…and it’s more cost-effective than paying the ransom

Ransomware attacks are on the rise.  Due to relatively low execution costs, high rates of return, and minimal risk of discovery (compared to other forms of malware), ransomware has quickly become a preferred method of attack for cybercriminals.

This fact is backed up by recent data from Atlas VPN who states that the amount of demanded ransom payments increased by 140 percent from 2018 to 2019.  What’s even more troubling is that of those attacked, 57 percent of organizations settled and paid the ransom during the last 12 months.

Although the most common source of ransomware infection remains an organization’s computer systems, IoT devices are also vulnerable as the infection can spread quite quickly across the organization, especially when the network is not properly segmented.  Later in this blog post, we will examine a real-world example within a large hospital system in Europe and what they did when they discovered that their ultrasound devices were infected with WannaCry.

With IoT, ransomware can have devastating effects. In addition to impacting the data within the devices, ransomware can render the physical functions of that device inaccessible until the ransom is paid.

WannaCry – the most infamous form of ransomware – and it’s not over yet!

Of all the types of ransomware out there, the one people are most familiar with is WannaCry.  According to Wikipedia, WannaCry is estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.

Although WannaCry was first detected in May of 2017, according to Safety Detectives, three years later, in 2020, it still represents nearly half of all reported ransomware incidents in the US alone. 

Some important facts related to WannaCry:

• WannaCry, as well as other forms of malware/ransomware, leverage a well-known exploit named EternalBlue,
• EternalBlue exploits a vulnerability in the Window’s Server Message Block version 1 (SMB v1) protocol, which allows the malware to spread to all unpatched Windows systems from XP to 2016 on any network that has this protocol enabled.
• This vulnerability allows remote code execution.
• Ironically, the patch needed to prevent WannaCry infections was actually available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to prevent infection via EternalBlue.
• There is a kill switch domain that thankfully prevents WannaCry from encrypting files – essentially shutting it down.  This has significantly reduced the impact of this ransomware.  This kill switch, however, doesn’t help devices WannaCry has already infected and locked down.  And without directly patching the Microsoft Operating System, the EternalBlue exploit will remain, posing a significant attack vector.
• All EternalBlue-based malware (including WannaCry) exploits the same Windows vulnerability, so the fact that these attacks are still increasing three years later suggests that plenty of unpatched Windows systems are still out there.

If you have been a victim of a ransomware attack in the past, it is important to pay attention to any unattended devices.For example, hospitals and other organizations, who have had their computer systems impacted by the multiple rounds of WannaCry outbreaks, need to confirm that any medical devices (especially those running old versions of MS Windows Operating Systems) haven’t also been infected.

Real-world scenario of medical device infection with WannaCry and the innovative solution found.

In 2019, a European hospital system had a serious WannaCry infection in their network.  Unfortunately, some medical imaging (or DICOM) devices were also affected since they were running old versions of MS Windows operating system. These devices couldn’t be patched without breaking the device manufacturer’s warranty and, due to the expense of these devices, couldn’t easily be replaced. 

Enter Defender for IoT

This European hospital system decided to do a Proof of Concept with Extreme’s Defender for IoT.  Defender for IoT provides in-line protection and segmentation of vulnerable devices.  The hospital wanted to see if it might be able to help solve its suspected malware/ ransomware issue.

Step 1:  Confirm the existence of the infection on the imaging machines.  The hospital selected one of the suspicious DICOM devices, specifically an ultrasound in the maternity section of the hospital.  The danger with this device being infected is that some of the images and reports could be stolen and held for ransom, or worse, the device could be taken control of and rendered unusable.

• Using the Defender for IoT solution, a traffic capture was performed on the ultrasound.  A significant number of flows from the ultrasound to the network, using SMB Over TCP (port 445), were found.  Since this is the preferred port and known exploit for EternalBlue/WannaCry, it confirmed that the machine was infected.
• To investigate the ultrasound further, an Nmap security scanner was used to check all opened ports and scan for vulnerabilities.  This showed many open UDP/TCP ports that shouldn’t have been, indicating that the Windows device was not hardened at all, and could enable the spread of the infection to other unpatched operating systems vulnerable to the EternalBlue exploit.

Step 2:   Confirm the ultrasound device could function safely while being infected with Defender for IoT.  Since the ultrasound device cannot be patched or upgraded, the infection will remain.  However, by using Defender for IoT, the infection can be contained within the ultrasound device preventing propagation through the network.

What the hospital did: 

• Used Defender for IoT to apply policies to the ultrasound device to ensure that no UDP/TCP ports are opened EXCEPT those explicitly allowed by the imaging staff & IT Managers. Defender for IoT was deployed as an overlay to their existing third-party network, allowing the hospital to implement it quickly and easily.
• Segmented the imaging machines within their own secure encrypted network segment that runs over the hospitals existing 3^rd party network isolating it from the rest of the IT network.
• NO future attacks or vulnerabilities via the EternalBlue exploit are expected to affect this ultrasound device in the future.

In short, using Defender for IoT, this hospital system can continue to use its infected medical devices without worrying about another reinfection of their broader network and without worrying about data corruption or loss of the ultrasound images and files.  Through the combination of applying security profiles and segmenting the devices, Defender for IoT ensured that this hospital could continue to leverage its asset safely and securely.  

New ransomware designed specifically to attack IoT devices? 

Cybersecurity experts all agree that ransomware attacks are only going to accelerate and could represent an increased threat to IoT devices in 2020 and beyond. The recent headline making cyber-attack at Honda illustrates this alarming trend.  Why?

• Honda appears to be the first victim to a family of relatively new file-encrypting ransomware called EKANS or SNAKE, which was only discovered in December of 2019.
• Experts are not certain if the attack was targeting the IT network or the Industrial Control Systems themselves.  But the result, was that some of Honda’s manufacturing systems were forced offline. 
• Experts are concerned that this form of ransomware could be used to attack other Industrial Control System across utilities, manufacturing, energy, and critical infrastructure.

Although more information still needs to be gathered on this very high-profile breach as well as this newer form of ransomware, companies that run Industrial Control Systems need to review existing security practices and even perform risk assessments to see where vulnerabilities might exist.  Particularly where some IT/OT convergence has taken place.  Helpful guidance can be found from the US Cybersecurity and Infrastructure Security Agency in their document titled Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies.

In summary

In addition to protecting your computer systems and company data from the threat of a ransomware attack, it is also critical to review and update your current IoT security practices, especially for mission-critical endpoints such as medical devices and industrial control systems. 

Defender for IoT can be an important component of a multi-layer defense strategy for unattended endpoints.  And like the example shown with the European hospital system, it also be used to contain ransomware, malware, and viruses within high-value, infected devices that cannot be patched so that they can continue to be used safely and securely.

For more information:

• Learn more about Extreme’s Defender for IoT solution by watching this demo video
• Ransomware: Listen to this on-demand webinar hosted by Data Equipment AS and presented by Extreme’s Distinguished Engineer, Ed Koehler
• IoT Security:  Listen to this on-demand webinar hosted by Data Equipment AS and presented by Extreme’s Distinguished Engineer, Ed Koehler
• Segmentation:  Register and listen to this on-demand webinar with IDG on “Rethinking the Network and Security in the Era of IoT and COVID-19”