Hospitals Forced to Fight Another Pandemic
The current upsurge in hackers looking to take advantage of the COVID-19 pandemic has been well-documented, be they scammers and financially motivated hackers or well-funded and skilled state-sponsored groups. This in itself says little about the ethical foundation those hackers have; such opportunism has come to be expected from much of the criminal class. What is more repellent is the active targeting of hospitals and those on the front lines of combatting the COVID-19 pandemic. Almost daily news reports show the struggle experienced by many hospitals and healthcare professionals just to keep fighting the good fight. You would think many hackers, especially those behind “human-operated” ransomware operations, would leave hospitals alone, at least for the time being. Sadly, this is not the case, as reports continually emerge of hospitals falling victim to ransomware attacks.
A Show of ‘Compassion’
Lawrence Abrams of Bleeping Computer reached out to some of the most prolific ransomware gangs currently carving out names—and lots of victims—for themselves to ask if they would be targeting hospitals and other healthcare organizations combatting the pandemic while it raged across the globe. Gangs asked included Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker and Ako Ransomware. Some of the answers displayed a certain amount of goodwill. The CLOP ransomware gang stated:
“we never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won’t. commercial pharmaceutical organizations are not suitable for this list; they are the only ones who benefit from the current pandemic…the international health organization conducts vaccine tests, we follow the news, if there is actual evidence of the laboratory working on the vaccine, of course, we will give the key for free, we are not enemies of humanity, but commercial laboratories that are trying to trick us will never get the key. our goal is money, not harm.”
The gang behind DoppelPaymer shared similar sentiments stating,
“We always try to avoid hospitals, nursing homes, if it’s some local gov – we always do not touch 911 (only occasionally is possible or due to misconfig in their network). Not only now…If we do it by mistake – we’ll decrypt for free. But some companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter ) So if this happens we’ll do double, triple check before releasing decrypt for free to such things. But about pharma – they earn lot of extra on panic nowadays, we have no wish to support them. While doctors do something, those guys earn.”
The Maze ransomware gang also rather tersely stated,
“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.”
Nefilim and Netwalker were the two gangs that said that they would not target hospitals during this time, or even went so far as to state that they never targeted hospitals. The latter said that they believed no one would ever target a hospital on purpose, but later said that if any organization finds its data encrypted, it must pay for decryption. Further, a couple of security firms said they would provide free assistance to those in need during these unprecedented times.
There were two glaring omissions from the article: Ryuk and Sodinokibi, both of which were determined to be the major drivers in doubling the costs associated with ransomware incidents in the space of one quarter. Data comparing Q3 and Q4 2019 shows that costs increased from $41,198 USD to $84,116 USD. The silence of both Ryuk and Sodinokibi could be interpreted in two ways: either they did not receive the communication from Lawrence Abrams, or troubling times would follow. Unfortunately, it was to be a sign of troubling times.
Shortly after no response was received, a security researcher posted on Twitter that a U.S. healthcare organization had just suffered a ransomware attack. The researcher determined, based on known indicators of compromise, that the offending piece of ransomware was indeed Ryuk. The operators behind the attack deployed the ransomware through PsExec, a common tactic used by Ryuk operators. The attack was discovered March 26; however, there may have been 10 other incidents of Ryuk infecting hospitals and other healthcare organizations that month. This included a healthcare provider that oversees a network of nine hospitals.
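One way a hospital security team could spot the PsExec-based deployment described above, as an added example that is not part of the original article: the script scans Windows System log Event ID 7045 (service installed) records for PsExec's default PSEXESVC service and for services whose binary was staged through an admin share, which is how a renamed PsExec service would still show up. The event dicts, field names and hostnames are constructed simplifications of what a SIEM would hold.

```python
"""Flag PsExec-style service installs in Windows 7045 events (added example,
not from the article; field names are a constructed simplification)."""
import re

# Constructed sample records modelled on System log Event ID 7045 fields.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS-RAD01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "SRV-FILE02", "service_name": "svc_update",
     "image_path": r"\\SRV-FILE02\ADMIN$\svc_update.exe"},
    {"event_id": 7045, "host": "WS-RAD01", "service_name": "WinDefend",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 4624, "host": "WS-RAD01", "logon_type": 3},
]

# PsExec's default service is PSEXESVC; its -r switch renames the service, so
# also flag any service whose binary was dropped through an admin share.
DEFAULT_NAME = re.compile(r"^PSEXESVC$", re.IGNORECASE)
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN\$|C\$)\\", re.IGNORECASE)


def classify_service_install(event):
    """Return why a 7045 record looks like PsExec, or None if it does not."""
    if event.get("event_id") != 7045:
        return None  # only service-installation events are of interest here
    name = event.get("service_name", "")
    path = event.get("image_path", "")
    if DEFAULT_NAME.match(name) or "psexesvc" in path.lower():
        return "default PsExec service name or binary"
    if ADMIN_SHARE.search(path):
        return "service binary staged via admin share (possible renamed PsExec)"
    return None


def find_psexec_service_installs(events):
    """Collect (host, service_name, reason) for every suspicious install."""
    hits = []
    for event in events:
        reason = classify_service_install(event)
        if reason:
            hits.append((event["host"], event["service_name"], reason))
    return hits


if __name__ == "__main__":
    for host, svc, why in find_psexec_service_installs(SAMPLE_EVENTS):
        print(f"{host}: service '{svc}' -> {why}")
```

Legitimate administrative tooling also installs services this way, so hits should be correlated with the preceding network logon and with change tickets before being treated as an incident.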
SentinelOne’s head of research, Vitali Kremez, noted that Ryuk’s targeting of hospitals has continued despite numerous calls to stop during these troubled times, when hospitals and healthcare professionals are being pushed to the brink. There is a very real threat that encrypting hospital data may affect a doctor’s ability to save lives, as medical records are necessary for determining appropriate treatment.
On April 1, a day normally reserved for April Fool’s jokes including fictitious articles but tastefully ignored by media outlets given the current state of misery of the world, Microsoft issued an alert warning healthcare organizations of numerous ransomware campaigns targeting the industry. In this instance, operators are targeting the thing designed to increase privacy for employees working remotely to stop the spread of the disease: VPN services. Like other security firms, the Redmond tech giant has placed a greater emphasis on protecting hospitals during this time to hopefully help lessen the load on staff.
In one of the campaigns targeting hospitals, researchers discovered that a strain of Sodinokibi, tracked by Microsoft as REvil, was attempting to exploit weaknesses in VPN server security to encrypt data found in hospital servers and machines. As with Ryuk, Sodinokibi forms part of a group of ransomware strains known as big-game hunters, which target large organizations to demand higher ransoms as there is likely more pressure to pay the ransom. Recently, researchers have been using the term “human-operated ransomware” to describe these strains. They are deemed to be human-operated, as they employ tactics used by state-sponsored groups rather than heavily automated attacks favored by those looking to infect as many machines as possible in the shortest amount of time.
Human-operated ransomware operators will look for specific targets and then, by employing a number of reconnaissance tactics, develop a clear picture of the target’s network and system administration, as well as security flaws to exploit, before launching the attack. This allows for a greater success rate, as the weaknesses were determined pre-attack. This is evident in the Sodinokibi campaigns targeting hospitals, as many of the operators’ traditional tactics have been repurposed to take advantage of discovered flaws in VPN products.
VPNs increasingly have been targeted by a variety of different hackers during the pandemic for several reasons that have made them susceptible to exploitation. Orders from both governments and companies that employees stay home unless they form part of an essential service have forced many to work remotely, which has led to a spike in VPN usage as companies look to try and protect their data from outside the organization. Often in the rush, VPN products have been incorrectly configured or not kept up to date. Hospitals’ primary aim is to save the lives of those infected with COVID-19, so cybersecurity is forced to take a back seat during the crisis. This, unfortunately, leaves primary caregivers susceptible to attack. Both the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published advisories on how to best secure VPN connections to prevent exploitation.
Response From Interpol
It can be safely assumed that these attack campaigns will continue despite any public plea for them to stop. On April 4, the international crime-fighting organization Interpol weighed in on the matter. In a public statement, it warned that it had detected a surge in attack attempts on hospitals, with hackers looking to deploy various ransomware strains. Interpol issued a Purple Notice to all 194 of its member countries, alerting their law enforcement organizations to the threat.
In response to the threat, Interpol is working with private security firms to provide added support during the pandemic. Further, assistance is being provided to regional law enforcement agencies to help mitigate risks. This involves the international agency collecting data pertaining to suspicious internet domains looking to leverage the pandemic for malicious purposes. Interpol Secretary General Jürgen Stock stated,
“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients…Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide any assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable.”
Interpol also placed an emphasis on the role that prevention and mitigation play in helping defend hospitals from the threat. Many of the campaigns being tracked by the organization rely on malicious emails to spread the malware. The emails falsely claim to provide advice on the pandemic and are spoofed to appear to come from government or healthcare agencies. To that end, Interpol has advised that healthcare organizations take the following steps to protect their systems from ransomware attacks:
- Only open emails or download software/applications from trusted sources.
- Do not click on links or open attachments in emails you were not expecting to receive or come from an unknown sender.
- Secure email systems to protect from spam, which could be infected.
- Back up all important files frequently and store them independently from your system (e.g. in the cloud, on an external drive).
- Ensure you have the latest anti-virus software installed on all systems and mobile devices and that it is constantly running.
- Use strong, unique passwords for all systems, and update them regularly.
Difficult Times Ahead
Once the dust of the current crisis settles and hard lessons are learned, one of those lessons will be the uncaring nature of hackers during a time of crisis. Their continued assault on hospitals, where incidents were reported even before the pandemic reached its current state, has shown that certain ransomware operators place profit over human life. At the time of writing, some countries, including France, have extended their lockdown conditions indefinitely, with other countries expected to follow suit; this is an indication that the crisis is not over. As a result, hospitals will be forced to fight not only the pandemic but also hackers looking to turn a quick profit.