributed through social engineering campaigns such as phishing, that encrypts the victim's files, data, or even entire systems. Once the data is encrypted, it displays a message demanding a ransom payment, usually in cryptocurrencies like Bitcoin or Monero. After receiving payment, the criminals may provide a decryption key that restores access, or they may simply disappear, or leak the stolen data on the dark web anyway.


Ransomware attacks are time-critical and often irreversible. Paying a ransom doesn't guarantee a return to business as usual, but unprepared organizations don't have much choice. If they fail to pay by the deadline, they may permanently lose access to business-critical files and data, and the ransom amount can increase as the deadline approaches or if the initial payment is not made.


One widely cited forecast has a ransomware attack occurring every two seconds by 2031, at a cost to businesses of $265 billion annually.


There are different variants of ransomware families:


  • Crypto ransomware (usually a single extortion scenario where data is encrypted and held for ransom)
  • Locker ransomware (usually a single extortion scenario where threat actors lock the victim's operating system, such as Linux or Microsoft Windows, making the device inaccessible)
  • Doxware (or leakware) (usually double extortion where the threat actor threatens to publicize sensitive data)


There are also triple extortion scenarios, where threat actors add Distributed Denial of Service (DDoS) attacks on top of the encryption and the threat of a data leak, and quadruple extortion, where cybercriminals contact the victim's customers and stakeholders directly to add more pressure to pay.


How Does IoT Increase the Risk of Malware and Ransomware Attack?


When we add IoT into the mix, things become much worse, as an IoT-focused ransomware attack can derail or even destroy critical infrastructure. IoT devices also expand an already large attack surface through which IoT malware can quickly spread.


For example, ransomware gangs like Conti and DarkSide have concentrated on critical infrastructure and other high-profile targets that rely on industrial control systems (ICS) and operational technology (OT). A targeted ransomware attack on such an organization raises the stakes and the urgency of returning to business as usual.


OT systems-focused ransomware can have a domino effect across the supply chain. It's become such a serious threat that the US Cybersecurity and Infrastructure Security Agency (CISA) published a fact sheet to make organizations aware.


That said, ransomware rarely encrypts the OT systems themselves. It usually lands in IT systems and ICS management software, but an intrusion into the IT network can still take the OT side down. This is exactly what happened in the infamous Colonial Pipeline case: the company kept the ransomware off its industrial systems, but it shut the pipeline down as a precaution after its IT network was compromised, and it could not avert fuel shortages in several states.


Understanding the Threat Landscape


IoT devices are also at risk from a slew of other malware families, including spyware (which covertly collects sensitive data), worms (which self-replicate and spread on their own), and bots or botnets (for example Mirai, which hijacks IoT devices to launch coordinated attacks). Other IoT malware includes cryptocurrency miners and DNS changers, which alter a router's DNS settings to redirect users to malicious websites.


IoT is a desirable target for ransomware attacks. IoT devices (including IoT medical devices in the healthcare industry) come with inherent weaknesses, such as weak or default passwords that aren't changed and outdated firmware and software.


What Are the Potential Consequences of Malware and Ransomware on IoT?


An IoT ransomware attack can have dire consequences that outlast the ransom itself. Even after the victim pays, attackers may keep monitoring activity through compromised smart CCTV cameras, misuse stolen banking or crypto wallet credentials, and use the compromised devices to launch DDoS attacks on other targets. Threat actors can also analyze and reverse engineer custom enterprise software they exfiltrated and leverage it for their own benefit.


IoT cybersecurity risks include:


  • Botnet enlistment
  • Data theft
  • Device hijacking
  • Physical security breaches (by compromising smart locks and cameras)
  • Spying and eavesdropping
  • Unauthorized device operation


IoT essentially redefines the attack surface that enterprises must secure. IoT devices like routers sit in the background and are forgotten by security teams; nobody examines them until something goes wrong, which leaves them highly exposed to malware infections. Botnet malware, which often infects IoT gadgets, can quickly distribute other malware families, including ransomware. This makes IoT botnets especially dangerous.


How to Defend IoT Environments from Malware and Ransomware Attacks?


The best defense against malware such as ransomware in an IoT-heavy environment is to prevent it from happening in the first place. Threat actors are human, after all. Like any other criminal, they are more likely to target businesses that offer the least resistance. This makes it vital to follow cybersecurity best practices, and before listing them it helps to understand what makes IoT environments hard to defend.


Victims of malware and ransomware attacks experience significant costs: the ransom payment itself, operational delays, remediation costs, and the loss of customer trust and brand value. In a double extortion campaign, even a victim that recovers its mission-critical data from backups cannot avert the reputational damage of a leak.


Real-Time Identification of IoT Vulnerabilities


To defend against IoT malware attacks, enterprises need to adopt a proactive approach to IoT security. IoT vulnerabilities are rampant, and security researchers discover new bugs regularly. As new malware targets these vulnerabilities, organizations must quickly identify them and resolve them before threat actors exploit them. However, malware defense is far from straightforward.


Rapid IoT Adoption Across Organizations


IoT adoption is often rapid and organization-wide. When that is the case, deploying a detection mechanism for malware is usually an afterthought: IoT malware analysis (static and dynamic) and intrusion detection systems such as botnet detection tools only become a priority after a security event. Businesses must consciously slow the pace of IoT adoption to avoid increasing the complexity of their IoT environments and exacerbating device management and security issues.


IoT Devices Connected to Legacy Systems


Many industries still run legacy systems at the heart of their IT infrastructure and rely on them for critical business operations, while at the same time connecting internet-enabled devices to gain the benefits of data collection, machine learning and deep learning, and automation. Legacy systems quickly increase risk exposure because the OEM may have stopped issuing patches for these connected devices and the systems they attach to.


IoT Devices with Weak Security


IoT security is an ongoing battle. Organizations following best practices, implementing robust security measures, and properly securing their IoT devices like printers might still be at risk because they have trouble accounting for personal devices. Mobile devices like smartphones (Apple iOS and Android), smartwatches, smart devices like e-readers, and smart home devices such as thermostats can quickly introduce malware into secure enterprise networks.


Rapidly Evolving Ransomware Attacks


As threat actors take a more targeted approach, organizations face a threat like never before. When cybercriminals tailor an IoT ransomware attack to an organization's specific weaknesses, averting it becomes far harder. This is often the case when ransomware targets critical infrastructure.


False Positives


Even the best IoT malware detection tools produce false positives. These tools learn from past and present malware samples, but every machine learning and deep learning classifier makes some errors, because its verdicts are probabilities rather than certainties. Alerts still need a human, or a well-tuned rule set, behind them.


With those challenges in mind, the following practices reduce the chance that an attacker picks your IoT environment as the path of least resistance.


Secure All Potential Entry Points


The first step in fortifying IoT security is addressing each possible entry point and properly securing the IoT environment. The best way to do this is to build an inventory of all data and assets, identify authorized and unauthorized devices on the network, and regularly review logs of incidents and events.
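As an added example (not code from the original article), the script below reconciles DHCP leases against an asset inventory to surface the unauthorized devices the paragraph above talks about. The lease lines follow the dnsmasq leases-file layout (expiry, MAC, IP, hostname, client-id); the leases, the inventory and the OUI prefix table are all constructed sample data for the demonstration, not real vendor assignments.

```python
"""Find unauthorized devices by reconciling DHCP leases against an asset inventory.

Added example for this article. Both the inventory and the lease lines are
constructed; the OUI table is illustrative, not the IEEE registry.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed asset inventory: MAC -> (asset name, owner). Anything not here is unknown.
INVENTORY = {
    "02:00:5e:10:00:01": ("printer-floor2", "facilities"),
    "02:00:5e:10:00:02": ("cam-lobby-01", "physical-security"),
    "02:00:5e:10:00:03": ("hvac-ctrl-a", "facilities"),
}

# Illustrative OUI prefixes (first three octets) -> vendor class, used only for triage.
OUI_TABLE = {
    "02:00:5e": "example-iot-vendor",
    "02:1a:2b": "example-consumer-vendor",
}

# Constructed dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1700000100 02:00:5e:10:00:01 10.20.0.11 printer-floor2 *
1700000200 02:00:5e:10:00:02 10.20.0.12 cam-lobby-01 01:02:00:5e:10:00:02
1700000300 02:1a:2b:44:55:66 10.20.0.57 android-9f3c 01:02:1a:2b:44:55:66
1700000400 02:00:5e:10:00:09 10.20.0.58 * *
"""


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; malformed lines are skipped so one bad line cannot stop the audit."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def vendor_for(mac: str) -> str:
    """Map the OUI prefix of a MAC to a vendor class, or 'unknown-oui'."""
    return OUI_TABLE.get(mac[:8].lower(), "unknown-oui")


def unauthorized_devices(leases: list[Lease]) -> list[dict]:
    """Return every leased device that is absent from INVENTORY, with a triage hint."""
    findings = []
    for lease in leases:
        if lease.mac in INVENTORY:
            continue
        vendor = vendor_for(lease.mac)
        # A known vendor prefix with no inventory record usually means an unregistered
        # replacement or a personal device; unknown hardware deserves a closer look.
        hint = ("unregistered device from a known vendor prefix"
                if vendor != "unknown-oui" else "unknown hardware")
        findings.append({"mac": lease.mac, "ip": lease.ip, "hostname": lease.hostname,
                         "vendor": vendor, "hint": hint})
    return findings


def stale_inventory(leases: list[Lease]) -> list[str]:
    """Inventory entries with no active lease: decommissioned, offline, or statically addressed."""
    seen = {lease.mac for lease in leases}
    return sorted(mac for mac in INVENTORY if mac not in seen)


if __name__ == "__main__":
    leases = parse_leases(LEASES)
    for f in unauthorized_devices(leases):
        print(f"UNAUTHORIZED {f['mac']} {f['ip']} host={f['hostname']} vendor={f['vendor']} ({f['hint']})")
    for mac in stale_inventory(leases):
        print(f"NO LEASE     {mac} {INVENTORY[mac][0]}")
```

MAC addresses are trivially spoofable, so a MAC allowlist is an inventory tool, not an authentication control; the stale-inventory list matters as much as the unauthorized one, because a forgotten device that still has network access is exactly the kind of asset this article warns about.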


Deploy a Malware Detection System


Organizations must adopt a variety of threat detection approaches to fortify enterprise infrastructure. This includes IoT malware detection technologies to optimize protection and remediation efforts.


Regularly Update and Patch


Keeping software, firmware, IoT systems, and devices regularly patched and updated is essential. Patching closes the exploitable vulnerabilities that ransomware attackers search for, and firmware that can no longer be updated is a reason to isolate or replace the device.


Change the Default Password


IT teams are notorious for adding IoT devices to networks without changing the default password. Changing it is vital, and organizations can go a step further and implement multi-factor authentication (MFA) wherever the device or its management console supports it. Threat actors often use stolen or default credentials, so MFA goes a long way toward mitigating the risk of ransomware attacks, data breaches, and other security events.


Follow the Principle of Least Privilege


When businesses follow the principle of least privilege, staff and devices can only run the programs and reach the resources they need, which limits both accidental exposure and the hacking tools attackers try to run after a foothold. It also makes sense to implement a zero-trust security model, where every device has to authenticate and be authorized before it talks to anything.


Segment Enterprise Networks and Enforce Protection


Network segmentation is crucial to stop the spread of ransomware. Put IoT devices on their own network segment with only the connections they need, so that a compromised device cannot reach other devices or the corporate network. Robust network protection adds an extra layer of defense against threats that target known flaws in IoT devices.


Real-Time Network Monitoring


Having the right tools to monitor network traffic in real time is important. This lets organizations establish a baseline of normal activity per device and quickly identify anomalies that could indicate an intrusion, such as a camera that suddenly starts scanning other hosts. A Managed Security Service Provider or tools like Forescout can help you manage cyber risk and compliance.
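As an added example (not the article's own code or any vendor's), the script below shows the baseline-then-anomaly idea in working form. It learns, per device, which destination ports and peers are normal and how much data the device sends, then flags new ports, scan-like fan-out on one port, and outbound volume spikes. The flow records are constructed NetFlow-style tuples (timestamp, source IP, destination IP, destination port, bytes); the camera that sweeps port 23 across 30 hosts in the "live" window, the thresholds, and the high-numbered port are all assumptions for the demonstration.

```python
"""Per-device traffic baseline with anomaly flags for an IoT segment.

Added example for this article. Flow records, thresholds and the scan in the
live window are all constructed; no real traffic is used.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Assumed tuning knobs.
SCAN_PEER_THRESHOLD = 20   # distinct destinations on one port within the live window
VOLUME_MULTIPLIER = 5.0    # outbound bytes vs. the baseline window

Flow = tuple  # (timestamp, src_ip, dst_ip, dst_port, bytes)


@dataclass
class Profile:
    ports: set[int] = field(default_factory=set)
    peers: set[str] = field(default_factory=set)
    bytes_out: int = 0


def build_baseline(flows: list[Flow]) -> dict[str, Profile]:
    """Learn which ports and peers each source normally uses and how much it sends."""
    profiles: dict[str, Profile] = defaultdict(Profile)
    for _, src, dst, dport, nbytes in flows:
        p = profiles[src]
        p.ports.add(dport)
        p.peers.add(dst)
        p.bytes_out += nbytes
    return dict(profiles)


def detect(flows: list[Flow], baseline: dict[str, Profile]) -> list[str]:
    """Flag new ports, scan-like fan-out, and volume spikes against the baseline."""
    alerts: list[str] = []
    live = build_baseline(flows)
    peers_by_port: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for _, src, dst, dport, _ in flows:
        peers_by_port[src][dport].add(dst)

    for src, now in live.items():
        base = baseline.get(src)
        if base is None:
            alerts.append(f"{src}: no baseline (new or previously silent device)")
            continue
        for port in sorted(now.ports - base.ports):
            alerts.append(f"{src}: new destination port {port}")
        for port, peers in sorted(peers_by_port[src].items()):
            if len(peers) >= SCAN_PEER_THRESHOLD:
                alerts.append(f"{src}: {len(peers)} distinct peers on port {port} (scan-like)")
        if base.bytes_out and now.bytes_out > VOLUME_MULTIPLIER * base.bytes_out:
            alerts.append(f"{src}: outbound volume {now.bytes_out} vs baseline {base.bytes_out}")
    return alerts


# Constructed baseline window: a camera streaming to its NVR, a printer polling on IPP.
BASELINE_FLOWS = (
    [(1700000000 + i, "10.20.0.12", "10.20.0.5", 554, 120_000) for i in range(10)]
    + [(1700000000 + i, "10.20.0.11", "10.20.0.5", 631, 2_000) for i in range(10)]
)

# Constructed live window: the camera sweeps port 23 across 30 hosts, then pushes
# 7 MB to an outside address on an unusual high port; the printer is unchanged.
LIVE_FLOWS = (
    [(1700003600 + i, "10.20.0.12", f"10.20.1.{i}", 23, 60) for i in range(1, 31)]
    + [(1700003700, "10.20.0.12", "203.0.113.10", 48101, 7_000_000)]
    + [(1700003600 + i, "10.20.0.11", "10.20.0.5", 631, 2_000) for i in range(10)]
)

if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("ALERT", alert)
```

IoT devices are good candidates for this kind of baselining precisely because their normal behaviour is narrow: a camera talks to its recorder on one port, a printer talks to a print server. The same check run against the baseline window itself produces no alerts, which is the sanity test to run before trusting the thresholds on real traffic.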


Implement a Robust Backup and Disaster Recovery Program


It's important to prepare for the unthinkable. Companies must formulate a robust disaster recovery strategy: back up files regularly, keep at least one copy offline or otherwise unreachable from the production network (ransomware routinely encrypts any backup it can reach), and have people and processes in place to react to a cyberattack immediately. Although ransomware today is advanced and dangerous, backups still provide protection against encryption. As always, test the restore process, and then test it again regularly.


Create a Culture of Shared Responsibility


Security and business leaders must advocate for shared responsibility, especially over IoT. A cybersecurity culture that's nurtured will lead to better awareness and help staff make conscious decisions to secure personal devices.


Always Prioritize Security Over Connectivity


Understanding the risks of connecting new IoT devices to enterprise networks is crucial. Each device adds complexity and widens the attack surface. Whenever you have to add more gadgets, change the default password, update the firmware, and turn off unnecessary features and services (unused functionality, not security features). Using Virtual Private Networks (VPNs) for secured remote access, rather than exposing device management interfaces to the internet, also helps with risk mitigation.




As IoT becomes a core part of enterprise infrastructure, the future looks both promising and challenging. IoT security is a complex challenge that demands continuous attention. As the industry evolves, technologies such as blockchain are being proposed for IoT security, while governments implement more regulations governing how companies and individuals use these devices.


Although IoT is booming right now, its future is essentially in the hands of IoT cybersecurity professionals and services. In the current threat landscape, understanding and tackling threats are paramount. As such, organizations must embrace the marvels of connected device technology but remain vigilant and proactive in ensuring its security.





