Threat Watch

IoT Ransomware Proof-of-Concept Highlights Often Overlooked Vulnerable Devices

Researchers at Forescout’s Vedere Labs developed a proof-of-concept (PoC) Internet of Things (IoT) ransomware framework that simulates an attacker leveraging an exposed IoT device to gain access to an IT network and then pivoting to take down OT devices. Vedere Labs conducted the research in response to recent trends among ransomware groups and published a 29-page report detailing their methodology and recommended defenses against attacks like this.

In the PoC, the researchers use R4IoT (Ransomware for Internet of Things), a framework they developed to interact with IoT, IT, and OT assets, to initially compromise an exposed IP camera (the IoT device). From there, they discover vulnerable Windows machines (IT devices) and pivot into one of them. The attacker can then exfiltrate data and deploy a crypto miner or ransomware. They then scan the network for vulnerable Operational Technology (OT) devices, find a Programmable Logic Controller with a known vulnerability, and leverage that to shut down the lights and HVAC.

The individual attacks showcased in R4IoT are not new, but the attack framework is novel for combining IoT, IT, and OT attacks under one umbrella. The framework simply follows the trend of ransomware groups, especially politically motivated ones, becoming more aggressive in their extortion, through to its logical conclusion: holding companies’ building automation infrastructure and other OT systems hostage. Companies can expect attacks to become increasingly damaging as these groups escalate their efforts to extort ransoms successfully.

As IoT devices become more commonplace, vendors are making them easier to use out of the box, and therefore more easily accessible to both authorized and unauthorized users. Companies should explore a separate network segment for IoT devices with strict access control, allowing only the bare minimum of required connections. To determine that minimum, companies can log all connections to and from a sample device, create firewall rules allowing those connections and denying all others, and then deny the allowed connections one at a time to see which ones break the device's functionality. These recommendations also apply to OT devices, especially ones that are exposed to the internet.
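The allow-list procedure above can be made repeatable with a small script. The following is an added example, not code from the Vedere Labs report or from Forescout: it assumes a constructed, simplified connection-log format (one flow per line with a direction, protocol, local and remote endpoints), collapses the observed traffic of one camera into distinct flows, renders an nftables forward chain with a default-drop policy and one accept rule per flow, and then produces one trial ruleset per flow with that single flow denied for the "deny one at a time" step. The device address, table name and sample log lines are all constructed; a real deployment would feed it flows from its own firewall or flow collector.

```python
"""Derive a least-privilege allow-list for an IoT device from observed connections.

Added example (not from the Forescout/Vedere Labs report). Assumes a constructed
log format: one flow per line, "timestamp dir proto local_ip:port remote_ip:port"
where dir is OUT (device-initiated) or IN (connection to the device). Real logs
would need their own parser producing the same fields.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: traffic observed from one IP camera at 10.50.0.20.
DEVICE_IP = "10.50.0.20"
SAMPLE_LOG = """\
2022-06-01T08:00:01 OUT udp 10.50.0.20:5353 10.50.0.1:53
2022-06-01T08:00:02 OUT udp 10.50.0.20:123 10.50.0.1:123
2022-06-01T08:00:05 OUT tcp 10.50.0.20:41022 10.50.1.10:554
2022-06-01T08:00:05 OUT tcp 10.50.0.20:41023 10.50.1.10:554
2022-06-01T09:12:44 IN  tcp 10.50.0.20:80 10.50.2.5:51202
2022-06-01T09:13:01 IN  tcp 10.50.0.20:80 10.50.2.5:51210
2022-06-02T03:00:00 OUT tcp 10.50.0.20:49230 203.0.113.9:443
"""


@dataclass(frozen=True, order=True)
class Flow:
    direction: str   # "IN" or "OUT" relative to the device
    proto: str       # "tcp" or "udp"
    remote_ip: str   # the peer the device talks to
    port: int        # the stable service port of the flow


def parse_flows(log_text):
    """Collapse log lines into distinct flows, counting how often each was seen.

    For OUT flows the service port is the remote port; for IN flows it is the
    device's own local port, since the peer uses an ephemeral source port.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, direction, proto, local, remote = line.split()
        _, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        port = int(remote_port) if direction == "OUT" else int(local_port)
        counts[Flow(direction, proto, remote_ip, port)] += 1
    return counts


def nft_rule(device_ip, flow):
    """Render one nftables accept rule for a flow."""
    if flow.direction == "OUT":
        return (f"ip saddr {device_ip} ip daddr {flow.remote_ip} "
                f"{flow.proto} dport {flow.port} accept")
    return (f"ip saddr {flow.remote_ip} ip daddr {device_ip} "
            f"{flow.proto} dport {flow.port} accept")


def build_ruleset(device_ip, flows, disabled=None):
    """Render a forward chain: policy drop, one accept per observed flow.

    `disabled` is the flow under test in the deny-one-at-a-time step; its rule
    is emitted commented out so the ruleset documents what is being denied.
    """
    lines = ["table inet iot_cam {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for flow in sorted(flows):
        rule = nft_rule(device_ip, flow)
        if flow == disabled:
            lines.append("    # under test (denied): " + rule)
        else:
            lines.append("    " + rule)
    lines += ["  }", "}"]
    return "\n".join(lines)


def trial_rulesets(device_ip, flows):
    """One ruleset per observed flow, each with exactly that flow denied."""
    return {flow: build_ruleset(device_ip, flows, disabled=flow) for flow in flows}


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_LOG)
    print(build_ruleset(DEVICE_IP, observed))
    print(f"\n{len(trial_rulesets(DEVICE_IP, observed))} trial rulesets generated")
```

Each trial ruleset is loaded in turn (for example with `nft -f`), the device is exercised, and any flow whose denial breaks functionality is kept in the final allow-list; flows that can be denied without effect are removed. The `ct state established,related accept` line lets return traffic through so that only connection initiations need to be listed.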

For devices that must be accessed from outside company networks, companies should require VPN access, ideally with multi-factor authentication (MFA), to ensure IoT and OT devices are not public-facing.

Companies should also pilot new IoT and OT devices in a proof-of-concept deployment before rolling them out widely, where possible, to determine their attack surface. Choosing the right device can make securing those devices significantly easier.

The report from Vedere Labs includes a full NIST Cybersecurity Framework matrix for the entire attack, which can be used to develop remediations for every step in the process. The matrix is generalized to this type of attack rather than specific to R4IoT, which extends its value.