Killware: The Most Dangerous Evolution of Ransomware?

Following these four best practices will not only empower you to defend against killware, but they will also help you defend against all other types of cyberattacks.

Brian Wrozek, CISO, Optiv Security

January 28, 2022

4 Min Read
Digital blue skeleton with key in foreground
marco salvarado via Alamy Stock

2021 was filled with high-profile ransomware attacks on businesses across industries -- some of which (e.g., the Colonial Pipeline attack) shut down entire markets and caused panic in parts of the US. As disruptive and destructive as these attacks were, the next wave of ransomware could be even more dangerous -- especially for the healthcare industry.

Like a virus, threat actors will continue to evolve and mutate the way they attack businesses to make the greatest profit. In “classic” ransomware attacks, bad actors encrypt a victim’s data and then force them to pay a ransom to have it unencrypted. But this evolved to cybercriminals forcing victims to pay a ransom not only to have their data unencrypted, but to prevent it from being publicly released or sold. Today, we’re beginning to see the third wave of ransomware -- killware.

Killware Puts the Healthcare Industry on High Alert

At a high level, killware is a ransomware attack that could result in physical harm, including loss of life, if a ransom isn’t paid. By raising the stakes in this way, cybercriminals are putting more pressure on victims to pay the ransom.

Hospitals and other healthcare organizations are increasingly at risk for these types of attacks, given system downtime of any kind -- even minutes -- could prevent critical patients from getting the treatment they need to survive. The world witnessed the detrimental consequences of killware in the attack on Springhill Medical Center in Alabama.

Additionally, medical equipment manufacturers and even individuals using internet-connected medical devices, such as insulin pumps or pacemakers, also are at risk. If cybercriminals hack into the WiFi networks or systems that these devices are connected to, they could potentially manipulate the data or even the way a device works, which could expose the personally identifiable information (PII) of millions of users or turn deadly in a worst-case scenario.

Fighting this New Threat with Good Security Hygiene

Regardless of industry, organizations need to take the proper precautions and practice good cybersecurity hygiene to defend against potential killware attacks. The good news is that most IT security teams hopefully will find that they are well on their way to a strong killware defense, as the strategies required to fight this new threat aren’t all that different from what organizations should be doing to protect against other types of cyberattacks.

Here are four best practices to keep in mind:

  1. Prioritize security basics -- they are the foundation of a strong cyber defense strategy. If an organization fails to master cybersecurity fundamentals, they will not only create gaping security holes for cybercriminals to exploit, but they won’t be able to effectively use more advanced security tools to bolster their defense strategy. That said, the first step to a strong killware defense strategy is to make sure basic security protocols, processes and controls are in place and working as they should -- things like multi-factor authentication, network segmentation, patching, systems updates and so on.

  2. Make application security part of the development process from the start. To eliminate those security holes, it’s important to build all applications, products and solutions -- including medical devices -- using a “security by design” model. This means building in security policies, controls and guardrails from the start, rather than adding controls after the fact.

  3. Implement and enforce threat modeling. Organizations can become so focused on getting a product out as quickly as possible, that they overlook the importance of determining how that product (or application, service or solution) could be attacked. Taking this perspective through threat modeling is important because it can identify areas of vulnerability and gaps in security that need to be addressed before a product goes to market.

  4. Develop and practice an incident response (IR) plan. The last thing any company wants if they do get hacked, is to be left scrambling to figure out what to do. This is why developing, documenting and practicing IR plans is so important. The ability to respond quickly with a pre-defined plan localizes the attack and minimizes the damage done.

Seeing the Big Picture

If successful killware attacks become too commonplace, it will generate attention from the US government as well as law enforcement entities, and they’ll be forced to respond. This is publicity that cybercriminals don’t want. They want to use killware for economic leverage, but, at the end of the day, they don’t want government scrutiny or to take lives, which I believe, is what will keep this threat at bay.

That said, one death is one too many, and organizations need to put the proper cybersecurity strategies in place to minimize the risk of a successful attack. Following these best practices will not only empower you to defend against killware, but all other types of cyberattacks as well -- enabling you to protect employees, customers, partners and other stakeholders in more ways than one.

About the Author

Brian Wrozek

CISO, Optiv Security

Brian Wrozek is a seasoned cybersecurity executive with more than 20 years of experience in IT and information security and management. As CISO at Optiv Security, Wrozek oversees all corporate security functions including cyber operations, incident response, vulnerability management and security governance activities.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights