RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

Table of Contents
1. Executive Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3. Why R4IoT, Why Now?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4. The State of Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.1 Threat Actors’ Motivation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4.2 It’s Not About Encryption, It’s About Extortion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4.3 Anatomy of Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

5. What Future Attacks Could Be Like . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.1 IoT and OT to Gain Initial Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.2 Impact Beyond Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6. Reality Check – The Data Behind the scenes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

7. R4IoT: Creating a Ransomware in a Lab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

7.1 Lab Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

7.2 Attack Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

7.2.1 Initial Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

7.2.2 Lateral Movement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7.2.2.1 Lateral Movement via WMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7.2.2.2 Discovery of Domain Controllers, Zerologon, pass the hash. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7.2.2.3 More on lateral movement, dropping R4IoT executables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

7.2.3 Impact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

7.2.3.1 C&C Server/Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

7.2.3.2 Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

7.2.3.3 Cryptocurrency mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

7.2.3.4 IoT/OT impact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

7.3 A Summary of R4IoT TTPs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

8. Stopping the Threat: a Playbook for Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

8.1 Risk Management with the NIST Cybersecurity Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

8.2 Implementing Policies with a Zero Trust Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

8.3 Further Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

9. Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

VEDERE LABS 2
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

1. Executive Summary
In this report, Vedere Labs demonstrates R4IoT: a data exfiltration and denials of service, major gangs
proof of concept for next-generation ransomware such as Conti and ALPHV have been focusing on
that exploits IoT devices for initial access, targets IT exploiting network infrastructure devices and increasing
devices to deploy ransomware and cryptominers, the sophistication of their ransomware payloads.
and leverages poor OT security practices to cause
f The intent of a study like R4IoT is to prepare
physical disruption to business operations.
businesses and cybersecurity at large to deal
f The need for a study like R4IoT emerged from the with an inevitable increase in sophistication
observation of an increase of the number and diversity and scope of traditional ransomware by:
of IoT, IoMT and OT devices connected to standard
f providing a step-by-step demonstration of how
corporate IT networks. Such devices increase the risk
posture in nearly every business that has to now deal IoT and OT exploits can be combined with a
with the growth of IoT in corporate networks, IT/OT “traditional” ransomware campaign, and
convergence and the rise of supply chain vulnerabilities.
f providing a playbook for mitigating this emerging

f R4IoT is the results of Vedere Labs’ continuous analysis type of attack by relying on complete visibility and
of how ransomware gangs have been evolving in past enhanced control of all the assets in a network.
years. Besides adding new layers of extortion, such as
f A video showing R4IoT in action can be found here.

2. Introduction
In 2021, the cybersecurity community saw many f Also in May, JBS Foods was attacked by another
instances of devastating cyberattacks that led ransomware gang, REvil, and forced to shut down
organizations to lose huge amounts of money or to its facilities in several countries before paying
temporarily halt their operations. Among them: $11 million to recover access to its systems.

f In February, Oldsmar water treatment plant employees f In July, Iran Railways had to shut down its train
noticed that sodium hydroxide levels were rapidly operations due to a hacking group infiltrating an
rising on their computer screens. Someone accessed IT system and spreading malware. Iran has not been
the treatment system using the remote connectivity forthcoming about the details of this attack, leading
tool TeamViewer, but employees thwarted the attacker security researchers to form their own hypotheses.
from moving laterally into other IT infrastructure.
f Also in July, malicious actors combined a supply chain
f In May, Colonial Pipeline was hit by a ransomware attack vector with a ransomware payload in the Kaseya
attack that caused a gas crisis. The attackers, known VSA incident. REvil, the same group that previously
as Darkside, gained access through a VPN that did attacked JBS, was able to use the Kaseya remote
not require multifactor authentication. Although management tool (VSA) to infect managed service
Darkside took control of Colonial Pipeline’s IT systems, providers and their customers with ransomware. In total,
once Colonial Pipeline knew its IT operations were more than 1500 organizations were hit simultaneously.
affected, the company chose to proactively take its OT
systems offline to prevent the attack from spreading.

VEDERE LABS 3
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

While the Oldsmar and Iran Railways incidents show a public statement on cybersecurity and convened
what individuals or small groups of attackers can a meeting of 30 countries to increase their efforts to
achieve against critical infrastructure operators, the combat cybercrime and ransomware specifically.
Colonial Pipeline, JBS Foods and Kaseya incidents are
part of a growing and alarming trend: large ransomware Successful response to ransomware depends not only on
gangs, often operating a Ransomware-as-a-Service legal and political action but also on equipping organizations
(RaaS) model, crippling the operations of several to be able to defend themselves. In this report, we
types of organizations, often at the same time. demonstrate two things: first, that the evolution of the
ransomware threat landscape is far from over because
Ransomware was without a doubt the biggest threat of 2021 attackers still have a large attack surface to explore, and
for most organizations. This was already a known problem second, that there are ways to mitigate both the likelihood
in previous years, but attackers have been evolving quickly and the impact of attacks on organizations, thus decreasing
and have moved from purely encrypting data until circa the overall risk to which these organizations are exposed.
2019 to exfiltrating data before encryption in 2020 to large
extortion campaigns with several phases in 2021. The trend We explore the current state of ransomware attacks
continued in early-2022 with the emergence of new and very (Section 4) and business networks (Section 6) to discuss
sophisticated ransomware families such as ALPHV and more how ransomware could evolve in the coming years because
attacks by RaaS groups such as Conti, which have even taken of two ongoing trends: (i) the proliferation of IoT devices in
a political position after the Russian invasion of Ukraine. enterprise organizations, and (ii) the convergence of IT and
OT networks. We created a proof-of-concept ransomware
This evolution in attacker methods means that ransomware (Section 7) that exploits the first trend by using exposed
gangs can now cripple the operations of virtually any vulnerable devices, such as an IP camera or a Network
organization. For that reason, the response to ransomware Attached Storage (NAS) as initial access point, and the second
has been gaining momentum. In January 2021, Emotet, trend to hold OT devices hostage, thus adding another
a cybercrime group that develops a malware loader layer of extortion to an attack campaign. Finally, we discuss
frequently used by ransomware gangs, was disrupted in how cybersecurity controls aligned to mature frameworks
a global action coordinated by Europol, while another can be used to detect and stop this attack or, even better,
global action arrested members of REvil in January 2022. prevent it from happening in the first place (Section 8).
In October 2021, United States President Joe Biden issued

3. Why R4IoT, Why Now?

R4IoT novelty resides in the following key contributions. firmware modification on the targeted devices and
works at large-scale on a wide variety of devices
f This is the first and only known work to combine impacted by TCP/IP stack vulnerabilities.
the worlds of IT, OT and IoT ransomware and to
have a full proof of concept from initial access f We discuss future scenarios where the OT impact could
via IoT to lateral movement in the IT network be launched remotely (as in the current case of Ransom
and then impact in the OT network. Beyond just Denial of Service targeting exposed IT systems).
encryption, our proof of concept on IT equipment
f We implemented detection and response actions for the
includes deployment of a cryptominer and data
exfiltration (also known as double extortion). attack that serve as a playbook for organizations looking
to defend against both current and future threats.
f The impact we demonstrate on OT is general
purpose: it is not limited to standard operating
systems (e.g., Linux) or device types (e.g., building
automation), does not require persistence or

