No Honor Among Thieves: Ransomware Targeting COVID-19 Frontlines

On March 18, 2020, Lawrence Abrams of Bleeping Computer reached out to a number of prolific cyber-criminal groups including Maze, DoppelPaymer, Sodinokibi, and Ryuk, and asked, “Will you continue to target healthcare and/or medical organizations during the COVID-19 pandemic?” To the surprise of many, Maze and DoppelPaymer indicated they would not. However, many asked: how long would this good faith last? Unfortunately, we are now starting to see the answer.

Despite good intentions, two facts still remain. First, ransomware attacks are one of the most profitable, and therefore popular, tactics used by cyber criminals, and they blossom in times of national emergency. Second, cyber criminals are predatory in nature and base their attacks on opportunities to make higher, faster ransomware demands, and COVID-19 offers plenty of those.

Notable Attacks

Within one month of Abrams’s interview, Interpol (International Criminal Police Organization) reported a significant increase in the number of ransomware attacks against key organizations and infrastructure engaged in the virus response.

The Maze group, which initially pledged not to target healthcare organizations, is reported to have attacked Hammersmith Medicines Research, a British COVID-19 vaccine test center. The attackers stole records of patients who participated in testing trials from the past 20 years and published the data on the dark web with a ransom demand. The research lab was able to spot the attack in progress and restore its systems without paying the ransom.

One of the organizations that did not respond to Abrams’s initial inquiry was Ryuk. Shortly after, a healthcare organization reported a ransomware attack through PsExec, a method associated with Ryuk. According to CPO Magazine, Ryuk has gone on to target more than 10 other healthcare providers including a network of at least nine hospitals, with one reportedly in a state severely impacted by COVID-19.

The Sodinokibi group also did not respond to Abrams’s initial inquiry, but was implicated in an attack. Abrams reported, “A strain of Sodinokibi, tracked by Microsoft as REvil, was attempting to exploit weaknesses in VPN server security to encrypt data found in hospital servers and machines.” Many groups, including Sodinokibi, are preying on weaknesses such as the improper configuration of company VPNs during the shift to remote workforces.

The World’s Response

Interpol recently issued a purple notice (to seek or provide information on modus operandi, objects, devices and concealment methods used by criminals) to the 194 member countries and their law enforcement agencies alerting them of the COVID-19 cyber threats. Accompanying the notice was a statement outlining the severe consequences of these types of attacks from Interpol Secretary General Jürgen Stock stating that “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.”

Recently, the U.S. government appointed America’s first COVID-19 fraud coordinator, Shaun Sweeney, to oversee the fraud prosecution of coronavirus attackers. In addition, the U.S. announced it is waiving the threshold for initiating fraud cases related to coronavirus scams. To find out how to report COVID-19 related crimes and cyber best practices relating to COVID-19, refer to https://www.justice.gov/usao-wdpa/covid-19-fraud-page.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.