Killware is Here, but so are the Tools to Defeat the Threat

By Callie Guenther, Critical Start Cyber Threat Intelligence Manager

Want to learn how to combat Killware? Watch our webinar recording!

USA Today is promoting killware as the latest threat to cybersecurity. As publicity around this concept continues to build, security teams and leaders in particularly vulnerable industries such as healthcare grapple with understanding the scope of this threat. In the face of such uncertainty, it’s helpful to take a step back and determine the true nature of killware, separating out the hype to determine what exactly it is that we’re facing.

While it sounds like a brand-new type of technology, killware is the malware that you’re used to, but the difference lies in how it’s being used. Instead of focusing on a financial gain, such as a ransom payout to restore critical infrastructure that’s been penetrated, the malware in this case is used to disrupt infrastructure to cause physical harm or death to actual people.

Killware is increasing the stakes on the Ransomware-as-a-Service model. While global Ransomware attacks on ever-larger targets have given wings to a new tech sector, we are still just beginning to understand its destructiveness. Cyber criminals are increasingly targeting our nation’s critical infrastructure to include hospitals and water supplies, banks and first responders, and transportation and energy providers. Talking with USA Today, Alejandro Mayorkas, Secretary of the U.S. Department of Homeland Security stated that cyber-attacks are increasingly posing risks to “public health and safety”.  

In order to mitigate this threat, we must first take a look at how and why killware is growing in popularity.

Defining the threat

It’s worth noting that there has been some pushback against the idea of killware, as organizations such as Malwarebytes Labs point out that cyberattacks are stopped based on the method used, not the intent behind them. They point out that there are no Indicators of Compromise (IOCs) specific to killware, as it is just malware utilized for a different end goal. But with the potential consequences of the end goal being this serious, it’s hard to ignore what those who deploy this malware are trying to accomplish.

We all remember the Colonial Pipeline attack that gripped the country’s attention in April, but this attack resulted in a disruption to consumers. There was another incident that could have had implications far beyond service interruptions. The target of that attack was a water treatment plant in Oldsmar, Florida where an unidentified hacker increased the levels of Sodium Hydroxide (lye) and Caustic Soda in an attempt to poison the water supply. Sodium Hydroxide controls water supply acidity and removes heavy metals from water. In very small doses there is no cause for concern, but in high doses, the effects can range from skin irritation to potential death from severe burns. Homeland Security officials would not comment on who might have been behind the Florida attack, including whether it was linked to a foreign power.

State-affiliated or sponsored actors often have objectives aligned with either the political, commercial, or military interests of their country of origin. Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013, illustrating that critical infrastructure including national power grids, factories, pipelines, bridges, and dams have always been prime targets for digital armies. In both cases, the primary objective of the attacker was to cause harm to humans. Whether it is in a chemical plant, an air traffic control system, a dam, or manufacturing factory, it is an alarmingly rapid evolution, but not entirely surprising. Malware, and more specifically ransomware, is the fastest-growing criminal market, thus it’s inevitable that we’ll begin to see increasing numbers of so-called killware attacks aimed at crippling infrastructure.

Weaponized technology is the persistent theme. Echoing Secretary Mayorkas, security experts warn that, when it comes to being tested, the cyber-physical security space is in its infancy. The rise in consumer products such as autonomous vehicles and wearable medical monitoring devices has created millions of potential access points for threat exploitation. In July, Gartner released a report predicting that “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans by 2025” and estimated that the cost of attacks with resulting fatalities could climb to over $50 billion dollars in the next two years.  

Vulnerabilities in healthcare

Hospitals and healthcare have always been a high-value target for cybercriminals, but even more so in the last 18 months. The immense and unprecedented stress the system has endured under the COVID-19 pandemic and a rapid transition of the industry to a digitally dependent remote workforce has threat actors capitalizing on new or amplified cyber vulnerabilities. While some adversaries will target or pursue the compromise of patient health records, others will target or pursue the compromise of patient health itself. The overwhelming trend is that the industry focuses almost exclusively on the protection of patient health records and rarely takes measures to address threats to physical patient health.

In October 2020, officials from the FBI, the U.S. Department of Homeland Security, and the U.S. Department of Health and Human Services assembled a conference call involving numerous healthcare executives with the intent to warn the industry about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The aggressive Russian-speaking ransomware group known as Ryuk was discussing plans to deploy ransomware at more than 400 healthcare facilities in the U.S. Shortly after this conference, healthcare providers observed a 45% increase in attacks, which is more than double the number seen in any other industry.

How to mitigate killware

While all of this seems to add an apocalyptic consequence to the already significant threat posed by malware, there is good news. Since killware is a new motive for an existing malware, the means for defeating that malware remains the same. However, the potentially devastating impacts of killware make it an even more urgent incentive to bolster the protective measures that your organization should already have in place.

Reactivity benefits the attacker, so waiting for an issue to present itself in your organization is not an option. With ransomware attacks growing by more than 350% annually, fighting data breach threats and mitigating avenues of intrusion alone is not enough. Many organizations are taking preventative measures by partnering with managed security providers who have the capability to safeguard critical infrastructure. Countering unauthorized access and threat intrusion is best approached with aggression and early warning detection capabilities are imperative to identification remediation of malicious traffic. Managed security providers enable organizations to proactively monitor organizational security round-the-clock and their robust detection capabilities identify behavior-based threats to determine and mitigate risk quickly.

Want to learn how to combat Killware? Attend our webinar this week!