Ransomware Attacks on Security Cameras and NVRs Are a Growing Threat

Ransomware attacks on security cameras and network video recorders represent one of the most alarming cybersecurity developments facing property owners and security professionals. The scenario is grimly ironic — the system installed to protect your property becomes the target of an attack that locks you out of your own surveillance footage, encrypts your recordings, and demands payment to restore access. These attacks are not hypothetical; they are happening to businesses and individuals in New Zealand and around the world with increasing frequency.

The vulnerability exists because security recording infrastructure is fundamentally a computing system — running operating systems, connected to networks, and storing valuable data. When security professionals talk about protecting property, they rarely include protecting the protection system itself. This oversight creates an opportunity that cybercriminals are exploiting with growing sophistication.

How Ransomware Targets Security Infrastructure

Ransomware attacks on CCTV and security recording systems follow several common attack vectors, each exploiting different weaknesses in how these systems are typically deployed and managed.

Network Video Recorders (NVRs)

NVRs are essentially specialised computers running embedded Linux or Windows operating systems. Many run outdated software that is no longer receiving security patches, have web interfaces exposed to the internet with weak or default passwords, and use vulnerable versions of common services like SSH, HTTP, and RTSP.

Attackers scan the internet for exposed NVR web interfaces — a trivial task using search engines like Shodan that index internet-connected devices. Once found, they attempt to gain access through:

• Default credentials: Many NVRs ship with well-known default usernames and passwords that users never change
• Known vulnerabilities: Unpatched firmware containing security flaws that allow remote code execution
• Brute force attacks: Automated tools that try thousands of password combinations against exposed login pages
• Supply chain compromise: Firmware updates from compromised sources that contain backdoors

Once inside the NVR, the attacker deploys ransomware that encrypts the recorded video files and potentially the NVR’s operating system, rendering it inoperable until a ransom is paid.

Cloud CCTV Platforms

Cloud-based camera platforms present different attack surfaces. Account takeover through phishing, credential stuffing, or social engineering gives attackers access to the cloud management console, where they can delete recordings, change passwords, and lock the legitimate owner out of their own system.

More sophisticated attacks target the cloud platform itself. If a cloud CCTV provider suffers a ransomware attack on their infrastructure, every customer using that platform is affected simultaneously. Several such incidents have occurred internationally, with thousands of businesses losing access to their security footage when their provider’s servers were encrypted.

Network Lateral Movement

Perhaps the most dangerous scenario is when security infrastructure is compromised as part of a broader network attack. Ransomware that enters a business network through a phishing email or compromised workstation can spread laterally to NVRs, camera management servers, and access control systems that share the same network. The security system is encrypted alongside everything else, leaving the business both operationally crippled and physically unprotected during the recovery period.

Real-World Incidents and Their Impact

Several high-profile incidents illustrate the severity of this threat.

In 2021, a ransomware attack on Verkada, a cloud-based security camera company, exposed live feeds from over 150,000 cameras across hospitals, schools, prisons, and corporations. While this attack focused on data access rather than encryption, it demonstrated the devastating scale of cloud platform compromises.

Numerous smaller-scale attacks have targeted individual businesses, encrypting NVR footage and demanding ransoms typically ranging from a few hundred to several thousand dollars in cryptocurrency. For businesses that rely on CCTV footage for insurance claims, dispute resolution, or regulatory compliance, the loss of recordings can have consequences far exceeding the ransom amount.

In New Zealand, CERT NZ has documented cases of security system compromise, though many incidents go unreported due to the embarrassment of having a security system itself become a security vulnerability. The true scale of the problem is likely significantly larger than reported figures suggest.

Protecting Your Security Recording Infrastructure

Defending security systems against ransomware requires the same cybersecurity discipline applied to any critical computing infrastructure. The following measures, implemented systematically, dramatically reduce the risk of a successful attack.

Network Architecture

The single most important defensive measure is network segmentation. Security cameras and NVRs should operate on a physically or logically separate network from business computers and general internet access. This isolation prevents ransomware that enters through a phishing email or compromised workstation from reaching the security infrastructure.

Specific network measures include:

• Dedicated VLAN: Place all cameras and NVRs on a separate VLAN with firewall rules restricting traffic flow to and from the security network
• No direct internet access: NVRs should not be directly accessible from the internet. Remote access should be provided through a VPN or the manufacturer’s secure cloud relay service
• Disable UPnP: Universal Plug and Play can automatically create port forwarding rules that expose security devices to the internet without the owner’s knowledge
• Firewall rules: Explicitly define which devices can communicate with the security network, blocking all other traffic

Authentication and Access Control

Strong authentication practices prevent unauthorised access to security management interfaces:

• Change all default passwords immediately during installation — on cameras, NVRs, and any management software
• Use unique, complex passwords for each device and service
• Enable two-factor authentication where available, particularly for cloud-based camera platforms
• Create individual user accounts rather than sharing a single admin login among multiple staff
• Regularly audit user accounts and remove access for departed employees or contractors

Firmware and Software Maintenance

Keeping security device firmware current is essential. Manufacturers regularly release firmware updates that patch security vulnerabilities. An NVR running firmware from three years ago likely contains multiple known vulnerabilities that attackers can exploit.

Establish a regular firmware update schedule — monthly checks at minimum — and subscribe to manufacturer security advisories so you are notified of critical patches as they are released. For organisations with many devices, centralised management platforms that automate firmware deployment significantly reduce the maintenance burden.

Backup Strategies for Security Footage

Even with strong preventive measures, no system is completely immune to compromise. A robust backup strategy ensures that critical footage survives a ransomware attack.

Effective backup approaches for security recordings include:

• Offline backup: Regularly export critical footage to external storage that is disconnected from the network after transfer. Ransomware cannot encrypt what it cannot reach
• Immutable cloud storage: Some cloud storage services offer write-once-read-many (WORM) capabilities where stored data cannot be modified or deleted for a defined retention period
• Redundant recording: Configure cameras to record to multiple destinations — both the NVR and a separate storage device or cloud service — so that compromising one recording system does not eliminate all copies
• Edge storage: Many cameras support microSD card recording as a backup. While limited in capacity, edge storage provides a local copy that survives NVR compromise

Incident Response Planning

Having a plan for when a security system is compromised is as important as prevention. The plan should address immediate containment — isolating affected devices from the network to prevent spread — communication with the monitoring centre to ensure they are aware of the situation, alternative security measures during the recovery period, forensic preservation of evidence for potential prosecution, and the decision framework for whether to pay a ransom.

Security professionals generally advise against paying ransoms, as payment encourages further attacks, does not guarantee data recovery, and may violate sanctions regulations if the attacker group is on designated lists. However, each situation must be assessed individually based on the criticality of the encrypted data and the availability of backups.

The most sophisticated alarm system in the world provides zero protection if ransomware has encrypted its NVR, disabled its cameras, and locked out its operators. Cybersecurity for security systems is not optional — it is the foundation upon which all physical security depends.

For New Zealand businesses and property owners, protecting security infrastructure from ransomware requires a shift in thinking. Security cameras and NVRs are not appliances that can be installed and forgotten — they are networked computing devices that require the same cybersecurity attention as any other system on the network. The cost of implementing proper cyber hygiene for security systems is minimal compared to the cost of discovering that your protection system has itself become a victim.