
Covid-19: Ruthless Ransomware Authors Attack Hospitals

The coronavirus outbreak continues to hold the entire world hostage, and healthcare facilities are at the forefront of this struggle. The fact that hospitals and pharmaceutical labs are overwhelmed with work and research makes them more vulnerable to malware attacks than ever before. Saving lives is their top priority, and everything else comes next. Malicious actors do not seem to care about the importance of these commendable efforts, though. They are waging a cyberwar against medical organizations as if the COVID-19 emergency were not underway.

The wakeup call that signaled cybercrime’s indifference was a dramatic surge in phishing campaigns capitalizing on the pandemic scare that took root in January 2020. Crooks have been since spawning emails impersonating trusted healthcare institutions such as the World Health Organization (WHO) to get hold of users’ credentials and install info-stealing Trojans. Whereas these stratagems are not specifically aimed at hospitals, ransomware operators took the wickedness to the next level by orchestrating targeted attacks against the healthcare industry.

INTERPOL Says Ransomware Raids Against Hospitals Are on the Rise

According to recent findings of INTERPOL, the International Criminal Police Organization, threat actors have ramped up their attempts to pollute the IT networks of hospitals with ransomware despite the COVID-19 crisis. The adverse outcome of such an incursion is not restricted to data damage. It can also hamper quick medical response and thus impact the physical well-being of the patients.

Considering the increase in ransomware attacks zeroing in on healthcare institutions, INTERPOL has given the police in 194 member states a heads-up about the menace by issuing a Purple Notice. This notice means that INTERPOL alerts the public and requests help from the public in the form of information on modus operandi, objects, devices, and concealment methods used by criminals.

The organization emphasizes its commitment to providing technical support as well as mitigation and protection assistance to all the countries under its wide umbrella. Additionally, its Cyber Threat Response (CTR) team is amassing details on dubious Internet domains to further bolster in-depth analysis of ransomware incidents and adopt relevant countermeasures to safeguard the critical health infrastructure.

Law enforcement officials say that emails carrying booby-trapped links or attachments are the dominant vector of ransomware distribution at this point. Phishing awareness among medical personnel is therefore half the battle. An extra recommendation is to keep all critical data backed up to storage that is isolated from the main systems. Regular software and hardware updates, strong passwords, and effective antivirus solutions will further strengthen the security posture of healthcare institutions.

The Word “Ethics” Is Not in Ryuk Ransomware Authors’ Vocabulary

Ryuk, a longstanding strain that focuses on crippling enterprise networks, keeps attacking hospitals during the coronavirus outbreak. One such onslaught was detected in late March 2020. According to security analysts at Sophos, the malefactors behind this threat hit an unnamed U.S. health organization. The infection was deployed remotely across the host network by means of the PsExec command-line tool. The predatory software then spread laterally through the environment, encrypted valuable data, and dropped a note with ransom demands onto the affected computers.
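PsExec works by installing a temporary service (PSEXESVC by default) on each remote host, so Windows System log Event ID 7045 is a practical place to spot this kind of remote deployment. The following is an added detection example, not code from the article or from Sophos; it runs over a constructed, flattened key=value log sample (an assumed format, not what any particular SIEM emits) and flags a burst of PSEXESVC installs on several hosts within a short window, which is the fan-out pattern a PsExec-driven ransomware rollout leaves behind.

```python
"""Flag PsExec-style service installs and lateral-movement bursts in Windows System logs."""
from datetime import datetime, timedelta

# Constructed sample: Event ID 7045 = "A service was installed in the system",
# flattened into key=value fields. Hostnames and timestamps are made up.
SAMPLE_LOG = """\
time=2020-03-24T02:11:05 host=WS-RAD-07 event_id=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
time=2020-03-24T02:11:09 host=WS-RAD-12 event_id=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
time=2020-03-24T02:11:14 host=SRV-FILE-01 event_id=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
time=2020-03-24T02:30:00 host=WS-ADM-01 event_id=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
time=2020-03-24T03:05:22 host=SRV-PRINT-02 event_id=7045 service=Spooler path=C:\\Windows\\System32\\spoolsv.exe
"""

# Default PsExec service name. Renamed copies would need a path/hash rule instead.
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}


def parse(log):
    """Yield one dict per non-empty log line, with typed time and event_id."""
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["event_id"] = int(rec["event_id"])
        yield rec


def psexec_installs(log):
    """Every 7045 event whose service name matches PsExec's default."""
    return [r for r in parse(log)
            if r["event_id"] == 7045 and r["service"].upper() in PSEXEC_SERVICE_NAMES]


def fanout_alerts(log, window=timedelta(minutes=5), min_hosts=3):
    """Alert when >= min_hosts distinct machines get a PsExec service within `window`.
    Returns a list of (burst_start_time, sorted_host_list); one alert per burst."""
    events = sorted(psexec_installs(log), key=lambda r: r["time"])
    alerts, i = [], 0
    while i < len(events):
        start = events[i]["time"]
        burst = [r for r in events[i:] if r["time"] - start <= window]
        hosts = sorted({r["host"] for r in burst})
        if len(hosts) >= min_hosts:
            alerts.append((start, hosts))
            i += len(burst)  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts
```

A single admin using PsExec on one box (the 02:30 event) stays below the threshold; three hosts in nine seconds does not.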

Furthermore, endpoint security software provider SentinelOne claims that the Ryuk ransomware has attempted to contaminate ten medical organizations since February 2020. One of the targets is a network of nine American hospitals involved in COVID-19 response. During the unprecedented period when people’s lives are at stake, this activity is particularly disgusting.

Dharma Ransomware Does Not Depart from Its Regular Genre Either

Another ransomware lineage known as Dharma follows in the footsteps of Ryuk by continuing to disrupt the work of healthcare facilities around the world. Having splashed onto the scene back in 2016, it is also one of the oldies in the extortion ecosystem. Its operators’ tactics have hardly changed ever since, and hospitals have not vanished from their radar despite the current global crisis.

The latest spin-off of this family uses the coronavirus theme at different stages of its deployment inside a host network. Its primary payload is an executable file named 1covid.exe that mimics a benign email attachment. If a recipient takes the bait and runs this file, the ransomware gains a foothold on the machine and tries to spread further by scanning for other devices on the same network and infecting them as well.

Then, by applying a combination of the asymmetric RSA cipher and the symmetric AES-256 cryptosystem, Dharma renders all potentially important files inaccessible and drops a ransom note listing the attackers’ contact details so that the victim can negotiate the decryption terms. By the way, the email address specified in this note is coronavirus@qq.com, no matter how revolting it may sound. In case a large network is impacted, the criminals may demand dozens of bitcoins (worth hundreds of thousands of dollars) for data recovery per victimized organization.

Perpetrators with Russian Roots Compromising European Pharma Companies

Two high-profile hacker gangs carried out a series of attacks against pharmaceutical and manufacturing companies in Germany and Belgium in late January 2020. Group-IB security researchers attributed these raids to Russian-speaking threat actors representing notorious syndicates dubbed TA505 and Silence. Whereas the track record of the former group includes past breaches of healthcare institutions, the latter appears to have switched from hacking finance sector companies to the new range of targets.

The attacks reportedly piggybacked on two vulnerabilities documented as CVE-2019-1405 and CVE-2019-1322 to run harmful executables with elevated privileges inside the infiltrated networks. Although the analysts were unable to pinpoint the final-stage payload because the attacks were thwarted at an early stage, they found clues suggesting that these incursions could have been attempts to perform ransomware attacks disguised as classic breaches. This theory, in part, revolves around the fact that the TA505 group had previously distributed several mainstream ransomware programs, including the infamous Locky and Rapid lineages.

A Few Cybercriminal Groups Claim to Be Easing the Grip

In contrast to the disgusting foul play highlighted above, some ransomware operators appear to follow an unspoken code of ethics—at least they claim to. In mid-March 2020, researchers at the Bleeping Computer cybersecurity portal tried to contact malicious actors behind today’s most active ransomware families. The question was whether they were going to stop infecting organizations that tackle the COVID-19 pandemic. Surprisingly, some black hats replied.

The felons in charge of the Clop ransomware campaign said they had never zeroed in on hospitals and charities and would keep to this practice going forward. Another claim was that if they accidentally hit such an entity, they would provide the data decryption tool for free. Interestingly, the Clop gang stated that pharma companies do not fit the mold of their “whitelist” because they benefit from the healthcare crisis and will have to pay the ransom if attacked.

The architects of another ransomware called DoppelPaymer also assured the analysts that they would not be targeting hospitals during the coronavirus outbreak. If they infect such an institution by mistake, they will restore data for free. The only caveat is that the organization must prove that it is involved in the healthcare industry. As is the case with Clop, though, DoppelPaymer will stick with ransom demands if a pharma company falls victim to it.

The gangs at the helm of the Nefilim and NetWalker ransomware strains claimed that hospitals and nonprofits were never on their list of intended victims and that it would stay that way. However, NetWalker operators said that if a health organization’s data is encrypted by accident, they will not drop their demands and will insist on the ransom payment for the decryptor.

Although the extortionists deploying the prolific Maze ransomware confirmed their intention to cease attacks against hospitals, they are not too fair and square in terms of carrying through on this promise. Shortly after making the original statement about a non-attack strategy regarding “all kinds of medical organizations,” they published files previously stolen from a UK company called Hammersmith Medicines Research, which is going to perform clinical trials of coronavirus vaccines. The spilled records include personal information of thousands of former patients. On a side note, threatening to leak data stolen during a ransomware attack is a recent approach used to pressure victims into paying ransoms.

Summary

The current situation demonstrates how the real and digital worlds can overlap to such an extent that people’s physical condition depends on cybersecurity. Even though some ransomware actors purport to have temporarily excluded hospitals from their list of targets, everyone should keep in mind that those are double-dealing individuals who can make empty promises in a snap and prioritize financial gain over morals. Therefore, decision-makers in the healthcare industry need to enforce a proactive security model based on employees’ online hygiene, data backups, and reliable security software that will identify and block an attack before it affects critical data.


David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.