Targeted Ransomware: A New Cyber Threat to Edge System of Brownfield Industrial Internet of Things

Muna Al-Hawawreh, Frank Den Hartog, Elena Sitnikova

Research output: Contribution to journalArticlepeer-review

35 Citations (Scopus)


Much value in a brownfield Industrial Internet of Things (IIoT) implementation resides at its edge tier, where new types of devices and technologies are deployed to interoperate the legacy industrial control systems with servers and systems in the cloud, and leverage the benefits of the Internet of Things technologies. One of these novel devices is the IIoT edge gateway, which is used to connect critical physical systems with the cyber world, and to provide consistent storage, processing, and analytical and controlling capabilities. However, these devices also come with new and advanced threats such as targeted ransomware. In this paper, we investigate this threat in detail. We studied the threat actors' motivations, the anatomy of ransomware for edge gateways, and the likelihood of such ransomware attack to happen in the future. We found that threat actors find IIoT edge gateways attractive ransomware targets due to their vital roles and functionalities in working with critical infrastructure and that the likelihood of such attack to occur is high. We built the first version of a ransomware security testbed for IIoT, and for test purposes, we developed a first version of ransomware target at IIoT edge gateway in a brownfield system. From our measurements we conclude that kernel-related activity parameters are significant indicators of the abnormal behavior caused by crypto-ransomware attacks in IIoT edge gateways, much more so even than for similar attacks in information technology server workstation. Thereby, some potential countermeasures for addressing targeted ransomware in IIoT systems are recommended as proactive strategies for dealing with attackers' new techniques and tactics.

Original languageEnglish
Article number8703829
Pages (from-to)7137-7151
Number of pages15
JournalIEEE Internet of Things Journal
Issue number4
Early online date1 May 2019
Publication statusPublished - Aug 2019
Externally publishedYes


  • Brownfield Industrial Internet of Things (IIoT)
  • countermeasures
  • crypto-ransomware
  • cybersecurity
  • edge gateway
  • logic locking
  • targeted ransomware


Dive into the research topics of 'Targeted Ransomware: A New Cyber Threat to Edge System of Brownfield Industrial Internet of Things'. Together they form a unique fingerprint.

Cite this