No Honor Among Thieves: Ransomware Targeting COVID-19 Frontlines

On March 18, 2020, Lawrence Abrams of Bleeping Computer reached out to a number of prolific cyber-criminal groups including Maze, DoppelPaymer, Sodinokibi, and Ryuk, and asked, “Will you continue to target healthcare and/or medical organizations during the COVID-19 pandemic?” To the surprise of many, Maze and DoppelPaymer indicated they would not. However, many asked the question—how long would this good faith last? Unfortunately we now are starting to see the answer.

Despite good intentions, two facts still remain. Ransomware attacks are one of the most profitable and therefore popular tactics used by cyber criminals and blossom in times of national emergencies. Second, cyber criminals are predatory in nature and base their attacks on opportunity to create higher, faster ransomware demands, which COVID-19 offers plenty of.

Notable Attacks

Within one month of Abrams’s interview, Interpol (International Criminal Police Organization) reported a significant increase in the number of ransomware attacks against key organizations and infrastructure engaged in the virus response.

The Maze group, who intially pledged not to target healthcare organizations, is reported to have attacked Hammersmith Medicines Research, a British COVID-19 vaccine test center. The attack stole records of patients who participated in testing trials from the past 20 years and published the data on the dark web with a ransom demand. The research lab was able spot the attack in progress and restore their systems without paying the ransom.  

One of the organizations who did not respond to Abrams’s initial inquiry was Ryuk. Shortly after, a healthcare organization reported a ransomware attack through PsExec, a method associated with Ryuk. According to CPO Magazine, Ryuk has gone on to target more than 10 other healthcare providers including a network of at least nine hospitals, with one reportedly in a state severely impacted by COVID-19. 

The Sodinokibi group also did not respond to Abrams initial inquiry, but was indicated in an attack. Abrams reported, “A strain of Sodinokibi, tracked by Microsoft as REvil, was attempting to exploit weaknesses in VPN server security to encrypt data found in hospital servers and machines.” Many groups including Sodinokibi are preying on weaknesses such as the improper configuration of company VPNS during the shift to remote workforces.

The Worlds’ Response

Interpol recently issued a purple notice (to seek or provide information on modus operandi, objects, devices and concealment methods used by criminals) to the 194 member countries and their law enforcement agencies alerting them of the COVID-19 cyber threats. Accompanying the notice was a statement outlining the severe consequences of these types of attacks from Interpol Secretary General Jürgen Stock stating that “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.”

Recently, the U.S. government appointed America’s first COVID-19 fraud coordinator, Shaun Sweeney, to oversee the fraud prosecution of coronavirus attackers. In addition, the U.S. also announced they are waiving the threshold for initiating fraud causes related to coronavirus-related scams. To find out how to report COVID-19 related crimes and cyber best practices relating to COVID-19, refer to https://www.justice.gov/usao-wdpa/covid-19-fraud-page.

Related Articles

• Cybersecurity Best Practices for Working from Home amid the COVID-19 Pandemic
• Coronavirus Cyber Scams are on the Rise

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.