VEDERE LABS 4
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

Although R4IoT is unique in its kind, in the past five automation devices. Those works were theoretical
years, other researchers have discussed around the analyses extrapolating from real-world incidents
possibility of ransomware extending to IoT and OT and without actual implementation, but both terms have
they have produced small-scale demonstrations of gained some popularity (e.g., AT&T, Gartner, Sophos).
how such interplay between ransomware and IoT or OT
f In 2020, Brierley et al. published PaperW8, a proof-
devices could work. We list such previous works below.
of-concept ransomware that works on multiple Linux-
f In 2016, Andrew Tierney at PenTestPartners based IoT. The goal of their PoC is to infect devices,
demonstrated a proof of concept to lock a user out display ransom notes on those devices and threaten
of a thermostat until a ransom was paid. This PoC to permanently brick them. The same team published
worked by changing the firmware of the device so the in 2021 another PoC that focused on data-stealing
user could not access its settings, and the attacker ransomware, where the data stolen comes from IoT
could set the temperature to any desired value. devices, such as audio, video and sensor feeds.

f In 2017, Stephen Cobb at ESET coined the term f In 2021, David Nicol analyzed the trend of
“jackware” for ransomware that affects IoT devices ransomware attacks affecting IT systems of
through hijacking. That paper discussed some possible energy delivery organizations and discussed
scenarios for jackware, mostly focusing on the automotive characteristics of OT systems that would make
industry. In 2019, the same researcher coined the term them susceptible to ransomware attacks, such as
“siegeware” for ransomware that affects building embedded web servers and rogue devices.

4. The State of Ransomware

4.1 Threat Actors’ Motivation
Threat Actors are after money. It is safe to say that Although it’s difficult to know exactly how much ransom
ransomware is now a billion-dollar industry, with the market was paid in total, the US Financial Crimes Enforcement
leaders taking in tens of millions of dollars per year. Network investigated 635 suspicious activity reports
related to ransomware just in the first half of 2021. Those
According to the Verizon Data Breach Investigations reports had a total value of $590 million, which was
Report (DBIR) 2021, more than 80% of cyber more than the $416 million investigated in all of 2020.
incidents have a financial motivation and are
perpetrated by organized criminals. Ransomware is Another data source, which relies on tracking blockchain
currently how cyber criminals get their money. transactions related to wallets known to belong to
ransomware gangs, reports more than $44 million
Ransomware is very lucrative, and some of the biggest paid in 2021, with Conti receiving the biggest total
ransom payouts happened in 2021. For instance, Colonial payout at $16 million, REvil coming in second at $12
Pipeline and Brenntag reportedly paid $4.4 million each million and DarkSide coming in third at $9 million.
to DarkSide, whereas JBS paid $11 million to REvil. That
amount does not account for lost revenue, the price of
investigation and response, customer notification, fines and
any other costs incurred beyond the ransom payment.

VEDERE LABS 5
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

4.2 It’s Not About Encryption, f Unleashing distributed denial of service (DDoS) attacks
against their victims during the ransom negotiation
It’s About Extortion period. This method (“triple extortion” or ransom
denial of service) has been gaining popularity,
There is still a big misconception that ransomware means
and companies that routinely monitor DDoS attacks
malware for data encryption. It started like that, but
reported record levels of attacks in 2021.
ransomware is about getting a ransom – extorting victims
via cyberattacks. The goal of ransomware attacks is to f Publicly shaming or harassing their victims by
force organizations to face a dilemma: pay the ransom contacting customers, partners and media
and hope that attackers restore access to systems and outlets to announce the hack and make the
go away, or don’t pay and try to mitigate the effects negotiation public (“quadruple extortion”).
of the attack with internal resources. There are many
ways to force this dilemma currently. Besides encrypting According to Sophos, in 2021 there was a decrease
data, ransomware gangs routinely take other actions to in successful data encryption from 73% to 54% of
gain leverage and force their victims to pay, such as: attacks; nevertheless, there was an increase from
3% to 7% in the number of incidents where data
f Exfiltrating massive amounts of sensitive data was not encrypted but the victim still had to pay a
and threatening to release it publicly. This is ransom because of other extortion techniques.
currently done by almost every ransomware and
has become known as “double extortion.”

4.3 Anatomy of Attacks

There are more than 1,000 different identified Each ransomware group behaves slightly differently,
ransomware variants, with the FBI having stated in using diverse tools, infrastructure and extortion methods.
June that they were tracking more than 100 active However, the tactics and techniques used during attacks
groups, each responsible for at least a dozen attacks. are very similar. Figure 1 presents a high-level anatomy
of a ransomware attack divided into three steps.

Figure 1 – High-level Anatomy of a Ransomware Attack

Initial Access: Threat actors gain unauthorized access Vulnerabilities in perimeter devices/services, such as VPN
to systems either by exploiting local or remote software and cloud-based applications, have become particularly
vulnerabilities (e.g., buffer overflows or command popular for initial access. Local vulnerabilities are usually
injection) or by leveraging credential-based attacks (e.g., exploited by phishing users into running malicious code,
brute forcing, password spraying, credential stuffing). which is still the most common form of compromise.

VEDERE LABS 6
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

f Lateral Movement: Once inside a compromised organization to recover their data is usually lower than
network, ransomware threat actors have three types the initially demanded payment, which happens after a
of tools at their disposal: common exploit/pentesting negotiation period that can take dozens of turns.
frameworks (such as CobaltStrike and Mimikatz),
bespoke hacking tools (which are increasingly less Those steps are often not all performed by the same group.
popular) and internal Windows tools (such as RDP, WMIC, Two very common trends today are ransomware as a service
net, ping and PowerShell). The use of internal tools is (RaaS) and initial access brokers (IABs). In the RaaS model,
known as “Living-Off-The-Land” and is currently the most one group develops the ransomware encryptor and then
common (because they are usually already available distributes it to affiliates, who use it after they have gained
and harder to detect as malicious). RDP, for instance, access to an organization and who then share the received
was used in 90% of attacks in 2021, in 28% of attacks payments with the original developers. IABs are groups
it was used both internally and externally (i.e., for initial that sell initial access to networks, typically in the form of
access), and in 41% it was used only internally (i.e., for valid credentials (obtained via phishing or data leaks) or
lateral movement). These tools are used to scan the compromised machines via malware, such as Hancitor,
network (net, ping), obtain credentials (Mimikatz), disable IcedID, Qbot and Trickbot. Yet other parts of the criminal
security tools such as antivirus and firewalls, move underground may enter the picture, such as bulletproof
from one machine to another (RDP, WMIC) and connect hosting services, which provide hosting for malware
to a C2 server (CobaltStrike) to receive instructions. distribution, as well as command and control servers.

f Impact: Once several machines have been infected, the The steps taken by attackers can be more granularly
attackers can exfiltrate collected data to the C2 or other categorized into common Tactics, Techniques, and
servers and encrypt the files directly on local machines or Procedures (TTPs), for which there is a common
over the network (using SMB shares). The attackers then framework called MITRE ATT&CK. When looking
leave a text file notifying victims of the attack and giving at five of the most common ransomware groups of
instructions for ransom payment. The amount paid by an 2021 (Conti, DarkSide, Egregor, Maze and Ryuk),
the following TTPs were the most popular.

