
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


COVID-19: Ruthless Ransomware Authors Attack Hospitals

Topics: Ransomware, Malware, Healthcare Security, COVID-19

Posted: 08 July 2020


The Coronavirus outbreak continues to hold the entire world hostage, and healthcare facilities are at the forefront of this struggle. The fact that hospitals and pharmaceutical labs are overwhelmed with work and research makes them more vulnerable to malware attacks than ever before. Saving lives is their top priority and everything else comes next. Malicious actors don’t seem to care about the importance of these commendable efforts, though. They are waging a cyberwar against medical organizations as if the COVID-19 emergency weren’t underway.

The wake-up call that signaled cybercrime’s indifference was a dramatic surge in phishing campaigns capitalizing on the pandemic scare that took root in January 2020. Crooks have since been spawning emails impersonating trusted healthcare institutions such as the World Health Organization (WHO) to get hold of users’ credentials and install info-stealing Trojans. Whereas these stratagems aren’t specifically aimed at hospitals, ransomware operators took the wickedness to the next level by orchestrating targeted attacks against the healthcare industry.


INTERPOL says ransomware raids against hospitals are on the rise


According to recent findings of INTERPOL, the International Criminal Police Organization, threat actors have ramped up their attempts to pollute the IT networks of hospitals with ransomware in spite of the COVID-19 crisis. The adverse outcome of such an incursion isn’t restricted to data damage. It can also hamper quick medical response and thus impact the physical well-being of the patients.


In light of the increase in ransomware attacks zeroing in on healthcare institutions, INTERPOL has given the police in 194 member states a heads up about the menace by issuing a Purple Notice. The organization emphasizes its commitment to providing technical support as well as mitigation and protection assistance to all the countries under its wide umbrella. Additionally, its Cyber Threat Response (CTR) team is amassing details on dubious Internet domains to further bolster in-depth analysis of ransomware incidents and adopt relevant countermeasures to safeguard the critical health infrastructure.


The law enforcement officials claim that emails with booby-trapped links or attachments are the dominant vector of ransomware distribution at this point. Therefore, phishing awareness among medical personnel is half the battle. An extra recommendation is to keep all critical data backed up to storage isolated from the main systems. Regular software and hardware updates, strong passwords, and effective antivirus solutions will further strengthen the security posture of healthcare institutions.



The word 'ethics' isn't in Ryuk ransomware authors' vocabulary


Ryuk, a long-standing strain that focuses on crippling enterprise networks, keeps attacking hospitals during the Coronavirus outbreak. One such onslaught was detected in late March 2020. According to security analysts at Sophos, the malefactors behind this threat hit an unnamed U.S. health organization. The infection was remotely deployed in the host network by means of the PsExec command-line tool. The predatory software then spread laterally across the digital environment, encrypted valuable data, and dropped a note with ransom demands onto the affected computers.
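For defenders, PsExec-based deployment leaves a trace: by default the tool installs a service named PSEXESVC on each remote host, which Windows records as System log event 7045. The sketch below is an added example, not code from this article or from Sophos; the record layout, host names, accounts and the 10-minute/3-host thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed, simplified records modelled on Windows System log event 7045
# ("A service was installed in the system"). Field names are assumptions.
FIELDS = ("time", "host", "event_id", "service", "image", "installed_by")
RAW = [
    ("2020-01-01T02:10:05", "WS-014", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", r"CORP\svc-backup"),
    ("2020-01-01T02:10:40", "WS-015", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", r"CORP\svc-backup"),
    ("2020-01-01T02:12:00", "SRV-FILE01", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", r"CORP\svc-backup"),
    ("2020-01-01T02:12:01", "SRV-FILE01", 7036, "PSEXESVC", "", r"CORP\svc-backup"),
    ("2020-01-01T09:30:00", "WS-014", 7045, "UpdaterSvc", r"C:\Program Files\Updater\upd.exe", r"CORP\it-admin"),
    ("2020-01-01T14:00:00", "WS-200", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", r"CORP\it-admin"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def psexec_installs(events):
    """Return 7045 records whose service name or image path is PsExec's default.

    The service name can be changed by whoever runs PsExec, so name matching
    is a baseline signal, not a complete detection.
    """
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue  # only service-installation events are relevant here
        if "psexesvc" in (e["service"] + e["image"]).lower():
            hits.append(e)
    return hits

def fanout_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts that installed the PsExec service on at least
    min_hosts distinct hosts within one time window (lateral spread)."""
    by_account = {}
    for e in psexec_installs(events):
        stamp = datetime.fromisoformat(e["time"])
        by_account.setdefault(e["installed_by"], []).append((stamp, e["host"]))
    alerts = {}
    for account, seen in by_account.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for account, hosts in fanout_alerts(EVENTS).items():
        print(f"ALERT {account}: PsExec service installed on {hosts}")
```

A single administrator session (the `it-admin` record) stays below the threshold, while the burst from one account across three hosts is flagged.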


Furthermore, endpoint security software provider SentinelOne claims Ryuk ransomware has attempted to contaminate ten medical organizations since February 2020. One of the targets is a network of nine American hospitals involved in COVID-19 response. During the unprecedented period when people’s lives are at stake, this activity is particularly disgusting.


Dharma ransomware doesn't depart from its regular genre either


Another ransomware lineage known as Dharma follows in the footsteps of Ryuk by continuing to disrupt the work of healthcare facilities around the world. Having splashed onto the scene back in 2016, it is also one of the oldies in the extortion ecosystem. Its operators’ tactics have hardly changed ever since, and hospitals haven’t vanished from their radar despite the current global crisis.


The latest spinoff of this family is using the Coronavirus theme at different stages of its deployment inside a host network. Its primary payload is an executable named 1covid.exe that mimics a benign email attachment. If a recipient gets on the hook and runs this file, the ransomware gains a foothold on the machine and tries to expand the attack surface by looking for other devices on the same network and infecting them as well.


Then, by applying a combo of the asymmetric RSA cipher and symmetric AES-256 cryptosystem, Dharma renders all potentially important files inaccessible and triggers a rescue note listing the attackers’ contact details so that the victim can negotiate the decryption terms. By the way, the email address specified in this how-to document is coronavirus@qq.com, no matter how revolting it may sound. In case a large network is impacted, the criminals may demand dozens of Bitcoins (worth hundreds of thousands of dollars) for data recovery per victimized organization.




Perpetrators with Russian roots compromising European pharma companies


Two high-profile hacker gangs carried out a series of attacks against pharmaceutical and manufacturing companies in Germany and Belgium in late January 2020. Group-IB security researchers attributed these raids to Russian-speaking threat actors representing notorious syndicates dubbed TA505 and Silence. Whereas the track record of the former group includes past breaches of healthcare institutions, the latter appears to have switched from hacking finance sector companies to the new range of targets.


The attacks reportedly piggybacked on two vulnerabilities documented as CVE-2019-1405 and CVE-2019-1322 to run harmful executables with elevated privileges inside the infiltrated networks. Although the analysts were unable to pinpoint the final-stage payload because the attacks were thwarted at an early stage, they found clues suggesting that these incursions could have been attempts to perform ransomware attacks disguised as classic breaches. This theory, in part, revolves around the fact that the TA505 group had previously distributed several mainstream ransomware programs, including the infamous Locky and Rapid lineages.


A few cybercriminal groups claim to be easing the grip


In contrast to the disgusting foul play highlighted above, some ransomware operators appear to follow an unspoken code of ethics – at least they claim to. In mid-March 2020, researchers at the Bleeping Computer cybersecurity portal tried to contact malicious actors behind today’s most active ransomware families. The question was whether they were going to stop infecting organizations that tackle the COVID-19 pandemic. Surprisingly, some black hats replied.


The felons in charge of the Clop ransomware campaign said they never zeroed in on hospitals and charities and would adhere to this practice further on. Another claim was that if they accidentally hit such an entity, they would provide the data decryption tool for free. Interestingly, the Clop gang stated that pharma companies don’t fit the mold of their “whitelist” because they benefit from the healthcare crisis and will have to pay the ransom if attacked.


The architects of another ransomware called DoppelPaymer also assured the analysts that they wouldn’t be targeting hospitals during the Coronavirus outbreak. If they infect such an institution by mistake, they will restore data for free. The only caveat is that the organization must prove that it’s involved in the healthcare industry. As is the case with Clop, though, DoppelPaymer will stick with ransom demands if a pharma company falls victim to it.


The gangs at the helm of the Nefilim and Netwalker ransomware nasties claimed that hospitals and nonprofits never were on their list of intended victims and it would stay that way. However, Netwalker operators said that if a health organization’s data is encrypted by accident, they won’t drop their demands and will insist on the ransom payment for the decryptor.


Although the extortionists deploying the prolific Maze ransomware confirmed their intention to cease attacks against hospitals, they aren’t too fair and square in terms of carrying through on this promise. Shortly after making the original statement about a non-attack strategy regarding “all kinds of medical organizations,” they published files previously stolen from a UK company called Hammersmith Medicines Research, which is going to perform clinical trials of Coronavirus vaccines. The spilled records include personal information of thousands of former patients. On a side note, threatening to leak organizations’ data obtained during a ransomware attack is a recent approach used to pressure the victims into paying ransoms.




The current situation demonstrates how the real and digital worlds can overlap to such an extent that people’s physical condition depends on cybersecurity. Even though some ransomware actors purport to have temporarily excluded hospitals from their list of targets, everyone should keep in mind that those are double-dealing individuals who can make empty promises in a snap and prioritize financial gain over morals. Therefore, decision-makers in the healthcare industry need to enforce a proactive security model based on employees’ online hygiene, data backups, and reliable security software that will identify and block the attack before it affects critical data.



Posted by: David Balaban
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.