Subscriber Discussion

Ransomware And Cameras: What Impact, If Any, Does Ransomware Have On A Camera?

Undisclosed Integrator #1
Apr 22, 2017

We are dealing with a Ransomware issue that took over a client's entire network (very large and complex network infrastructure with many systems across the network).  The VMS system was also taken over.  

The client determined they would not pay the ransom and all systems are being wiped, reimaged or rebuilt.  All details aside, I am curious if anyone knows the impact that ransomware could have on the individual camera.  This is a large enterprise VMS system (redundant master servers, multiple recorders with failover, dual redundant NIC ports/power supplies/controllers, etc).  

Everything is back on line from the VMS standpoint (although much of the other campus systems are still down), however we have a high concentration of a specific camera (I would prefer not to name the manufacturer) that we cannot get to come online. We cannot access the camera's homepage at all, neither from within the VMS nor from outside the VMS going direct to the camera.

So my question is:  What impact, if any, does ransomware have on a camera?  Can ransomware take over the individual cameras?  

I have yet to find anything online beyond ransomware events that took over an entire system, no specific mention of the impact this could have on an individual camera or how ransomware could impact different types of cameras based on camera build/design/engineering.

Undisclosed #2
Apr 22, 2017
IPVMU Certified

Ransomware typically is written for PC based architectures, since the instantaneous value of the data is high and the entry vectors are numerous.

Though there have been a few reported attempts targeting Linux IoT devices, I have not heard of any hybrid infestation of both.

Have these cameras been hard reset to factory defaults and then tested with a no-hop network (laptop direct connection)?

Related: Washington DC Police Surveillance Hacked - What Manufacturer's Cameras / Recorders Were Used?

Brian Karas
Apr 22, 2017
IPVM

The goal of ransomware is to encrypt your files, and then charge the victim money to get a key to decrypt them. Because of that, it is primarily a threat to personal files/business files, things that can't easily be recovered by a factory reset.

Ransomware also relies on being able to upload and execute the program that encrypts the files.

This makes ransomware almost zero risk to individual cameras; they contain no real unique information that can't be easily recreated/reset.

Undisclosed Integrator #1
Apr 22, 2017

Thank you Brian,

This is our line of thinking as well.  Obviously the situation is quite chaotic as the impact was large, so walking through all steps to restore one subsystem across the entire campus is a bit complicated to say the least.

The cameras being inaccessible was something we didn't expect given the nature of ransomware.  Was hoping we might be missing something obvious, but it does not look that way.

Undisclosed #2
Apr 22, 2017
IPVMU Certified

Are any cameras of any mfr/model accessible since the VMS has been restored?

Perhaps the IP scheme was lost in the restoration of the network?

Have you used the specific camera discovery tool provided by the mfr to access the camera?

Undisclosed Integrator #1
Apr 23, 2017

Yes, all Axis and Samsung cameras were accessible via the camera home page and were able to be enrolled into the VMS without any issue.

The camera discovery tool will not identify / find the cameras.

Everything else appears good.  Tonight we go to individual cameras with a laptop direct and likely factory default.  Didn't do this yet as we were focusing on everything we can bring online first.

Client admitted a few hours ago that the attack was not "typical" ransomware where an infected email or attachment is opened but rather an "inside" attack that "took over" the network and in some cases usernames and passwords.  This is an odd confession and I do believe we don't have the full story of what happened or the overall impact.  Tough to assess and resolve quickly when the facts of what occurred are not readily available.

Undisclosed #2
Apr 23, 2017
IPVMU Certified

Client admitted a few hours ago that the attack was not "typical" ransomware where an infected email or attachment is opened but rather an "inside" attack that "took over" the network and in some cases usernames and passwords.

Did you personally recover the VMS systems?  

Usually ransomware encrypts known data file types, but leaves programs and config alone.

Depending on what file extensions the VMS might by chance use, I could imagine some dedicated machines not being affected greatly.

Were there encrypted files or a ransom demand in the directories?

Were those cameras Dahua by any chance?

There is a nasty default password brickbot out there that could cause camera symptoms like these.
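The two questions above (were the VMS's data files actually encrypted, and was a ransom note dropped beside them?) are ones a recovering team can answer mechanically before reimaging. The following is an added triage script, not code from this thread or from IPVM: it walks a directory tree, flags files whose leading bytes have near-random Shannon entropy (a plain config or document reads at roughly 4 to 6 bits per byte, ciphertext at close to 8), and separately flags text/HTML files whose names contain common ransom-note words. The note-name markers, the entropy threshold of 7.5 bits and the sample directory it builds are constructed assumptions for illustration; compressed or media formats are skipped because they are legitimately high-entropy.

```python
"""Triage a share for ransomware indicators: encrypted-looking data files and
ransom notes.  Added example for this discussion, not the thread's own code."""
import math
import os
import tempfile
from collections import Counter

# Constructed list of words that commonly appear in ransom-note filenames
# (assumption for this example, not taken from the thread).
NOTE_MARKERS = ("readme", "decrypt", "how_to", "restore", "recover")

# Formats that are dense by design; skipping them avoids false positives.
ALREADY_DENSE = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".mkv", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str) -> bool:
    """A small text/HTML file whose name advertises decryption or recovery."""
    lower = name.lower()
    return lower.endswith((".txt", ".html", ".hta")) and any(m in lower for m in NOTE_MARKERS)


def triage_directory(root: str, entropy_threshold: float = 7.5, sample_bytes: int = 65536) -> dict:
    """Return {'encrypted': [paths], 'notes': [paths]} for everything under root.

    Only the first sample_bytes of each file are read, which keeps the scan
    usable on a large recorder share; files under 256 bytes are ignored because
    entropy estimates on tiny inputs are meaningless.
    """
    findings = {"encrypted": [], "notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if looks_like_ransom_note(name):
                findings["notes"].append(path)
                continue
            if os.path.splitext(name)[1].lower() in ALREADY_DENSE:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: leave it for manual review
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                findings["encrypted"].append(path)
    return findings


def build_sample_tree(root: str) -> None:
    """Construct a toy share: a plain recorder config, a random-byte file
    keeping its .docx name (what an encrypted document looks like), and a note."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "recorder.cfg"), "w") as fh:
        fh.write("server=vms-master-01\nretention_days=30\n" * 40)
    with open(os.path.join(root, "incident_report.docx"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("constructed sample note text\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    sample = os.path.join(tempfile.mkdtemp(), "share")
    build_sample_tree(sample)
    return triage_directory(sample)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

On the constructed tree the config file stays below threshold, the random-byte .docx is reported under "encrypted" and the note under "notes". On a real share, a run that finds neither while the VMS still failed to start points away from file encryption and toward the kind of credential or network takeover the client later described.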

Jay Hobdy
Apr 22, 2017
IPVMU Certified

You can't access them through the network, but have you pulled a camera and tried to access it directly via an injector, stand alone switch, etc?


Basically remove any other variable