TACTIC TECHNIQUE
Initial Access T1078 Valid Accounts

Execution T1059.001 - PowerShell

T1071 Application Layer Protocol

Command and Control
T1573 Encrypted Channel (HTTPS)

T1082 System Information Discovery

Discovery
T1057 Process Discovery

Privilege Escalation T1053.005 Scheduled Task/Job

T1074.001 Data Staged: Local Data Staging

Collection
T1560 Archive Collected Data

Exfiltration T1041 Exfiltration Over C2 Channel (HTTPS)

Impact T1486 Data Encrypted for Impact

In March 2022, Vedere Labs released a threat briefing that discussion points immediately stood out to us: how IoT
analyzed leaked chats and documents of Conti. In these devices are a major initial attack surface. They specifically
chats and documents, the group explains some of its TTPs in mention how specialized hardware such as printers, routers
more details, such as how VPN and RDP are recommended and PLCs are often left unpatched and are not treated
as ideal backdoors, and how Active Directory Domain by defenders as a major risk. They also discuss in their
Controllers are primary targets for persistence. One of the chats how to acquire devices to test specific exploits.

VEDERE LABS 7
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

5. What Future Attacks Could Be Like

Based on some trends described in Section 4, such as We deliberately left out a discussion on lateral movement
new extortion techniques and evolving complexity of because this is a “solved” problem from the point of view of
attack campaigns, as well as other parts of the threat attackers with the use of commoditized exploit/pentest tools
landscape that we will describe below, we discuss and “living off the land” as discussed in the previous section.
what the future of ransomware could look like from
two points of view: initial access and impact.

5.1 IoT and OT to Gain Initial Access

Ransomware groups could soon directly be using examples of IoT botnets used in ransom DDoS attacks
IoT and OT devices as entry points, or initial access and containing messages from known ransomware gangs.
brokers could be ready to acquire exploits and sell 2. Exploits for IoT devices are frequently negotiated in
access to millions of those devices to other actors. darknet markets, and other threat actors are starting
This is because of the following reasons. to notice the potential of these devices. For instance,
Lemon Duck is a Monero cryptomining botnet that
1. Phishing is very effective but still depends on
uses IoT devices as entry points to infect computers.
human interaction. Vulnerabilities on IT perimeter
The Conti ransomware group targets devices, such
devices and applications are being routinely exploited
as routers, cameras and NAS with exposed web
automatically, but they tend to be patched fast because
interfaces, to move internally in affected organizations,
of the immediate risk they expose. On the other hand,
variants of the Trickbot malware use routers as a proxy
a growing number of IoT and OT devices connected to
to contact Command & Control servers.Finally, the
enterprise networks and actively exploited could provide
Cyclops Blink malware (linked to the state-sponsored
valuable entry points for attackers because they are
Sandworm group) exploits routers for initial access.
harder to patch and manage. IoT devices are currently
compromised primarily to become part of large botnets 3. Some major breaches are already believed to be tied
that execute DDoS attacks, which started with Mirai to exposed IoT or OT devices. During the cyberattacks
back in 2016 and has evolved toward modern malware against the Israeli water sector in 2020, the attackers
such as Mozi and Gafgyt. These malware use either supposedly got access to PLCs via routers that exposed
default and weak credentials or unpatched vulnerabilities them to the internet. A similar case are internet-facing
to gain remote control of devices such as IP cameras, RTUs or gateways and converters. It’s more likely that
Network Video Recorders (NVRs) and routers. Modern these devices are exposed to the internet than PLCs
examples such as BotenaGo pack more than 30 exploits directly, in the case that asset owners don’t use a private
for several types of devices. Botnet operators could WAN for their geographically distributed infrastructure.
leverage the initial access provided by IoT devices These devices are increasingly Linux-based and, in many
to either deploy ransomware themselves or sell the cases, are riddled with known vulnerabilities or default
access to ransomware affiliates. There are already credentials that would allow for initial attacker access.

VEDERE LABS 8
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

5.2 Impact Beyond Encryption

All the forms of extortion mentioned in Section 4.2 work both in the same campaign, such that critical devices are
very well for attackers, but as defenders increase their impacted by ransomware and less critical devices run
capabilities (from incident response to backups and unnoticed, cryptominers would give attackers another
even cyber insurance), attackers must come up with assurance that they will get a return on their investment.
new types of impact to continue to get their payouts. Otherwise, ransom groups could use cryptominers as a
decoy while implanting encryptors, similar to what other
Ransomware was initially about denying access to files Advanced Persistent Threats (APTs) have done.
via encryption, but other forms of denial of service could
become part of attack campaigns, such as Telephony Another trend is the rise of attacks targeting operational
Denial of Service (TDoS), where attackers flood VoIP technology, particularly internet-exposed devices,
systems to deny communication, and siegeware, where and leading to loss of availability. Recent examples
attackers take building automation devices hostage include threat actors targeting UPS devices via weak
(which happened in real incidents in 2021). credentials and EV charging stations. Impacting OT
field devices could add another layer to extortion
IoT devices could also be leveraged in other ways. campaigns focusing on critical infrastructure targets.
For instance, hacktivists recently spammed several
internet-connected receipt printers with “antiwork” One thing that ties together both the initial access and impact
messages. Sending ransom notes via the same possibilities brought by embedded IoT and OT devices is the
printers and preventing them from being used for increasing number of supply chain vulnerabilities affecting
business operations would be an effective way to millions of these devices at the same time. Examples include
leverage those devices as part of a ransomware. Project Memoria affecting TCP/IP stacks, BadAlloc affecting
RTOSes, Access:7 affecting a popular IoT management
Cryptomining networks that hijack many computers platform and vulnerabilities in the busybox application used
to mine for cryptocurrencies is a rising trend and less by many Linux devices. Exploiting supply chain vulnerabilities
noticeable and risky for attackers than ransomware; could allow attackers to greatly amplify the effect of attacks
there have been many arrests related to ransomware that were previously specific to some types of devices.
but far fewer because of cryptomining. But combining

