First ransomware, now killware. Can it be stopped?

by Egress
Published on 12th Nov 2021

Ransomware is quite rightly a major cybersecurity concern. The biggest ransomware cases where major companies have been forced to a halt until they pay a ransom have made global, headline news. The impact to victim organizations is usually financial loss and reputational damage, but it can be more serious.

In cases such as the Colonial Pipeline attack, ransomware has caused real-world impacts for the general public too. This attack created energy shortages all the way down the east coast of the US. It showed the danger of ransomware striking critical infrastructure, and it’s not a stretch to imagine how an attack like this could lead to loss of life.

Unfortunately, that’s the exact goal of a new type of threat: killware.

What is killware?

Highly unpleasant. It’s malware with a specific motive to cause physical harm to people. That could be through contaminating the chemical balance of water or gasoline supplies, stopping hospital operations, or disrupting traffic control networks. Essentially, the aim is shutting down or disrupting services that are vital for keeping people healthy or safe.

And we’re not talking about hypothetical scenarios – the threat is already here. A water treatment facility in Florida was targeted in an attempted hack during February 2021. What made this particular hack concerning was the motivation to distribute contaminated water to residents. Authorities stated that the motive was “not financial gain but rather purely to do harm.” Thankfully the attack failed, but it serves as a chilling warning.

Given the prevalence of ransomware and the ease of getting hold of it on the Crime-as-a-Service marketplace, it’s hardly surprising that certain groups have sought to take it to a new and deadly level. Even though killware attacks are unlikely to dominate the threat landscape in the same way ransomware does, when attacks do happen, they have the potential to be deadly.

How does killware work?

Similarly to ransomware, in the sense that it locks down computer systems via encryption. The key difference here is that no ransom can be paid in exchange for decryption. A gang behind a ransomware attack is motivated by profit – it’s simply a means to get their hands on money (usually cryptocurrency). Most cybercriminals are still going to be motivated by money rather than causing chaos, so killware should remain a rarer (but far more dangerous) threat.

Like with ransomware, spear phishing is a highly effective way to deliver killware into IT systems. An email is a simple method to get a malicious payload inside the digital walls of an organization. All it takes is one insider to click a link or open an attachment and the killware will be downloaded and able to spread throughout the wider IT system.

Phishing also lowers the barrier to entry for cybercrime. Inexperienced cybercriminals can purchase killware online, as well as ready-made phishing kits that contain everything they need to breach an organization. They don’t need advanced hacking skills to bring critical infrastructure to its knees – just an email and an insider willing to click on it.

Can it be stopped?

Killware is an extreme extension of ransomware, and the U.S. government was already taking ransomware very seriously, going as far as to class it on the same level of threat as terrorism. It has also proposed new legislation that requires critical infrastructure owners to report any attacks to the Cybersecurity and Infrastructure Security Agency (CISA). The hope is that this will enable the government to better understand the threat landscape.

The recent efforts to shut down the infamous REvil ransomware gang appear to have been successful too. However, there are a lot of similar groups out there, and whether REvil stays gone or another gang pops up to replace it remains to be seen. In future cases of killware where nation states have the potential to be involved, everything will become even more complicated.

Even with government support, steps need to be taken at the organization level too. Over 90% of ransomware is delivered by phishing. For most cybercriminals, this would be the easiest way to deliver killware too. Email is the biggest weakness for many organizations and is an entry point that needs securing.

Organizations need to future-proof their security strategies, ensuring they have the right technology in place to defend themselves against ransomware today and killware tomorrow.

Concerned about ransomware? Learn how to stop it being delivered into your organization by email.