This article is part of our Conference Coverage: RSA 2017: Special conference coverage

RSAC17: More ransomware and IoT-enabled attacks on the way, warns expert

Security expert Ed Skoudis says that in 2017 organisations need to prepare for evolving ransomware and IoT-enabled attacks, as well as a combination of the two

Crypto ransomware is set to increase in 2017 and will continue to be one of the top cyber attack methods, warns security expert and Sans Institute instructor Ed Skoudis.

“There are around 150 families of crypto ransomware, which is an ideal way to attack organisations,” he told the 2017 RSA Conference in San Francisco.

Ransomware, said Skoudis, is highly efficient for attackers, because it requires no command and control channel, no exfiltration and no contact initiated by the attacker.

“Instead, the ransomware victims contact the attacker for ‘help’ in recovering from the infection,” he said, describing ransomware as a “cryptographic revolution” in criminal activity that capitalises on bitcoin as a reliable international payment system.

As well as a growing number of attacks, Skoudis said security researchers are seeing a shift in cyber attacks to target network file servers, backups and big databases, which is substantially amplifying their impact on enterprises.

He also expects to see more targeted ransomware, with attackers focusing more on organisations that are more able and more likely to pay, such as small to medium-sized banks.

Skoudis also predicts that nation state actors will increasingly disguise their attacks as ransomware attacks to hide their true nature and motivation.

Secure your network against ransomware

However, he said there are several things that organisations can do to reduce the likelihood of being paralysed by ransomware attacks or being forced to consider paying for the return of their data.

“The first thing is to ensure you have followed the best practice guidelines for system and network hygiene,” said Skoudis.

“The Centre for Internet Security has its critical controls, which define security activities that will help make you better than the average organisation in securing your environment, which goes a long way in stopping this kind of attack,” he said.

Read more about ransomware

Next, organisations should watch their network shares. “Having shares from individual laptops or workstations to other laptops or workstations is asking for trouble,” said Skoudis.

Additionally, he said organisations should have network shares on file servers only when there is a defined business need.

“And you want to limit the permissions so that if one workstation gets infected with crypto ransomware, it might try to start encrypting files on the server itself, but by limiting the permissions of each user to what they need for their job, it will have a limited impact and won’t be able to take down the whole server.”

Have an attack response plan

Skoudis said organisations should consider ransomware attacks in advance and decide who in the organisation will decide whether or not to pay attackers in the event of an attack.

“You might say you have a business principle of not paying the bad guys, but if you are confronted with a business reality of paying the bad guys a few bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality, and so you should decide in advance who is going to decide,” he said. 

If an organisation is hit by ransomware, it is entering into a negotiation with the criminals behind the attack

Another important thing for an organisation to understand, said Skoudis, is that if it is hit by ransomware, it is entering into a negotiation with the criminals behind the attack.

“They are very practical business people. They understand the principle that some money is better than no money, so if disaster strikes, your best bet is to look small and poor,” he said.

Skoudis went on to highlight attacks that are being enabled by devices that make up the internet of things (IoT), such as connected lightbulbs, thermostats and webcams.

In the past, he said, these devices have been viewed as targets, allowing an attacker to turn on or off groups of devices to affect consumers.

“But, increasingly, the IoT is becoming an attack platform rather than just a target. With large-scale, open source worms such as Mirai spreading to tens of millions of IoT devices, attackers can exploit these systems to create massive floods to take nearly any organisation off the internet,” he said.

Skoudis also warned that these widespread IoT attack platforms could be used for attacks other than floods – distributed denial of service attacks (DDoS) – including stealthy theft of information and password cracking.

Secure all internet-connected devices

In the face of this continued and evolving threat, he said users of IoT devices should ensure that they change the default passwords. “This is one of the things you have to do because many suppliers will ship these devices with the default password,” he said.

He pointed out, however, that some devices might even require users to update the firmware to have the ability to change the password.

“Next, disable Telnet. There are a lot of IoT devices that by default are administered via Telnet. Turn that off and try to use secure shell [SSH] or turn off HTTP and use HTTPS instead.”

Skoudis also pointed out that many IoT devices have a configuration option that allows users to choose to allow the device to be managed only by a user who is on the same subnet. In other words, disable remote access across the internet if you don’t need it,” he said.

Skoudis also recommends using a segmented local area network (LAN) with Wi-Fi protected access version 2 (WPA2). “If you are using Wi-Fi to control your internet of things, put them on a separate network from the one used for laptops and other devices. Have a separate, dedicated IoT WPA2-secured network with a crazy, complex, difficult passphrase. Also set up an IoT dedicated cloud account,” he said.

Early stage penetration testing required

In the business context, Skoudis said pen testing that includes IoT devices and network should be required. “We need to drain the swamp of vulnerabilities, some of which are ridiculously trivial such as cleartext protocols, basic cross-site scripting flaws and a whole lot more.

“We also need to vigorously push suppliers to help clean this up, and one of the trends I think we are going to see is more recalls of this technology. We have seen some recall action already where some vehicles and DVRs did not have foundational security elements built in.

“If you are using Wi-Fi to control your internet of things, put them on a separate, dedicated IoT WPA2-secured network with a crazy, complex, difficult passphrase. Also set up an IoT dedicated cloud account”
Ed Skoudis, security expert

“I think we are going to see a lot more of that, and you need to participate because that is going to drive economic pressure so suppliers will test things more in advance [of releasing them to the market],” he said.

Finally, Skoudis talked about the collision of ransomware and IoT. By combining the ransomware threat with IoT, he said attackers would be able to have much more impact than through DDoS attacks.

“By encrypting configurations and control infrastructures, attackers could hold thermostats, lighting infrastructures or even cars for ransom. “If you want your car to start or your lights to come on, you may have to pay a ransom or reconfigure and re-install all the firmware in your devices,” he said.

Skoudis cited the example of the San Francisco Transit Authority, which was hit by ransomware in November 2016. The attack did not stop trains or buses from running, but the payment systems were affected so the transport services had to run for free.  

“It is a related thing where we have ransomware impacting our ability to take money for things like buses and trains,” he said.

The threat is even more pronounced, said Skoudis, in the industrial internet of things (IIoT), where a factory’s ability to manufacture or a utility’s ability to provide services could be held hostage based on a ransomware threat. “Significant attacks are coming in this direction,” he said.

Read more about IoT security

Read more on Hackers and cybercrime prevention