WatchPoint Security Blog

Ransomware Attacks Continue to Rise During Coronavirus (COVID-19) Pandemic

Written by Jordan Kadlec | April 14, 2020

Cybercriminals continue to cash in on the chaos of the coronavirus pandemic as targeted ransomware attacks have increased significantly over the last couple of weeks.

Hospitals and Healthcare Organizations are Big Targets

According to INTERPOL, the International Criminal Police Organization, there has been a substantial increase in ransomware attacks against hospitals throughout the world that are actively engaged in the coronavirus response. Remember when several ransomware gangs pledged not to target hospitals and healthcare organizations? I guess the saying, “no honor amongst thieves,” holds quite true here.

As if these organizations don’t have enough to worry about as they battle to save lives and keep their staff safe, they now must worry about a crippling ransomware attack.

“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” INTERPOL Secretary General Jurgen Stock said.

While other organizations are certainly being heavily targeted at a time when a large percentage of employees are working remotely, hospitals and healthcare organizations are prime victims because they are more likely to pay a ransom. These organizations can’t afford to have their systems down when they are overwhelmed with coronavirus patients. As such, it’s more probable than not that they will pay the ransom to get their systems back up and running as soon as possible after a ransomware attack.

Research Firm Targeted by Ransomware Attack

Hackers recently hit biotech research firm 10x Genomics with a ransomware attack amid its effort to work on a potential coronavirus treatment. The ransomware attack involved the theft of sensitive information. However, 10x Genomics was able to isolate the source of the attack and restore normal operations without any impact on the firm’s ability to access its data.

The REvil ransomware gang claimed credit for the attack, saying they were able to take about 1TB of data. The group actively scans the internet for vulnerable systems and will typically leverage the updater features of VPN clients to deploy the ransomware.

10x Genomics is the second research firm focused on a coronavirus vaccine to be hit by a ransomware attack in the past month. The Maze ransomware group successfully infected Hammersmith Medicines Research and published data stolen from the attack.

INTERPOL and Microsoft Fight Against Coronavirus Ransomware Issues

According to INTERPOL, the ransomware attacks are primarily spreading through emails that appear to contain information or advice about the coronavirus from a government agency. US federal agencies have also reported a surge in fraud schemes related to COVID-19. In response, the INTERPOL Cybercrime Threat Response team is monitoring all coronavirus-related threats and working with cybersecurity partners to gather data and provide support to organizations targeted with ransomware.

INTERPOL is also assisting in police investigations related to ransomware cases and providing technical support to member countries and ransomware insights to help combat attacks against medical facilities.

As of April 9th, Microsoft has joined the fight against ransomware attacks. Microsoft revealed that they have intensified monitoring and takedown of threats that exploit the ongoing pandemic. The team at Microsoft is responsible for protecting hospitals and healthcare facilities from human-assisted ransomware attacks. Analysts have been tracing the previously mentioned REvil ransomware variant as part of their research on human-operated ransomware attacks.

“Intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure on more recent VPN attacks. This indicates an ongoing trend among attackers to repurpose old tactics, techniques, and procedures for new attacks that take advantage of the current crisis. We haven’t seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people’s fears and urgent need for information,” according to Microsoft.

Simply put, cybercriminals aren’t coming up with any new, revolutionary attacks; they’re banking on individuals trying to stay up to date on the latest coronavirus information. A recent example of a scam was a website posing as the World Health Organization website for coronavirus relief. The fake website urged users to donate Bitcoin as “coronavirus relief funds,” so the scammers could pocket the money instead of giving it to organizations in need.
