[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
 
SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices
Hiroki YasuiTakahiro InoueTakayuki SasakiRui TanabeKatsunari YoshiokaTsutomu Matsumoto
Author information
JOURNAL FREE ACCESS

2024 Volume 32 Pages 23-34

Details
Abstract

Ransomware attacks targeting Network Attached Storage (NAS) devices have occurred steadily in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware binaries but failed to reveal its operation and attack infrastructure. In this paper, we propose an attack observation system named SPOT, which uses popular bare metal NAS devices, QNAP, as the honeypot and the malware sandbox to conduct an in-depth analysis of IoT ransomware attacks. During the six-month observation from September 2021 to March 2022, we observed on average, 130 hosts per day accessing from the Internet to compromise the NAS devices. Moreover, we executed 48 ransomware samples downloaded from VirusTotal in the SPOT sandbox. We identified seven remote Onion proxy servers used for C&C connection and successfully observed three samples infecting the NAS device to connect them to the C&C server behind the TOR network. The ransom notes gave two kinds of contact points; instruction web pages and email addresses. Though the email addresses were not reachable, we could access the instruction website. We kept monitoring the website and observed a “30% discount campaign” for ransom payments. We also interacted with the threat actor via online support chat on the website, but we were banned from the channel because we asked about their organization. We observe that the degree of automation in the attack operation is much higher compared to the carefully tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.

Content from these authors
© 2024 by the Information Processing Society of Japan
Previous article Next article
feedback
Top