TECHNICAL NOTE: OT-SPECIFIC IMPACT CONSIDERATIONS

The predictions about initial access and impact above apply to methods and controller payloads to have big impact in many
organizations in any industry since the growth in the use of IoT environments. They could rely on firmware or logic downloads
and OT is not restricted to a specific sector. However, we would on the controller to drop a payload that disables engineering
also like to add some considerations about future initial access interfaces (so no further updates are possible) and starts a
and impact for OT environments. countdown on a logic bomb. This could be very simple like just
strobe toggling all the inputs/outputs when it goes off (which
It is simple to lock out and extort victims for Purdue Level 2 and requires no process comprehension).
above because those are regular Windows/Linux machines,
but doing the same for PLCs is more complex. There has Notifying the extorted victim that it has some time before the
been prior academic work targeting specific PLCs by changing logic bombs go off in all its controllers puts pressure on paying
their configurations, however the implementation differs a the ransom. This is scalable since the attacker must only figure
lot between models/vendors and requires attackers to know out ways to get code execution on the controllers for each major
what specific devices their victims run. Ransomware as a DCS once and then port the payload for each of them.
service needs to exploit economies of scale with minimal need
for finetuning by affiliates. To build a threat that extorts OT It’s a one-time attacker investment for few major parties (e.g.,
environments at scale, attackers need to figure out a way to be ABB 800xA, Siemens PCS7, Emerson DeltaV and GE Mark VIe)
able to ‘lock’ many different environments. that are used all over the world. Many of their controllers run
on well-known RTOSes like QNX (Emerson, GE) and VxWorks
One option is to use network-level denials of service like we (800xA) or have otherwise well-understood internals (PCS7).
explore on the rest of this report (see Section 7.2.3). Another That way attackers don’t have to port their malware to
option is to focus on homogenous, high-impact environments thousands of PLCs but can take a ‘big game hunting’ approach
like distributed control systems (DCS). Here the attacker has a where they list companies known to use specific DCSs and
guarantee that all the controllers in a victim are of a particular target them directly with the guarantee that all controllers their
vendor, so they only need to develop a limited amount of access controllers will be affected.

VEDERE LABS 9
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

6. Reality Check – The Data Behind the Scenes

To show that the predictions in Section 5 are realistic, information about 18 million devices from more than
we analyzed data from Forescout Device Cloud, one of 1,400 global customers. Real-time visualizations of the
the world’s largest repositories of connected enterprise data presented in this section are available online as part
device data —including IT, OT and IoT device data — with of Vedere Labs’ Global Cyber Intelligence Dashboard.
a number of devices that grows daily. The anonymous
data comes from Forescout customer deployments Figure 2 and Figure 3 show a breakdown of our data that
and, at the time of this report’s publication, contains allows us to make some interesting observations.

Figure 2 - Vedere Labs Global Cyber Intelligence Dashboard

Figure 3 - Weakest Points on IT and IoT/IoMT/OT Devices

VEDERE LABS 10
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

1. IoT, IoMT and OT devices combined represent 44% 6. Healthcare is the most affected vertical, with more than
of the total devices in enterprise networks. This 100 thousand devices impacted by Project Memoria.
means that ransomware threat actors focusing Among the most common OT/IoT devices are PLCs,
only on IT equipment are missing almost half of building automation controllers and infusion pumps. As
the available attack surface on organizations. we have described in previous research, healthcare
organizations are great targets for attackers, partly
2. Surveillance equipment, such as IP cameras
because of the diversity of their device ecosystems.
and NVRs, represent 40% of these devices.
This means that attackers focusing on IP 7. Our data shows more than half a million devices
cameras are sure to find popular targets. using the default VLAN1, meaning that segmentation
is frequently not implemented. Network segmentation
3. Two vendors – Axis and Hikvision – account for 77% of the
is a fundamental measure to limit the attack surface
IP cameras in these networks. Axis cameras alone account
in any network. Segmentation is often achieved by a
for 39% of the ones observed. Models from both vendors
combination of different techniques at Layer 2 and Layer
have multiple known code execution vulnerabilities.
3, including deploying VLANs, subnetting, ACLs and
This means that weaponizing IP camera exploits
firewalling. There are several important reasons why
as a reusable point of entry to many organizations
user devices should not be left on the default VLAN –
(exactly what initial access brokers do) is feasible.
VLAN1 contains control plane traffic which a malicious
4. Based on the data in Figure 3, of the 4.15 million device can tamper with to cause disastrous consequences,
devices running Windows OS in our dataset, more than such as deletion of a VLAN database, performing VLAN
60% have an open WMI port (135/TCP), while roughly hopping attacks and changing the root bridge, among
35% have a RDP port (3389/TCP) open. This means others. While examining the VLANs with most IoT/OT
that “living off the land” using common Windows devices, we noticed several VLANs containing a mix
tools is feasible in enterprise organizations. of IT and IoT/OT (i.e., IP cameras, building automation
5. There are more than half a million devices running equipment and point-of-care diagnostic systems sit
TCP/IP stacks vulnerable to Project Memoria, together with Windows workstations). Secure network
spread out across organizations in almost every segmentation should consider the context and purpose
industry vertical. This means that exploiting of devices rather than segmenting based on location,
these devices with similar and simple denial of floor or department. Mixing IP cameras and diagnostic
service attacks grants to attackers the possibility systems – or other business-critical devices – in the
of disrupting many types of organizations. same VLAN means that there is a path for an attack to
spread from an insecure camera to a critical device.

VEDERE LABS 11
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7. R4IoT: Creating a Ransomware in a Lab

To demonstrate the points discussed so far, we implemented plus encryption on an IT network with an extended
R4IoT in our Vedere Labs locations (Figure 4). R4IoT impact on both IT and OT. In the next subsections, we
is a proof-of-concept malware that combines an IoT describe the technical details behind R4IoT. A summary
entry point and typical ransomware lateral movement of the attack can also be found in this video.

Figure 4 - Vedere Labs Facilities

VEDERE LABS 12
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7.1 Lab Setup

Figure 5 – Lab Network

Figure 5 shows the devices and networks in our f 192.168.1.0/24 and 192.168.3.0/24 – Operational Network
lab, which is a simplified model of an enterprise that holds several IoT and OT devices. These devices
organization with the following subnets: can be accessed only from the Corporate Network.

f 192.168.85.0/24 – External Network (not shown in the Our hypothetical organization consists of
Figure) – a local network that simulates the external the following devices and machines:
network. We have chosen to use this network instead
of the real Internet for security considerations. 1. Axis M2025-LE camera, vulnerable to CVE-2018-
10660, CVE-2018-10661, CVE-2020-10662 and
f 192.168.4.0/24 – Corporate Network with Windows Zyxel NAS 326 vulnerable to CVE-2020-9054. These
workstations. This is an internal network that is are the only devices directly exposed to inbound
connected to other internal networks (see below). connections from the External Network.
This network has limited connections to the External 2. ADDC Windows server – Windows Active Directory
Network (managed by the Windows firewall): no devices Domain Controller (ADDC) machine deployed in the
from the “internet” can reach machines in the Corporate Corporate Network. This machine is not exposed
Network. Hosts in this network rely on Windows to inbound traffic from the External Network and
remote administration capabilities (such as WMI). is vulnerable to CVE-2020-1472 (Zerologon).
f 192.168.2.0/24 – IoT network with IoT devices connected 3. Victim1 and Victim2 are Windows 10 machines
to the Corporate Network. One of the devices (Axis that are part of the domain controlled by the ADDC
M2025-LE camera) is misconfigured in such a way (Corporate Network). Victim1 is used by the security
that it can be accessed from the External Network. personnel to access the video feed provided by the
This is a realistic scenario, as we see many IP cameras Axis. Finally, this machine has an RDP port enabled with
exposed directly over the internet (e.g., Shodan weak credentials. Inbound traffic from the External
queries or incidents such as the Hikvision hack). Network is not allowed for Victim1 and Victim2.

