As various reports from around the world suggest, ransomware attacks are on the rise. Compared to other forms of malware, ransomware has relatively low execution costs and high rates of return, so it has quickly become a preferred method of attack for cybercriminals.
Today, attackers have worked out that enterprises often have less visibility into their IoT (Internet of Things) devices, and can therefore inflict devastating damage without detection, even though computer systems remain the most common source of ransomware infection. In addition, IoT devices are often not built with security in mind, leaving them vulnerable to exploits. IoT-based attacks can also spread across the network very quickly to maximize damage, and ransomware can render the physical functions of a device inaccessible until the victim pays the ransom.
Sadly, there is always a blame game when it comes to shouldering the responsibility for bolstering IoT security. Often, it is up to individual organizations to protect themselves from IoT-based attacks.
Of the myriad ransomware families known to the digital world, arguably the most lethal and infamous is WannaCry. It is estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.
WannaCry and other infections have leveraged a well-known exploit named EternalBlue. It exploits a vulnerability in the Windows Server Message Block version 1 (SMB v1) protocol, which allows the malware to spread to all unpatched Windows systems from XP to 2016 on any network that has this protocol enabled.
The same Windows vulnerability is exploited by all EternalBlue-based malware, including WannaCry. Plenty of unpatched systems are evidently still running around the world, since the number of these attacks is still increasing three years after the first attack was reported.
While WannaCry primarily targets computers, IoT devices are not immune to its malice.
How a WannaCry attack was thwarted –
Last year, in 2019, a European hospital system discovered that its ultrasound devices were infected with WannaCry. Several digital imaging and communications in medicine (DICOM) devices were running old versions of MS Windows operating systems, and they were found to be infected as well. These devices could not be patched without voiding the device manufacturer’s warranty and, because of their expense, could not easily be replaced.
Fortunately, the hospital took the following steps and was able to stop the attack –
The infection on the imaging machines was confirmed
- An ultrasound in the maternity section of the hospital, suspected to be infected, was selected and examined. This was a perilous move, since it risked sensitive patient information being stolen or, worse, held for ransom. A traffic capture on the ultrasound device revealed a significant number of flows from the ultrasound to the network using SMB over TCP (port 445). Since this is the port and exploit known to be used by EternalBlue/WannaCry, it confirmed that the machine was infected.
Affected devices were isolated and security profiles were applied
- The infection couldn’t be eliminated, since the ultrasound device couldn’t be patched or upgraded. However, the hospital was able to contain it and continue using the infected medical devices without infecting the broader network or losing the ultrasound images and files. A security solution was used to isolate certain devices on the network so that the infection stayed contained within the ultrasound device and could not propagate through the network. The IT team applied security policies to the ultrasound device to ensure that no UDP/TCP ports were open, except those explicitly allowed by the imaging staff and IT managers.
Unattended devices were monitored, and they remained vigilant
- The IT personnel didn’t stop once they had isolated the known impacted devices. Hospitals and other organizations whose computer systems have been hit by multiple rounds of WannaCry outbreaks need to confirm that their medical devices (especially those running old versions of MS Windows operating systems) have not also been infected. The team verified that other devices were not infected and closely monitored the network and the devices on it for any suspicious activity.
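The two network-side checks in the steps above, spotting a device fanning out over SMB (TCP/445) and then watching an isolated device for traffic outside its allow-list, can be scripted against flow records. This is an added example, not code from the eScan post or the hospital; the Zeek-style flow lines, the device addresses and the allow-list (ultrasound permitted only DICOM on tcp/104 to its PACS) are constructed for illustration.

```python
"""Flag hosts fanning out over SMB (TCP/445) and check device flows against an
allow-list. Added example, not from the post; flows and policy are constructed."""
from collections import defaultdict

# Constructed Zeek-style conn.log lines: ts, src_ip, src_port, dst_ip, dst_port, proto
SAMPLE_FLOWS = """\
1.0\t10.20.5.14\t49211\t10.20.5.2\t104\ttcp
2.0\t10.20.5.14\t49212\t10.20.7.10\t445\ttcp
2.1\t10.20.5.14\t49213\t10.20.7.11\t445\ttcp
2.2\t10.20.5.14\t49214\t10.20.7.12\t445\ttcp
2.3\t10.20.5.14\t49215\t10.20.7.13\t445\ttcp
3.0\t10.20.5.20\t51000\t10.20.5.2\t104\ttcp
4.0\t10.20.5.20\t51001\t10.20.9.1\t445\ttcp
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, proto = line.split("\t")
        flows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows

def smb_fanout(flows, min_targets=3):
    """Map src -> number of distinct hosts it reached on TCP/445, keeping only sources
    at or above min_targets: the one-device-to-many SMB pattern seen on the ultrasound."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def policy_violations(flows, policy):
    """policy maps a policed device IP -> set of allowed (proto, dport). Every flow
    from such a device that falls outside its allow-list is returned for review."""
    out = []
    for f in flows:
        allowed = policy.get(f["src"])
        if allowed is not None and (f["proto"], f["dport"]) not in allowed:
            out.append((f["src"], f["dst"], f["proto"], f["dport"]))
    return out

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMB fan-out (src -> distinct targets):", smb_fanout(flows))
    # constructed policy: the ultrasound may only speak DICOM (tcp/104) to the PACS
    print("policy violations:", policy_violations(flows, {"10.20.5.14": {("tcp", 104)}}))
```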
Our security experts forecast that ransomware attacks are only going to accelerate and could represent an increased threat to IoT devices in 2020 and beyond. They suggest that, in addition to protecting computer systems and company data from ransomware, it is critical to review and update current IoT security practices, especially for mission-critical endpoints such as medical devices and industrial control systems.
Ransomware has been a persistent threat and will continue to be one for a long while, which also means that we should always be prepared for when it strikes next.
To read more, please check eScan Blog