Disruptionware VII: The Evolution of Disruptionware and the Growth of Ransomware as a Service (RaaS)


I have written multiple times about the danger of disruptionware to both Information Technology (IT) networks as well as Operational Technologies (OT) networks of victims globally. As discussed here, many different nefarious tools make up the disruptionware “tool kit.” These tools include, but are not limited to:

  • Ransomware
  • Wipers
  • Bricking capabilities tools
  • Automated components
  • Data exfiltration tools
  • Network reconnaissance tools

The most well-known and most used of all these tools is ransomware malware. Ransomware attacks have grown exponentially over the past few years. Dozens of ransomware gangs are launching ransomware attacks and terrorizing and extorting businesses throughout the world. This has included specific attacks against the U.S. energy sector as well as U.S. infrastructure projects.

Continue reading “Disruptionware VII: The Evolution of Disruptionware and the Growth of Ransomware as a Service (RaaS)”

Disruptionware VI: Cyber-Attack against Colonial Pipeline Illustrates Continued Vulnerability of American Energy and Infrastructure Targets


Disruptionware attacks have become increasingly more common over the last few months. Just last month, I wrote about a dangerous disruptionware attack against a Florida Water Treatment Center that could have been a mass casualty event. For more information on these types of attacks, please refer to our posts on different types of disruptionware attacks and how disruptionware attacks work.

Continue reading “Disruptionware VI: Cyber-Attack against Colonial Pipeline Illustrates Continued Vulnerability of American Energy and Infrastructure Targets”

Disruptionware V: Malicious Cyber Actors Attack a Florida Water Treatment Facility


We have posted four previous articles discussing the foundation and structure of what a disruptionware attack is, how their attack matrix works, possible defenses to disruptionware attacks and industries that are very susceptible to these attacks. Disruptionware has proven over the last year that it is a growing and dangerous cyber threat to our data, our businesses and possibly our lives.

Disruptionware attacks typically involve ransomware and they aim to encrypt and hold the victim’s data hostage. Such attacks are usually financially motivated, and, to date, there have fortunately been only a few known examples where the disruptionware attack has resulted in threats to health and safety or caused loss of life. When such significant collateral damage has occurred, it typically appears to have been inadvertently caused.

Continue reading “Disruptionware V: Malicious Cyber Actors Attack a Florida Water Treatment Facility”

Disruption IV: The New Threat Disruptionware Poses to the American Energy Sector


Over the past few months, I have written about the threat first identified by the Institute for Critical Infrastructure Technology (ICIT) called disruptionware. We have previously described what disruptionware is, how it works, and outlined some of the defenses that can be used to defend against a multitude of disruptionware attacks. Many may have thought the immediate notifications of the threat posed by this new concept of disruptionware had been adequately made public and sufficiently identified. Unfortunately, disruptionware continues to impact new sectors.

According to ICIT, disruptionware is an evolving category of malware designed to “suspend operations within the victim organization through the compromise of the availability, integrity and confidentiality of the data, systems, and networks belonging to the target.” Recently, ICIT identified a new threat from disruptionware that will likely have a seriously adverse effect on the American energy sector. ICIT goes so far as to refer to disruptionware in the context of an attack on the U.S. energy grid as a “weapon of mass destruction.”

Continue reading “Disruption IV: The New Threat Disruptionware Poses to the American Energy Sector”

Disruptionware III: Protect Your Business from a Disruptionware Cyber Attack


In the first blog in this series, we defined “Disruptionware” and showed how it was growing as a threat to many types of industries throughout the country and the world. The threat was especially noticeable within the healthcare industry and for government institutions. In our second blog, we talked about the different types of tools and attack matrixes that Disruptionware uses to cripple and/or damage unsuspecting businesses and how destructive those attacks can be. This third and final discussion will delineate what businesses can do to defend themselves against a Disruptionware attack and what cyber defenses are at their disposal to alleviate the damages caused by this new and dangerous attack medium.