VEDERE LABS 13
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

4. Attacker’s machine (Figure 6) – a machine that the is used as a Command & Control server for R4IoT
attacker uses for Initial Access and initial Lateral executables deployed at Victim1 and Victim2.
Movement. Initially, this machine can only access Axis, 6. WAGO PLC1, WAGO PLC2, WAGO PLC3 and
as Victim1, Victim2 and ADDC rely on Windows Firewall NEC IP Phone – several OT/IoT devices within
to restrict connections to the External Network. the Operational Network(s). These devices are
5. C&C Server (Figure 6) – another attacker-controlled affected by the NUCLEUS:13 vulnerabilities
machine in the External Network. This machine (found within Project Memoria).

7.2 Attack Details

Figure 6 illustrates the various steps the attacker takes to
execute R4IoT, which are detailed in Sections 7.2.1 to 7.2.3.

Figure 6 – Attack Overview

7.2.1 Initial Access

Attacker uses the Axis M2025-LE camera as the entry However, the Axis camera in our lab is affected by
point into the Corporate Network. Initially, the access critical vulnerabilities. Attacker achieves remote
to the web interface of the camera (which also contains command execution and takes over the camera
administrative settings) is password protected. In the past, by exploiting the following vulnerabilities:
we have seen wide usage of known default credentials
f CVE-2018-10661: Authorization bypass vulnerability.
for gaining access to internet-facing web cameras. In our
scenario, we assume that the default password has been Anyone can send unauthenticated HTTP requests that
changed and the new password is unknown to Attacker. reach .srv files of the Apache Tomcat webserver running
on the camera. Such requests are, in turn, forwarded to
the /bin/ssid process that runs with root privileges.

VEDERE LABS 14
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

f CVE-2018-10662: Attackers can access the interface to the camera to monitor the video feed. Netstat is a
that allows unrestricted dbus messages. This host-based utility that shows active connections to the
interface is reachable from /bin/ssid’s .srv files. host where it runs without firing “noisy” network scans.

f CVE-2018-10660: Shell command injection vulnerability f If a connected Windows machine is found, scan
into one of the service interfaces of dbus. it for the Windows RDP service via a single HTTP
request with curl to port 3389. If the port is open,
Attacker performs the following actions, which it is assumed that the RDP service is available.
are fully automated, on the Axis camera:
f Obtain valid RDP credentials using a dictionary
f Originally, the root ‘/’ directory is mounted in the read- attack against accounts with high privileges (a
only mode (RO). This limits the amount of non-volatile custom tool developed by Attacker is used) 1.
disk space available to Attacker to only a few megabytes.
Therefore, ‘/’ is re-mounted in the read-and-write (RW) f If successful, create an SSH tunnel between the
mode, allowing uploads of large files and keeping them attacker machine and the RDP machine (Victim1, as per
on the disk. Figure 6), making the camera act as a proxy server.

f Start a local web server (Attacker’s machine) to upload f Mount a folder from the attacker’s machine
files to the camera. These files include the busybox to the RDP machine (Victim1) for dropping the
utility, and Attacker-developed scripts and binaries. R4IoT executables and auxiliary files.

f By default, SSH connections to Axis are disabled. Once having RDP access to Victim1, Attacker manually
Therefore, Attacker enables sshd and creates a new user disables the Windows Firewall and any antivirus or defense
with root privileges (so that if something goes wrong, software. Then, they copy the R4IoT executables and
Attacker may still retain control over the camera). auxiliary files to Victim1 and run the lateral movement
executable. Figure 7 shows a screenshot from the Attacker’s
f Find active network connections from hosts of the machine: the Initial Access executable has been successfully
Corporate Network to Axis (using netstat). Attacker executed and the Attacker can start deploying R4IoT.
assumes that there will be a Windows machine connected

Figure 7 – Initial Access from Axis to Victim1

1
We want to land on a user account that allows us to disable endpoint security tools on the Victim1 machine and to initiate connections
towards a domain controller. We do not try to detect user privileges automatically because the Attacker will interact the Victim1 machine
and deduce that.

VEDERE LABS 15
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

To further illustrate how IoT devices can be used We used a Zyxel network-attached storage (NAS)
for initial access in ransomware operations, we device (Zyxel NAS326) that runs embedded Linux on
have explored an alternative scenario, in which, an ARM processor. The device is affected by CVE-
instead of the Axis camera, the attacker finds 2020-9054, a pre-authentication command injection
another IoT device exposed to a public network. vulnerability, which may allow a remote, unauthenticated
attacker to execute arbitrary code on the device.

Figure 8 – Pseudocode of the “executer_su” Main Function

We have discovered that remote commands launched Figure 8 illustrates that the “executer_su” binary is owned by
via CVE-2020-9054 are executed with the same privileges the root user. It also shows that the binary is just a wrapper
as the webserver’s user “nobody”. It is a special Linux around the “execv()” call that executes any command, and it
user that does not own any files and has no special also contains a call “setuid(0)”, which sets the effective user
privileges. However, the vulnerability description mentions ID of the calling process to the owner of the binary (root).
the “setuid utility”, which can be used for privilege
escalation. By analyzing the firmware files, we found Considering the above, we have modified the original
the “executor_su” binary that is common to various IoT exploit for CVE-2020-9054 to execute remote commands
devices and is commonly used for privilege escalation. through the “executer_su” binary, but the rest of the
(We have seen some evidence suggesting that Mukashi, attack is performed exactly as with the Axis camera.
the newer version of the Mirai malware, used the
same technique for weaponizing this vulnerability.)

VEDERE LABS 16
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7.2.2 Lateral Movement

The R4IoT lateral movement executable will identify Domain subscribed to it. Next, it will resolve these names to IP
Controllers (DCs) in the network and attack them with addresses, search for the Administrator account’s password
an exploit for CVE-2020-1472 (Zerologon). After attacking hash and use it to disable Windows Firewall and Windows
a vulnerable DC, it will dump the LSA hashes from the Defender in every domain-subscribed host through WMI.
compromised DC and the account names of machines

7.2.2.1 Lateral movement via WMI

Understanding WMI is crucial to get insights about the inner (CIM) classes and their providers. Windows exposes
workings of R4IoT. WMI stands for “Windows Management a set of core CIM classes that can be used out of the
Instrumentation” and is used as the infrastructure to box to manage the system. (PowerShell is one scripting
manage data and operations on Windows-based operating environment where they can be used.) However, threat
systems. It is heavily used for administrative tasks and is actors are also known to use it heavily for infiltration into
designed for local and remote management. It exposes Windows networks and systems. R4IoT is no different
manageable entities through Common Information Model in this aspect, as it relies on the same techniques.

7.2.2.2 Discovery of Domain Controllers, Zerologon, pass the hash

Once the R4IoT lateral movement executable is Since Victim1 is part of a domain, this machine will
executed on Victim1, it grabs all the instances of have at least two instances of the “Win32_NTDomain”
the class “Win32_NTDomain”, which represents a class, and one of them will contain this set of fields.
Windows domain, and extracts the following fields:
R4IoT is designed to attack more than one Domain Controller.
f DomainControllerName: Computer name In our lab environment, it will attack the only DC we have
for the discovered domain controller with CVE-2020-1472 (Zerologon). After that attack, the target
(example: “WIN-8DS4VJS9R7A”) DC will have a null password associated with the DC machine
account “WIN-8DS4VJS9R7A”, allowing the Attacker to login
f DomainControllerAddress: IP address of the discovered into it with a null password and dump the LSA secrets.
Domain Controller (example: “192.168.4.102”)
We relied on the “secretsdump.py” script of impacket to
f DomainName: Name of the domain dump LSA hashes that eventually contain the NTLM hash of
(example: “VICTIMSNET”) the domain administrator, as well as hashes for the machine
accounts. A typical output of this script is shown on Figure 9.
f DnsForestName: Name of the root of the
DNS tree (example: “victimsnet.hack”)

Figure 9 – Output Example of “secretsdump.py”

VEDERE LABS 17
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

The NTLM hash format is composed of the following: follows the format ‘ACCOUNT_NAME:RELATIVE_ID:NT_
(1) an account name string; (2) a relative ID number; HASH:LM_HASH:::’. In our case, for example, the domain
and (3) a concatenation of the NT and LM hashes. It administrator’s account has the following hash:

In addition to dumping NTLM hashes, “secretsdump.py” part of the domain forest governed by the compromised
extracts Kerberos keys from the DC. Such keys are handy DC. This allows use of the DC server to retrieve the IP
because they contain the machine names, which are addresses of these machines with DNS queries.

7.2.2.3 More on lateral movement, dropping R4IoT executables

The R4IoT lateral movement executable maps the IP the “Set-MpPreference” and “Set-NetFirewallProfile”
addresses of machines to their machine names within commands. Finally, it drops other R4IoT executables
the compromised domain. It uses the NTLM hash of and auxiliary files with the SMB request “SMB_
the administrator’s account and the WMI functionality COM_WRITE_ANDX” and executes the C&C Agent
implemented within impacket to connect to each executable through the WMI CIM class instances
of these machines. Once connected, the executable “Win32_Process” and “Win32_ProcessStartup”.
disables Windows firewall and Windows Defender using

7.2.3 Impact
Apart from the lateral movement executable, f Cryptominer executable – a client for mining
R4IoT includes the following components: a cryptocurrency. Its purpose is to hijack the
computational resources of the victim machine
f C&C Agent executable that reports back to C&C and use them in favor of Attacker.
Server and runs local commands based on instructions
received from C&C Server. This executable is f Memoria executable that will launch DoS
automatically started on every Windows machine attacks against critical IoT/OT assets.
that the lateral movement executable can reach.

VEDERE LABS 18
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7.2.3.1 C&C Server/Agent

We rely on a modified version of the Racketeer toolkit 2 to decrypt files on the infected machine, exfiltrate files and
provide C&C Server/Agent functionalities. Upon receiving launch arbitrary executables with administrative privileges.
a command from C&C Server, C&C Agent can encrypt/

Figure 10 – Racketeer C&C Server

Figure 10 shows that after the lateral movement First, Attacker may choose to exfiltrate data from a
executable is done, there are two victim machines that victim machine. For example, Figure 10 shows that
report back to C&C Server. For example, by using the launching the “attack exfil” command against one
“heartbeat” command, Attacker can retrieve the name of the C&C Agents will enumerate text files on the
of the compromised machine, the process ID of C&C victim and send them to C&C Server. There might be
Agent running on that machine and the name of the sensitive information 3 of interest to Attacker.
user with whose privileges C&C Agent was started.

2
We would like to thank Dimitry Snezhkov for providing this useful toolkit to the community. To learn more, please watch this DEFCON
presentation at https://www.youtube.com/watch?v=VJ8aqReB118 or visit the Github page of the tool at https://github.com/dsnezhkov/
racketeer.

3
For our exercise, we only retrieve text files and send them to an FTP server hosted on C&C Server. This functionality can be further extended
to perform targeted searches for data of interest, as well as to decrease the detectability of data exfiltration.

VEDERE LABS 19
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

Figure 11 – Data Exfiltration

7.2.3.2 Encryption
After the sensitive information has been retrieved, Attacker posted. Upon receiving a corresponding command, C&C
will proceed with encrypting sensitive files and posting a Agent will create hundreds of text files on a desktop of
ransom notice. Figure 12 shows some of the sensitive files every user of the machine. These text files will contain
being encrypted, and Figure 13 shows the ransom notice the same ransom notice with demands of payment.

Figure 12 - Encrypting Sensitive Files

VEDERE LABS 20
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

Figure 13 - Ransom Notice

7.2.3.3 Cryptocurrency mining

Upon receiving a command, the C&C Agent will launch an when started, will attempt to connect to a mining pool
executable for mining the Monero cryptocurrency. We use and perform mining operations. For example, Figure 14
a pre-configured off-the-shelf client called XMRig that, shows a small portion of the traffic generated by XMRig.

Figure 14 - Monero Traffic

VEDERE LABS 21
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7.2.3.4 IoT/OT impact

The Memoria executable can be invoked from C&C Server any physical process controlled by some of the affected
via C&C Agent. The executable will launch a custom network devices (WAGO PLCs) will be interrupted. Figure 15 shows
scanner 4 to identify critical IoT/OT assets in the network the physical effect of the attack against one of such devices in
that may contain critical vulnerabilities 5. After such assets our lab, visible to Attacker: the WAGO PLC on the left crashes
are located, Memoria will launch a Denial-of-Service attack so that the HVAC system on the right stops functioning
against these assets (an exploit for CVE-2021-31886). After immediately, so the fan stops and the lights go off.
the attack, the vulnerable devices will go offline. In addition,

Figure 15 – The Physical Effect of an Exploit of CVE-2021-31886

4
The network scanner is based on: https://github.com/Forescout/project-memoria-detector

5
Our lab has several devices affected by Nucleus:13 (see https://www.forescout.com/research-labs/nucleus-13/).

VEDERE LABS 22
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

7.3 A Summary of R4IoT TTPs

Table 1 shows a summary of the attacker tactics,
techniques and procedures that are part of R4IoT.

