Is Killware Really the Next Evolution of Healthcare Ransomware Attacks?

"Killware" may sound more threatening, but traditional, financially motivated cyberattacks are still the biggest risk to healthcare cybersecurity.

In October 2021, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas told USA Today that “killware” would be the next big cybersecurity threat to watch out for.

Mayorkas cited a February attack on a Florida water treatment facility, in which malicious actors attempted to raise the level of lye in the public water supply to dangerous levels. DHS observed at least three attacks on US water and wastewater treatment facilities in 2021 alone.

Multiple attacks on critical infrastructure, including water treatment facilities and hospitals, may signify a shift in priorities for threat actors. In the past, it was common for hacking groups to explicitly state that they would not target hospitals, schools, or any critical infrastructure entities. But now, groups like FIN12 and others have made healthcare entities their prime targets.

While none of the 2021 water treatment facility attacks resulted in human harm, the actions present a troubling new threat to organizations that have not yet implemented proper network safeguards. It is now clear that some threat actors are willing to risk lives in order to successfully obtain a ransom from their victims.

Although killware sounds like a terrifying new threat, healthcare organizations can safeguard their data and patients using the same measures they would use to combat ransomware.

In the current cyber threat landscape, most bad actors are still only interested in financial gain. The use of killware is unlikely and less of a risk than other pressing security concerns, but it is still worth considering.

What is killware?

“Killware is the next evolution of ransomware,” Brian Wrozek, chief information security officer (CISO) at Optiv Security, said in an interview with HealthITSecurity.

Many healthcare organizations have accepted ransomware attacks as an inevitable occurrence, making the threat less potent, Wrozek explained. Killware gives threat actors leverage again by raising the stakes. Even if the hackers have no intention of actually inflicting harm, the threat may be enough to scare victims and receive a hefty payout.

Killware can be deployed using the same technical tactics as ransomware. However, rather than threatening to encrypt or publish sensitive data, threat actors using killware intend to harm or kill people. Research from Gartner suggested that by 2025, threat actors will be regularly weaponizing operational environments to do just that.

“Traditional ransomware is losing a little bit of its punch,” Wrozek remarked. “You can’t surf the web without seeing another news article about somebody getting hit with ransomware. It’s becoming old news in a way.”

But when a medical device is manipulated and human lives are at risk, “now you’ve got people’s attention,” Wrozek suggested.

Recently discovered vulnerabilities in infusion pumps and insulin pumps indicated that threat actors could manipulate medical devices to remotely change medication doses and pose risks to patient safety. No incidents have been reported, but the possibility of exploitation made a good case for organizations to invest in updated medical device security measures and phase out legacy devices.

More than 550 organizations reported healthcare data breaches to HHS in 2021. Although organizations are seemingly getting better at cybersecurity by implementing cyber insurance and employee education, threat actors are successfully deploying ransomware at similar rates to 2020.

Cybercriminals have evolved at the same rate to make up for the increased awareness and preparedness by healthcare organizations.

“They look for creative ways to change the game on us,” Wrozek stated. “And I think killware is that next evolution.”

Debunking killware myths

Although it goes by a different name, killware methods and tactics are largely the same as those of ransomware. Companies and individuals may be justifiably afraid of the looming threat of killware, but preparing for it requires implementing the same cyber hygiene protocols that they would use to protect against ransomware.

“They will continue to target using the same techniques,” Wrozek suggested. Phishing emails, ransomware, and targeting legacy systems have worked for threat actors in the past.

“I don't see them really adapting their techniques or what they're trying to attack as much as trying to raise the anxiety level of the victims in order to convince them to pay and pay more.”

Some people may also be under the impression that killware will eclipse ransomware and become a daily threat to healthcare organizations. Wrozek maintained that this is unlikely because widespread harm would likely garner unwanted government attention.

“I don’t think they want to push the envelope to that point,” Wrozek said of the attackers.

The May 2021 attack on Colonial Pipeline, which impacted thousands of miles of the US fuel supply chain, already gained enough attention to spark multi-country initiatives aimed at stopping ransomware. President Biden issued an executive order days after the attack and called on various government agencies to develop best practices and ransomware risk mitigation tactics for critical infrastructure entities.

The government attention resulted in consequences for threat actors. In October, a coalition of international governments hacked and forced REvil/Sodinokibi ransomware group offline. In November, the US Department of Justice (DOJ) announced two indictments connected to REvil/Sodinokibi as part of the department’s Digital Extortion Task Force.

Since most cybercriminals are financially motivated, additional attention brought on by killing and harming victims would likely not be in their best interest.

“I don’t know that I would be losing sleep over killware,” Wrozek continued. “There are not a lot of attackers out there thinking about how they can kill a bunch of people. It is about how much money they can make. So yes, it is a threat, but at the end of the day they just want you to pay the ransom.”

However, even if threat actors do not deploy an attack with the intent to do harm, patient harm can still occur as a result of a cyberattack. Healthcare cyberattacks are known to result in appointment diversions, delayed care, and inaccessible electronic health records (EHRs), all of which could disrupt quality care.

Safeguarding your organization

“It’s all about practicing these tried-and-true foundational security controls, like multifactor authentication and keeping your systems updated and patched on a regular basis,” Wrozek advised.

“The other technique that I think is underutilized is threat modeling, and really looking at your systems and your environment from the attacker's point of view.”

The Food & Drug Administration (FDA), in partnership with MITRE and the Medical Device Innovation Consortium, recently released a playbook for medical device threat modeling to help organizations detect and mitigate vulnerabilities.

Network segmentation and employee education modules are also crucial security measures that organizations should implement to mitigate risk.

But these preventive measures are only useful if they are regularly practiced. Healthcare organizations should use tabletop discussions to go through their cyber incident response plan and make sure that roles and responsibilities are clearly defined across the organization. Each organization has specific needs and circumstances, which makes practicing and tailoring the response to a specific organization even more crucial.

Killware, like traditional ransomware, provides yet another incentive for organizations to invest in cybersecurity and implement technical and administrative safeguards to maintain patient safety.