Researchers Devise Attack Using IoT and IT to Deliver Ransomware Against OT

Critical industries must prepare themselves for a new wave of ransomware attacks specifically targeting OT

Ransomware is a category of extortion. Its sole purpose is to extract money from the victim. As organizations got better at refusing ransom demands, the attackers added a second lever, the threat to leak stolen data, creating 'double extortion'.

As defenders get better at fending off double extortion, the attackers will evolve again. The most obvious path is to attack operational technology (OT) rather than just IT. Attacks against OT are harder to achieve, but their effect is correspondingly harder to mitigate. The evolution of cyber extortion makes this more than just a possible development.

Forescout’s Vedere Labs has published a proof of concept (PoC) for a ‘ransomware’ attack that uses IoT for access, IT for traversal, and OT (especially PLCs) for detonation. It is called R4IoT and is described as the next generation of ransomware. 

The worrying aspect of this PoC is that it requires nothing new. IoT access was chosen because of the growth in IoT devices that generally receive less defensive attention than other parts of the network. Such access is likely to increase.

Traversal through and across IT is known and understood, but not always seen because of the current tendency for attackers to ‘live off the land’. Crossing from IT to OT is increasingly possible because of the ongoing convergence of the two networks, necessitated by the digital transformation of modern business. Throughout the PoC, existing vulnerabilities and exploits have been used.

Future attacks against the OT of critical industries are inevitable, if only because critical industries (think Colonial Pipeline) are more likely to pay the extortion, and to pay rapidly. The Forescout PoC is designed to demonstrate how easily criminal gangs can deliver this type of extortion – but it is worth also noting that nation states could use the same process to deliver wipers against critical infrastructure.

This would be technically more difficult and require a knowledge of the targeted network. Adversarial nations are thought to have been inside critical networks on surveillance missions for years – so, they may already have that knowledge.

Learn More About OT Cybersecurity at SecurityWeek’s ICS Cyber Security Conference

The two most important aspects emerging from the Forescout work are the likelihood of increased incursions via IoT devices, and the potential to disrupt the OT network for extortion purposes without requiring specialist APT-level sophistication.

Criminals are already taking note of the potential of IoT, and exploits can be bought on the dark web. “Lemon Duck is a Monero cryptomining botnet that uses IoT devices as entry points to infect computers, the Conti ransomware group targets devices such as routers, cameras and NAS with exposed web interfaces to move internally in affected organizations, variants of the Trickbot malware use routers as a proxy to contact C&C servers, and the Cyclops Blink malware (linked to the state-sponsored Sandworm group) exploits routers for initial access,” notes the report.

The growing threat from IoT comes from the number of devices that are being installed with little perception that they are an integral part of the network. They are neither defended nor patched with the rigor applied to the rest of the network. But since they are usually exposed to both the internet and the internal infrastructure, they can provide easy access for criminals.

The IT side of the operation is not discussed in detail within the report because the issues are well known if not yet well solved. Instead, the report focuses on IoT and OT embedded devices. “One thing that ties together both the initial access and impact possibilities brought by embedded IoT and OT devices is the increasing number of supply chain vulnerabilities affecting millions of these devices at the same time,” says the report. The researchers call out Project Memoria affecting TCP/IP stacks, BadAlloc affecting RTOSes, Access:7 affecting a popular IoT management platform and vulnerabilities in the BusyBox application used by many Linux devices.

Nevertheless, the progress of R4IoT ransomware is briefly described. It maps the different machines on the network, and uses the NTLM hash of the administrator's account (a pass-the-hash) together with the WMI functionality within impacket to connect to each. There it disables Windows Firewall and Windows Defender, and drops other R4IoT executables (a crypto miner and a Memoria executable that will launch DoS attacks against critical IoT/OT assets). A modified version of the Racketeer toolkit provides C&C Server/Agent functionality. On demand from the C&C Server, the C&C Agent can encrypt or decrypt files on the infected machine, exfiltrate files and launch arbitrary executables with admin privileges.
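Each step of that IT traversal leaves a host-side footprint that a detection engineer can key on: an NTLM network logon of a privileged account (pass-the-hash), cmd.exe spawned by the WMI provider host with the output-redirect pattern impacket's wmiexec uses, Defender real-time protection switched off, and a firewall profile change. The following is an added example, not Forescout's code or the report's, that correlates those four indicators per host over JSON-lines Windows events. The event IDs (4624, 4688, 5001, 2003), the field names, the admin account list and the sample log are all assumptions constructed for this example.

```python
"""Host-side detection of an R4IoT-style lateral movement chain (added example).

One indicator per step the report describes:
  * NTLM network logon of an administrative account (pass-the-hash with impacket)
  * cmd.exe spawned by WmiPrvSE.exe with wmiexec's output-redirect pattern
  * Windows Defender real-time protection disabled
  * a Windows Firewall profile setting changed
Three or more distinct indicators on one host inside a short window are reported
as a chain. Event IDs and field names are assumptions for this example; adjust
them to your own log pipeline.
"""
import json
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"administrator"}   # assumption: privileged accounts to watch
CHAIN_THRESHOLD = 3                  # distinct indicators needed to raise a chain


def classify(ev):
    """Return an indicator tag for one parsed event, or None if it looks benign."""
    eid, data, provider = ev.get("id"), ev.get("data", {}), ev.get("provider", "")
    if (eid == 4624 and data.get("LogonType") == 3
            and data.get("AuthenticationPackageName") == "NTLM"
            and data.get("TargetUserName", "").lower() in ADMIN_ACCOUNTS):
        return "ntlm_admin_network_logon"
    if (eid == 4688
            and data.get("ParentProcessName", "").lower().endswith("wmiprvse.exe")
            and data.get("NewProcessName", "").lower().endswith("cmd.exe")
            and "admin$\\__" in data.get("CommandLine", "").lower()):
        return "wmiexec_cmd_spawn"
    if eid == 5001 and "Windows Defender" in provider:
        return "defender_realtime_disabled"
    if eid == 2003 and "Firewall" in provider:
        return "firewall_setting_changed"
    return None


def parse_events(text):
    """Parse JSON-lines events (one object per line) and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_chains(events, window_minutes=30):
    """Map host -> sorted indicator tags for hosts reaching CHAIN_THRESHOLD
    distinct indicators within window_minutes of that host's first indicator."""
    window = timedelta(minutes=window_minutes)
    per_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev["host"], []).append((ev["ts"], tag))
    chains = {}
    for host, hits in per_host.items():
        start = hits[0][0]
        tags = {tag for ts, tag in hits if ts - start <= window}
        if len(tags) >= CHAIN_THRESHOLD:
            chains[host] = sorted(tags)
    return chains


# Constructed sample log (not real telemetry). WS-OT-ENG shows the full chain;
# WS-HR-07 shows a lone NTLM logon and a benign process start.
SAMPLE_LOG = r"""
{"ts": "2022-06-01T09:14:02", "host": "WS-OT-ENG", "provider": "Microsoft-Windows-Security-Auditing", "id": 4624, "data": {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator", "IpAddress": "10.0.2.15"}}
{"ts": "2022-06-01T09:14:05", "host": "WS-OT-ENG", "provider": "Microsoft-Windows-Security-Auditing", "id": 4688, "data": {"ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c netsh advfirewall set allprofiles state off 1> \\\\127.0.0.1\\ADMIN$\\__1654075000.1 2>&1"}}
{"ts": "2022-06-01T09:14:06", "host": "WS-OT-ENG", "provider": "Microsoft-Windows-Windows Firewall With Advanced Security", "id": 2003, "data": {"Profiles": "All"}}
{"ts": "2022-06-01T09:14:40", "host": "WS-OT-ENG", "provider": "Microsoft-Windows-Windows Defender", "id": 5001, "data": {}}
{"ts": "2022-06-01T09:20:11", "host": "WS-HR-07", "provider": "Microsoft-Windows-Security-Auditing", "id": 4624, "data": {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator", "IpAddress": "10.0.2.15"}}
{"ts": "2022-06-01T09:21:00", "host": "WS-HR-07", "provider": "Microsoft-Windows-Security-Auditing", "id": 4688, "data": {"ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}}
"""

if __name__ == "__main__":
    for host, tags in find_chains(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: R4IoT-style chain, indicators = {tags}")
```

The threshold and window are the knobs that trade noise for coverage: a single NTLM admin logon is common in many estates, but an admin logon followed within minutes by a WmiPrvSE-spawned shell and a security-tooling change on the same host is the sequence the PoC relies on, and each indicator is observable before any file is encrypted.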

The drama of the report focuses on the damage that can be done if an attacker succeeds in gaining access to IT via an IoT device, and then gains access to the OT via IT/OT convergence. Some harm could be done at Purdue Level 2 and above because those are regular Windows/Linux machines. But Forescout focuses on attacking the PLCs, since the effect is more dramatic, immediate and difficult to mitigate. It looks at internally delivered DoS attacks since PLCs are rarely exposed to the outside world.

There are more than half a million devices running TCP/IP stacks vulnerable to Project Memoria in organizations in almost every industry vertical. Exploiting these devices with similar and simple denial of service attacks gives the attackers the ability to disrupt many types of organizations.

Once the PLCs are effectively taken down by the DoS, the damage is done. Critical parts of a company's operations can be halted, whether that is a conveyor belt or an infusion pump.

“The protection window has passed,” Daniel dos Santos, head of security research at Forescout Vedere Labs told SecurityWeek. “To give an extreme example, if it is connected to a poor gas pipeline and measuring pressure conditions, things could explode. That’s the main issue with OT – if the attacker reaches that point and can cause the device to go offline or to change some settings in the device, the physical danger becomes much more present; and probably much more critical than any danger to the data.”

R4IoT is not some new development in malware. It uses exploits that already exist. More worryingly, the proof of concept shows that it could be used at scale by less sophisticated hackers using ransomware-as-a-service. The implication is that critical industries must prepare themselves now for a new wave of ransomware attacks specifically targeting OT.

Traditional rapid response to IT ransomware, such as taking the systems off-line, won’t work with OT. It is what dos Santos describes as ‘death by suicide’. You may stop further progress of the attack, but you are self-inflicting the end purpose of the attack. Organizations need to prepare their response now – and this can only be built on zero trust segmentation and improved visibility into both IT and OT with something like anomaly detection.
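The segmentation piece is the one that can be checked mechanically: if flows between IoT, IT, engineering and controller zones are logged, a default-deny allow list can be replayed over them to surface the exact paths the PoC depends on (camera to IT file share, IT host to PLC, internet to IoT). The block below is an added example written for this article, not Forescout's code; the address plan, zone names and permitted ports are assumptions, and the flow records are constructed.

```python
"""Zero-trust segmentation audit for IoT / IT / OT flows (added example).

Zones follow an illustrative Purdue-style address plan; the allow list is
default-deny, so any flow not explicitly permitted is reported. Addresses,
zone names and permitted ports are assumptions for this example.
"""
import ipaddress

ZONES = {
    "iot": ipaddress.ip_network("10.10.0.0/24"),       # cameras, NAS, building devices
    "it":  ipaddress.ip_network("10.0.0.0/16"),        # office workstations and servers
    "eng": ipaddress.ip_network("10.20.1.0/24"),       # engineering workstations (Purdue L3)
    "plc": ipaddress.ip_network("192.168.100.0/24"),   # controllers (Purdue L1)
}

# (src_zone, dst_zone) -> permitted destination ports; None means any port.
ALLOWED = {
    ("it", "it"):   None,
    ("eng", "eng"): None,
    ("eng", "plc"): {502, 44818},   # Modbus/TCP and EtherNet/IP from engineering only
    ("it", "eng"):  {443},          # HMI / historian web access only
    ("iot", "it"):  {8883},         # MQTT over TLS to the broker only
}


def zone_of(ip):
    """Name of the zone containing ip, or 'unknown' (internet or a rogue subnet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src, dst, dport):
    """Return (verdict, reason) for one flow under the default-deny allow list."""
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz) not in ALLOWED:
        return "deny", f"no path {sz}->{dz}"
    ports = ALLOWED[(sz, dz)]
    if ports is None or dport in ports:
        return "allow", f"{sz}->{dz} port {dport} permitted"
    return "deny", f"{sz}->{dz} port {dport} not in allow list"


def audit(flows):
    """Return the flows that violate policy as (src, dst, dport, reason) tuples."""
    violations = []
    for src, dst, dport in flows:
        verdict, reason = check_flow(src, dst, dport)
        if verdict == "deny":
            violations.append((src, dst, dport, reason))
    return violations


# Constructed flow records (src, dst, dst_port), not captured traffic.
SAMPLE_FLOWS = [
    ("10.10.0.23",  "10.0.5.40",     445),   # IP camera -> IT file server SMB
    ("10.0.5.40",   "192.168.100.7", 502),   # IT server -> PLC Modbus
    ("10.20.1.12",  "192.168.100.7", 502),   # engineering workstation -> PLC Modbus
    ("10.20.1.12",  "192.168.100.7", 80),    # engineering -> PLC web UI
    ("10.0.3.9",    "10.0.5.40",     445),   # IT -> IT SMB
    ("10.0.3.9",    "10.20.1.12",    443),   # IT -> engineering HTTPS
    ("203.0.113.5", "10.10.0.23",    80),    # internet -> IoT camera
]

if __name__ == "__main__":
    for src, dst, dport, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}:{dport}  ({reason})")
```

Run against real flow exports (firewall, NetFlow or span-port logs), every denied line is either a policy gap to close or an active crossing to investigate; the point is that the IoT-to-IT and IT-to-PLC hops the PoC chains together never appear in a correctly enforced allow list, so they are anomalies by construction rather than something a signature has to recognise.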

“R4IoT,” continues dos Santos, “is the first work to analyze how ransomware can impact IoT, and delivers a full proof-of-concept from initial access via IoT to lateral movement in the IT network, and subsequent impact on the OT network. Threat actors are exploiting a broader threat surface than before, and we see hacking groups discuss IoT access on forums today. It has become imperative to arm organizations with knowledge to extend their proactive defenses and ensure IoT devices have adequate segmentation from their critical IT and OT infrastructure.”

Related: University Project Cataloged 1,100 Ransomware Attacks on CI

Related: FBI Warns of RagnarLocker Ransomware Attacks on Critical Infrastructure

Related: Ransomware Targeted 14 of 16 U.S. Critical Infrastructure Sectors in 2021

Related: FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.