Jackware: A new type of ransomware could be 10 times as dangerous

Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.

The ransomware crimewave — which has been pummeling businesses, cities, and police departments left and right for the last few years — hit a grim new milestone recently with the first high-profile attacks on U.S. critical infrastructure.

Between the attacks on Colonial Pipeline and JBS, which disrupted nearly half of the East Coast’s gasoline supply for a week and threatened 20% of the U.S. meat market, respectively, consumers are finally experiencing the first physical impacts to their daily lives from cyber attacks.

As bad as these attacks are, they could get a lot worse.

Cybercriminals are constantly evolving, and what is keeping many security professionals up at night is the growing risk of “jackware,” a new type of ransomware that could be 10 times more dangerous because, instead of encrypting Windows computers and servers, it hijacks the actual physical devices and machines that make modern life possible.

It’s only a matter of time before we see these attacks happen.

Attendants direct cars as they line up to fill their gas tanks at a Costco on Tyvola Road in Charlotte, North Carolina on May 11, 2021, after the ransomware attack on Colonial Pipeline forced the company to shut down its entire network. (Photo by Logan Cyrus/AFP via Getty Images)

A few lines of code can disable a machine

Malware is generally thought of as something that only affects computers, but over the last 20 years there has been a boom in the development of tiny computers that add connectivity and “smart” features to every type of machine and device you can imagine.

These tiny computers are known as “embedded devices,” and they now play a key role in critical infrastructure, cars, mass transit, health care, office buildings, and even the home. And just like a desktop computer, embedded devices are also vulnerable to malware.

However, the difference between hacking a computer and hacking an embedded device is that the latter has direct physical consequences.

The reason jackware is so dangerous is that it can shut down these embedded devices, crippling the larger physical machine. That means cyber attacks would lead to even worse disruptions in critical services and supplies than what we’ve seen thus far with ransomware, while also potentially causing permanent physical damage to these systems and even putting people’s lives in danger.

For instance, if malware disrupts an “electronic control unit” (ECU) in a car, it could cause the brakes to malfunction or prevent the engine from starting — effectively “bricking” the car. It could break a million-dollar MRI machine. It could cause a pipeline to shut down for months or trigger a fire or explosion at an electric substation. Subways may not run. Airplanes may not be able to take off. Even buildings can be sabotaged because they rely on automation systems to operate.

Speaker liaison Genevieve Netter is silhouetted against a Black Hat logo during the Black Hat USA 2014 hacker conference in Las Vegas. (REUTERS/Steve Marcus)

Not the first we're hearing of this

The alarm bells have been ringing for a long time on the cyber-sabotage threat of jackware.

The first notable incident of a physical malware attack was the 2010 disruption of Iran’s uranium enrichment program by the Stuxnet worm. This digital attack destroyed centrifuges and revealed the “kinetic” potential of cyber attacks.

Skip ahead to 2015, when security researchers for the first time hijacked the controls of a Jeep Cherokee as it drove on the highway. In December of that same year, and again in December 2016, Russian hackers took down part of Ukraine’s electric grid through cyber warfare.

In 2016, the vulnerable state of IoT devices was widely exposed when the Mirai botnet, logging in with factory-default credentials, took control of roughly 600,000 of these devices.

One year later, in 2017, the first attack by weaponized ransomware (i.e., a wiper dressed up as ransomware, designed to destroy data rather than hold it for ransom) was launched against Ukraine by Russian hackers. The malware, called NotPetya, soon spread around the world, causing damages estimated in the billions of dollars as it disrupted major companies like Maersk, FedEx (FDX), hospitals, and more.

MRI and X-ray machines were widely infected by spyware in 2018 as part of a sophisticated cyber-espionage operation.

Earlier this year, Microsoft (MSFT) issued a warning about a major rise in firmware attacks on companies.

And even more alarming is the recent update to the TrickBot trojan, a popular platform for ransomware hackers. This new module inspects a computer’s BIOS or UEFI firmware for missing write protections, access that could be used to implant persistent malware or remotely brick the device.

Microsoft President Brad Smith testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack that resulted in a series of data breaches within several agencies and departments in the U.S. federal government. (Photo by Drew Angerer/Getty Images)

Four attack scenarios

Just as ransomware is an equal-opportunity malware that will target any company and industry, the same is true of jackware, and the consequences could be devastating.

All major industries are now heavily reliant on embedded devices, as is the consumer market, which is seeing an explosion in IoT devices for the home (IP security cameras, smart door locks, smart appliances, etc.) and health and fitness, as well as a burgeoning wearables market and “connected” cars.

While the most alarming threat we face from jackware is a cyberwar-style attack by a nation-state, which could use this malware to cause far-reaching disruptions and threaten lives, this scenario is not as likely to happen because of the geopolitical consequences. (Although we could see one-off attacks periodically from state-sponsored groups that target specific companies — similar to how Iran destroyed $40 million worth of IT equipment at Las Vegas Sands Corp. (LVS) in 2014 after its CEO criticized the regime.)

Security cameras hang at the German Interior Ministry on March 2, 2018 in Berlin, Germany. Hackers can target anywhere. (Photo by Sean Gallup/Getty Images)

The more realistic scenario is an attack by criminal or politically motivated hacker groups, ranging from traditional ransomware-as-a-service (RaaS) hackers and other organized crime groups to hacktivists and terrorists. These groups could pull off any number of attacks on a variety of industries in the future.

Here are four scenarios that are most likely to happen in the coming years:

1. Crippling a major company

We’ve already seen how disruptive traditional ransomware can be, simply by encrypting front-end office IT systems. However, these attacks would pale in comparison to the damage, costs, and downtime that could be created by a jackware infection of physical processes and machinery.

These attacks would be worse because they would bring operations to a complete standstill, equipment could be permanently damaged, physical injuries could occur, and removing the malware would be more difficult than it is with a traditional IT system.

The biggest risk is to manufacturers, processing plants, electric and water utilities, oil and gas companies, and shipping.

A sign is seen at an Exxon station that is out of gas after a cyberattack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline, in Washington, U.S., May 15, 2021. (REUTERS/Yuri Gripas)

2. The forced update attack

For several years, hackers have increasingly targeted software vendors and supply chains, as in the SolarWinds breach and the Magecart attacks on third-party web scripts, as a way of hacking numerous victims by only having to breach a single company.

This tactic could also be used with jackware. If hackers breach an IoT manufacturer, they could potentially use that access to push malicious firmware updates to that company’s products through the same update channel the devices already trust. This is a threat that needs to be taken seriously, as it could have an enormous impact.

For instance, if hackers breached a car maker or dealership, they could potentially “brick” hundreds or even thousands of vehicles at one time by forcing the cars to install jackware.

Similarly, they could disrupt home thermostats, security systems, smart appliances, fitness devices — or any other consumer IoT product and wearable — by forcing those devices to install the malware.

An even greater concern, however, is that this attack could reach critical industries. The industrial Internet of Things (or IIoT), such as connected sensors, is widely used throughout many important industries, like manufacturing and energy. By disabling those devices, an attacker could cause significant disruptions.
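The device-side check that blunts the forced-update scenario above, as an added example that is not from the original article or from any vendor’s code: the device pins the vendor’s Ed25519 public key, refuses any image not signed by it, and refuses any properly signed image that is not newer than what is already installed. The package layout, the `BuildUpdate`/`Apply` functions and the sample payloads are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-package layout used only in this example:
//   magic   4 bytes  "FWUP"
//   version 4 bytes  big-endian uint32, monotonically increasing
//   length  4 bytes  big-endian uint32, payload length
//   payload length bytes
//   sig     64 bytes Ed25519 signature over magic||version||length||payload
const (
	magic     = "FWUP"
	headerLen = 12
)

var (
	ErrBadFormat = errors.New("malformed update package")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("update version not newer than installed version")
)

// Device models the update-acceptance logic on an embedded device.
type Device struct {
	VendorPub ed25519.PublicKey // pinned at manufacture time
	Installed uint32            // version of the running firmware
	Firmware  []byte            // stands in for flash contents
}

// BuildUpdate is what the vendor's release pipeline does: sign header
// and payload together so neither the version nor the image can be
// changed after signing.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// Apply is the device-side check. Nothing touches flash unless the
// format, the signature under the pinned key, and the anti-rollback
// rule all pass. The signature is checked before any field is trusted.
func (d *Device) Apply(pkg []byte) error {
	if len(pkg) < headerLen+ed25519.SignatureSize || string(pkg[0:4]) != magic {
		return ErrBadFormat
	}
	version := binary.BigEndian.Uint32(pkg[4:8])
	length := binary.BigEndian.Uint32(pkg[8:12])
	if int64(headerLen)+int64(length)+ed25519.SignatureSize != int64(len(pkg)) {
		return ErrBadFormat
	}
	bodyEnd := headerLen + int(length)
	signed, sig := pkg[:bodyEnd], pkg[bodyEnd:]
	if !ed25519.Verify(d.VendorPub, signed, sig) {
		return ErrBadSig
	}
	if version <= d.Installed {
		return ErrRollback
	}
	d.Installed = version
	d.Firmware = append([]byte(nil), pkg[headerLen:bodyEnd]...)
	return nil
}

// Outcome records each scenario's result so it can be inspected directly.
type Outcome struct {
	Genuine, Tampered, AttackerKey, Rollback error
	InstalledAfter                           uint32
}

// RunScenarios exercises a genuine update, a tampered image, an image
// signed by an attacker who breached the distribution channel but not
// the signing key, and a replayed older image. Payloads are constructed.
func RunScenarios() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	dev := &Device{VendorPub: vendorPub, Installed: 1}
	var o Outcome

	genuine := BuildUpdate(vendorPriv, 2, []byte("constructed firmware v2"))
	o.Genuine = dev.Apply(genuine)

	tampered := append([]byte(nil), genuine...)
	tampered[headerLen] ^= 0xff // flip one payload byte after signing
	o.Tampered = dev.Apply(tampered)

	o.AttackerKey = dev.Apply(BuildUpdate(attackerPriv, 3, []byte("constructed jackware")))
	o.Rollback = dev.Apply(BuildUpdate(vendorPriv, 1, []byte("constructed firmware v1")))
	o.InstalledAfter = dev.Installed
	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v attacker=%v rollback=%v installed=%d\n",
		o.Genuine, o.Tampered, o.AttackerKey, o.Rollback, o.InstalledAfter)
}
```

The caveat a practitioner should keep in mind: this check only helps while the signing key stays out of the attacker’s hands. If the supply-chain breach reaches the vendor’s build or signing infrastructure, the malicious image arrives correctly signed and the device accepts it, which is why signing keys belong in an HSM or offline, why the version counter should live in tamper-resistant storage, and why a vendor still needs to detect a compromised pipeline rather than rely on the device to refuse its output.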

An employee demonstrates a wearable AI-powered bionic hand at the JD Global Technology Discovery Conference in Beijing, capital of China, Nov. 25, 2020. (Photo by Jin Liangkuai/Xinhua via Getty Images)

3. Hijacking mass transit

Criminal hackers have already proven how easy it is for them to breach public transportation agencies.

In recent years, they’ve also used ransomware to disrupt services in Fort Worth, San Francisco, Vancouver, and other cities, and even hit Cleveland’s airport in 2019.

Hackers could use these same methods to inflict even greater damage if they can infect the actual vehicle systems with jackware. All mass transit systems today, from buses to trains, subways and airplanes, rely on some level of embedded devices to manage important functions, and they will become increasingly autonomous in the years ahead. By encrypting or corrupting the firmware on these embedded devices, an attacker could render the vehicle inoperable.

People use the New York City subway on June 3, 2021. According to the Metropolitan Transportation Authority (MTA), the subway system was targeted in April 2021 by hackers with links to the Chinese government; the MTA said no employee information was taken and there was no known impact to customers of the nation’s largest subway system. (Photo by Spencer Platt/Getty Images)

4. Infecting medical devices

Since the pandemic began, hospitals have been heavily targeted with ransomware. These cyber attacks have been highly disruptive, but in most cases they haven’t interfered with actual medical treatments.

That will change with jackware.

Medical devices like MRIs, X-rays, ventilators, etc., often run on outdated software and firmware with unpatched vulnerabilities. Hospitals also frequently fail to isolate these devices from the main network, leaving them exposed to cyber attacks.

Once jackware becomes more widely available in the criminal underworld, it will be easy for hackers to breach a hospital’s main network and push jackware to life-saving medical equipment. This would bring all treatments to a standstill and put patients’ lives at risk.

Dr. David Brumbaugh (R) and MRI technologist Claire Skold look at live MRI images of a two-week-old infant at The Children’s Hospital in Aurora, Colorado, August 23, 2010, during a research study on obesity in infants. (REUTERS/Rick Wilking)

A persistent threat

Unfortunately, cyber threats aren’t going away anytime soon.

And the problem is going to get worse before it gets better.

These attacks will continue because it is easy for hackers to find insecure companies and exploit them. The U.S. government will have a hard time stopping them because any time you eliminate one hacking group, five more are ready to take its place.

What this means for the average person is that you should start preparing for occasional disruptions in your daily life, from supplies at the grocery store to energy, water, banking services, and any connected device you rely on.

Investors also need to be wary about the effect these attacks could have on stocks, IPOs, long-term corporate values, and the cryptocurrency market.