Continue reading “Disruptionware III: Protect Your Business from a Disruptionware Cyber Attack”

Disruptionware II – The “Cyber Terminator” and What This New Threat Means to You and Your Data


We recently published a blog about a very new and emerging threat coined “disruptionware,” now faced by workforces in multiple industries – especially focused on workers employed in government and in the health care sector. As first identified and discussed by the Institute for Critical Infrastructure Technology (ICIT), disruptionware is designed to attack the traditional “CIA Triad,” i.e., the confidentiality, integrity and availability of a user’s systems, networks and data. Disruptionware is an emerging form of malware, with a greater adverse impact than more traditional, standalone ransomware attacks, in that it is designed to actually suspend physical operations within a victim organization. Unlike most cyber-attacks focusing on the “IT” networks in a business, disruptionware directly attacks a company’s “Operational Technology” (OT) environments — in short, it attacks a firm’s physical infrastructure in addition to attacking its networks, systems and/or data.

To understand how disruptionware works, one must understand its basic foundational construction. This graphic, reprinted with permission of ICIT, provides an excellent representation of characteristic disruptionware components:

While ransomware is still the leading “go to” form of disruptionware for many cyberattacks, disruptionware introduces many new cyber-attack soldiers to do its bidding, such as:

  • Wipers – wiper malware maliciously wipes data making it unrecoverable
  • Bricking Capabilities – a PDoS (permanent denial of service attack) malware that renders devices unusable by overwriting portions of the device’s firmware
  • Automated Component Attacks – uses tools such as botnets and other automated components to overwhelm a network with inbound traffic, leading to a destructive denial of service attack
  • Data Exfiltration Tools – tools used by malicious actors to target, copy and transfer sensitive data from one network to another; causes extreme disruption of employer business focus and severely taxes human resources of the victim company
  • Enhanced Network Reconnaissance Tools – tools such as remote access Trojans, key loggers and network-mapping tools that infiltrate and permanently destroy the OT environment of their victims

Many of these tools are designed to do more than just encrypt data in hopes of ransom, but to actually and utterly destroy a user’s systems, networks and data permanently. Due to the ubiquitous and intense nature of these attacks, it is imperative that companies immediately consider, at least to start, hardening their IT and OT networks as much as possible as well as provide social awareness training to their employees to help curtail the spread of disruptionware.

The severe danger of disruptionware attacks on the OT environment of critical infrastructure in places like government institutions and hospitals is that the attacks are tailored to their actual business continuity and physical foundational IT and OT systems. Disruptionware attackers particularly focus on targeting the growing connection (and merging) of IT and industrial control systems (ICS). In doing so, disruptionware is able to heap massive potential damages on organizations that are trying to turn these disparate networks into a single unified system. This threat is highlighted by the huge rise in ransomware attacks alone. According to Cybersecurity Ventures, ransomware attacks are predicted to occur every 11 seconds by 2021, with a cost to victims of over $20 billion, and with global cyber-crime-related damages in 2021 estimated to reach $6 trillion.

There have already been some recently identified disruptionware attacks with losses in the hundreds of millions of dollars, as victim companies were unprepared to defend themselves against the devastating damage caused by these multifaceted attacks. So, the natural next question is why disruptionware is so dangerous despite its lack of advanced “sophistication.” This is because disruptionware:

  • Has a high rate of successful compromise
  • Requires little to no continued adversarial effort
  • Consumes a target’s internal resources very effectively
  • Disrupts daily operations
  • Has the ability to spread down the supply chain, making it very attractive to cyber-villains, from traditional script-kiddies to nation-state threat actors

Disruptionware was initially very successful in taking advantage of remote desktop protocol (RDP) attacks which, until the last few months, were a reasonably unknown attack point of entry. In July 2019 alone, there were over 805,000 systems considered vulnerable to RDP exploits — making those systems targets for additional attacks in the form of disruptionware.

In short, disruptionware provides another major advantage for cyber-criminals. In many of these attacks, the cyber adversary may still maintain access to the system, thus allowing installation of backdoors, remote-access Trojans or other types of dangerous or unknown malware. ICIT has noted that disruptionware could also stem from cloud-based attacks, due to its ability to maintain “persistent synchronization” and could even potentially attack millions of devices attached by the Internet of Things (IoT). Disruptionware may allow a cyber-criminal to take control of (or destroy) smart appliances in private residences, such as smart washers and dryers or smart thermostats.

With the assistance of outside counsel, organizations are well-advised to begin thinking about how to confront these new forms of cybersecurity threats from both a business and technical perspective. There are, in fact, multiple defenses that can combat these new and emerging disruptionware attacks.

We will discuss those defenses in more depth in my next disruptionware blog.

©2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.