STEP TACTIC TECHNIQUE PROCEDURE

Exploit CVE-2018-10660, CVE-2018-10661,

Exploit public-facing
1 Initial Access CVE-2018-10662 for the IP camera Exploit
application
CVE-2020-9054 for the NAS

2 Persistence Create Account Useradd

3 Discovery Remote system discovery Netstat + Curl

Brute Force: Pasword

4 Credential Access Bespoke cracker
Guessing

Remote Services: Remote

5 Lateral Movement RDP with valid account via freerdp and SSH tunneling
Desktop Protocol

Impair Defenses: Disable or

6 Defense Evasion Manually disable Windows Defender
Modify Tools

Impair Defenses: Disable or

7 Defense Evasion Manually disable Windows Firewall
Modify System Firewall

8 Command and Control Ingress Tool Transfer Windows share (SMB through RDP)

9 Discovery Remote system discovery Win32_NTDomain

Exploitation of remote
10 Lateral Movement ZeroLogon (CVE-2020-1472)
services

OS Credential Dumping:
11 Credential Access Secretsdump.py
NTDS

12 Command and Control Ingress Tool Transfer SMB_COM_WRITE_ ANDX (SMB)

13 Execution WMI Win32_Process

14 Command and Control Application Layer Protocol HTTPS

15 Collection Data from Local System File system read

16 Exfiltration Exfiltration over C2 Channel FTP

17 Impact Data Encrypted for Impact Racketeer

18 Impact Resource Hijacking XMRig

19 Discovery Network Service Scanning Project-memoria-detector

20 Impact Endpoint Denial of Service Exploit CVE-2021-31886

Table 1 – A Summary of R4IoT TTPs

VEDERE LABS 23
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

8 Stopping the Threat: a Playbook for

Risk Management
As mentioned in the Introduction, successful risk examine how the NIST Cybersecurity Framework and
management for ransomware (both for current and a Zero Trust Architecture help to protect organizations
future threats) is paramount. In this Section, we against ransomware, using R4IoT as an example.

8.1 Risk Management with the NIST Cybersecurity Framework

The NIST Cybersecurity Framework serves as the f Detection is possible because most tools and
basis for risk management in several organizations, techniques these actors use are well-known. We
especially in critical infrastructure sectors. The already presented the top TTPs in Section 4.3.
framework has five key functions – Identify, Protect,
f Response and Recovery are possible because attacks
Detect, Respond and Recover – which encompass
the whole lifecycle of security management. are not immediate and fully automated. The average
dwell time of ransomware attackers was five days in
There are three important observations from our study 2021. For instance, there are several detailed reports
of the ransomware threat landscape that make mitigation of Conti incidents available online that detail and
of this threat possible across the NIST functions. timestamp the steps taken by attackers over these days.

f Identification and Protection are possible because Table 2 uses the R4IoT TTPs (described in Section 7.3) and
there are hundreds of very similar attacks happening the NIST Cybersecurity Framework key functions to present
simultaneously currently. For instance, Conti was one mitigation steps for complex ransomware threats. We focus
of the most successful ransomware gangs in 2021 on network-based mitigation, so we have removed steps
with more than 400 successful attacks on U.S. and that depend exclusively on endpoint behavior (2, 9, 11, 15,
international organizations. That means it is possible 17) or that represent legitimate network behavior (8, 12).
to identify devices and vulnerabilities being actively
exploited so their protection can be prioritized.

TACTIC AND
# PROCEDURE IDENTIFY PROTECT DETECT RESPOND
TECHNIQUE
Identify vulnerable Detect command
CVE-2018-10660 Patch vulnerable Temporarily
Initial Access – devices injections via protocols
CVE-2018-10661 devices quarantine device in
1 Exploit public-facing such as HTTP
CVE-2018-10662 Monitor inbound and VLAN or disconnect it
application Segment the network to
CVE-2020-9054 outbound traffic from/ Detect breaches of
prevent external access from the network
to vulnerable devices segmentation policies

Allow only the Detect deviations Temporarily

Monitor inbound and
Discovery – Remote minimum necessary of network quarantine device in
3 Netstat + Curl outbound traffic from/
system discovery traffic (e.g., no HTTP communications VLAN or disconnect it
to vulnerable devices
to RDP ports) baseline from the network

Implement policies
Detect deviations
for password strength
of network
and expiration
communications Temporarily
Credential Access Implement Multi-Factor baseline
Identify hosts with quarantine device in
4 – Brute Force: Bespoke Cracker Authentication
weak credentials Detect RDP VLAN or disconnect it
Password Guessing
Segment the network to brute forcing from the network
prevent communication
Detect breaches of
between IoT and
segmentation policies
IT devices

Table 2 – Mitigations for R4IoT TTPs

VEDERE LABS 24
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

TACTIC AND
# PROCEDURE IDENTIFY PROTECT DETECT RESPOND
TECHNIQUE

Restrict RDP con- Detect deviations of

Lateral Move- Identify potential tar- Temporarily quaran-
RDP with Valid Ac- nections only from network communi-
ment – Remote gets (hosts with RDP cations baseline tine device in VLAN
5 count via Freerdp trusted sources either
Services: Remote enabled) with service or disconnect it from
and SSH Tunneling via targeted rules or Detect breaches of
Desktop Protocol and asset inventory the network
segmentation policies segmentation policies

Defense Eva- Enforce compliance

sion – Impair Manually Disable Identify security tools policy: AV should Detect change of AV
6 Enable AV
Defenses: Disable Windows Defender running on hosts be always turned state to disabled
or Modify Tools on and updated

Defense Evasion –
Enforce compliance
Impair Defenses: Manually Disable Identify security tools Detect change of fire-
7 policy: firewall should Enable firewall
Disable or Modify Windows Firewall running on hosts wall state to disabled
be always turned on
System Firewall

Temporarily quaran-
Lateral Movement Patch vulnera-
ZeroLogon (CVE- Identify vulner- ble servers Detect Zerologon tine server in VLAN
10 – Exploitation of
2020-1472) able servers exploitation attempts or disconnect it from
Remote Services Enforce update policy
the network

Restrict WMI con-

Identify potential tar- Temporarily quaran-
nections only from Detect cleartext WMI
gets (hosts with WMI tine device in VLAN
13 Execution – WMI Win32_Process trusted sources either and blacklisted Pow-
enabled) with service or disconnect it from
via targeted rules or erShell commands
and asset inventory the network
segmentation policies

Keep an up-to-date Detect blacklisted Temporarily quaran-

Command and
Monitor HTTPS list of known C&C C&C hosts and HTTPS tine device in VLAN
14 Control – Applica- HTTPS
connections hosts and malicious connections matching or disconnect it from
tion Layer Protocol
JA3 hashes malicious JA3 the network

Keep an up-to-date list Temporarily quaran-

Exfiltration Detect blacklisted
of known C&C hosts tine device in VLAN
16 – Exfiltration FTP Monitor FTP sessions C&C hosts
Disable FTP traffic or disconnect it from
over C2 Channel Detect FTP traffic
when not needed the network

Detect known
malicious processes
Integrate with EDR Keep an up-to-date running on endpoint
Impact – Resource
18 XMRig solution to identify list of known mali- Kill malicious process
Hijacking Detect network traffic
running processes cious processes
related to crypto-
currency mining

Monitor inbound Segment the network Detect network Temporarily quaran-

Discovery – scanning event
Project-memo- and outbound to prevent commu- tine device in VLAN
19 Network Service
ria-detector traffic from/to nication between IT Detect breaches of or disconnect it from
Scanning
vulnerable devices and OT/IoT devices segmentation policies the network

Detect exploitation
Patch devices Temporarily quaran-
attempts (buffer
Impact – Endpoint Identify vulner- Segment the network overflows) tine device in VLAN
20 CVE-2021-31886
Denial of Service able devices to isolate vulnerable or disconnect it from
Detect breaches of
critical devices the network
segmentation policies

Table 2 continued – Mitigations for R4IoT TTPs

VEDERE LABS 25
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

8.2 Implementing Policies with a Zero Trust Architecture

One way of efficiently implementing many of the mitigation Below, we show how we implemented a Zero Trust
steps presented in Table 2 is to use a Zero Trust Architecture. architecture to stop R4IoT in our lab. Our implementation
was done by leveraging Forescout Products, but the
Forrester coined the term Zero Trust in 2010, which became guidelines we discuss below can be generalized.
a NIST standard in 2020 with NIST 800-207 “Zero Trust
Architecture” (ZTA). Zero trust is the modern replacement The strategy was based on two ideas: enforce a restrictive
for perimeter-based security. In perimeter-based security, segmentation policy by default with least privilege rules
the overall idea was that whatever is outside the network is and quarantine non-compliant devices. The general
potentially malicious, whatever is inside is probably benign segmentation rule is to prevent any host from any
and a demilitarized zone (DMZ) keeps the two worlds apart. segment to reach any other host from any other segment.
The idea behind zero trust is radically opposite: never To allow the lab network to function, we have added
implicitly trust any device or communication, even if it is part the following exceptions to the Zero Trust policy:
of the internal network. In ZTA, each device, application and
f Only DHCP and DNS traffic can flow between segments
user should have their own perimeter so very fine-grained
access control policies can be implemented and enforced.
f Only a few trusted hosts can reach IP cameras

There are three key pillars to implementing Zero Trust.

f Only a few trusted hosts can reach OT devices

f Visibility is foundational to resource defense since “you

f IT devices should be able to reach the ADDC server
can’t combat a threat you can’t see or understand.”
Often, device security comes first in practical discussions f Only outbound traffic is allowed from IT
of technical controls, but visibility must extend devices to the external networks
beyond devices to network communications. That is
where controls may detect anomalous behavior. Even if a device is in a trusted segment or group, it
will get banned from the network the moment it is
f Compliance establishes what should or not compliant and will not be allowed back until there
should not be trusted in the network, making is a proof of its compliance.
it possible to act on devices that do not meet a
minimum set of compliance requirements.

f Segmentation is a fundamental control that allows

enforcing Zero Trust by limiting the allowed network
communications of devices. Zero Trust implemented
based on network visibility, compliance rules and via
appropriate network segmentation policies can help stop
the spread of ransomware by limiting attack surfaces.
In this way, only devices that need to be internet-facing
will be accessible, and any lateral movement in the
network becomes more difficult since devices can
only communicate to other devices they should.

VEDERE LABS 26
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

Table 3 illustrates the segments and the segmentation represent unallowed communications. We omitted
policies we have in place. Slate cells represent potential granular rules for other types of devices
allowed communications, whereas orange cells grouping them as ‘Rest’ for the sake of simplicity.

Allowed Communication Unallowed Communication

EXTERNAL
DESTINATION ENTERPRISE BAS
NETWORKS 6

ICS MEDICAL
OT
AD Trusted IP
SOURCE Internet Office Rest admin- Rest
servers NVRs cameras
istration

Internet N/A
NETWORKS
EXTERNAL

Office

Rest

AD
ENTERPRISE

servers

OT admin-
istration

Trusted
NVRs

ICS

MEDICAL

Rest

BAS

IP
cameras

Table 3 – Zero Trust Policy to Stop R4IoT

6
No such segment exists in our setup; we use the name as an abstraction.

VEDERE LABS 27
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

The network layout of the segments and groups is as follows:

SEGMENT TYPE IP ADDRESSES

Internet Group Public IPs

Office Segment 192.168.85.0/24

Enterprise Segment 192.168.4.0/24

ICS Segment 192.168.1.0/24

Medical Segment 192.168.3.0/24

BAS Segment 192.168.2.0/24

IP Cameras Group Based on device fingerprints

AD Servers Segment 192.168.4.102/32

OT Administration Segment 192.168.4.103/32

Trusted NVRs Segment 192.168.4.104/32

8.3 Further Resources

We focused on mitigation against R4IoT as an example in f NIST IR 8374: Cybersecurity Framework Profile
this section, but more information about risk mitigation for Ransomware Risk Management – identifies
for ransomware in general can be found on: the security objectives in the cybersecurity
framework that help prevent, detect, respond
f The No More Ransom Project – an initiative to and recover from ransomware incidents.
by the Dutch police, Europol, Kaspersky and
McAfee to help ransomware victims recover f NIST SP 1800-25: Data Integrity – Identifying
encrypted data without paying the ransom. and Protecting Assets Against Ransomware
and Other Destructive Events
f StopRansomware – a website maintained by CISA
with information, tips, FAQs, an assessment for f NIST SP 1800-26: Data Integrity – Detecting
ransomware readiness and a form to report incidents. and Responding to Ransomware and
Other Destructive Events
f Rising Ransomware Threat To Operational
Technology Assets – a CISA fact sheet with f NIST SP 1800-11: Data Integrity – Recovering from
step-by-step risk mitigation recommendations Ransomware and Other Destructive Events
for operational technology asset owners.

VEDERE LABS 28
RESEARCH REPORT | R4IoT: NEXT-GENERATION RANSOMWARE

9. Conclusion
Ransomware has been the most prevalent threat of
the past few years, and so far, it has mostly leveraged
vulnerabilities in traditional IT equipment to cripple
organizations. But new connectivity trends have
added a number and a diversity of OT and IoT devices
that have increased risk in nearly every business.

We have discussed how attacker evolution, the growth

of the Internet of Things, the IT/OT convergence and the
emergence of widespread supply chain vulnerabilities
point to two future trends for ransomware: IoT as an
entry point and OT as the target of attacks. We have
also demonstrated how we created a malware in our
lab that exploits IoT, OT and IT devices for initial access,
lateral movement and to achieve final objectives that
go beyond the usual encryption and data exfiltration
to cause physical disruption on business operations.

The most important messages of this report are that

IoT and OT exploits are new tools in the attacker’s
arsenal but also that to mitigate this type of attack,
solutions are required that allow for extensive visibility
and enhanced control of all the assets in a network.

www.forescout.com/research-labs/ [email protected]

Learn more at Forescout.com

© 2022 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a
Delaware corporation. A list of our trademarks and patents can be found at https://www.
forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products
or service names may be trademarks or service marks of their respective owners. Version 01_03

29