No Honor Among Thieves: Ransomware Targeting COVID-19 Frontlines

On March 18, 2020, Lawrence Abrams of Bleeping Computer reached out to a number of prolific cyber-criminal groups including Maze, DoppelPaymer, Sodinokibi, and Ryuk, and asked, “Will you continue to target healthcare and/or medical organizations during the COVID-19 pandemic?” To the surprise of many, Maze and DoppelPaymer indicated they would not. However, many asked the question—how long would this good faith last? Unfortunately, we are now starting to see the answer.

Despite good intentions, two facts still remain. First, ransomware attacks are one of the most profitable, and therefore most popular, tactics used by cyber criminals, and they blossom in times of national emergency. Second, cyber criminals are predatory in nature and build their attacks on opportunity in order to make higher, faster ransom demands, and COVID-19 offers plenty of opportunity.

Notable Attacks

Within one month of Abrams’s interview, Interpol (International Criminal Police Organization) reported a significant increase in the number of ransomware attacks against key organizations and infrastructure engaged in the virus response.

The Maze group, who initially pledged not to target healthcare organizations, is reported to have attacked Hammersmith Medicines Research, a British COVID-19 vaccine test center. The attackers stole records of patients who had participated in testing trials over the past 20 years and published the data on the dark web with a ransom demand. The research lab was able to spot the attack in progress and restore its systems without paying the ransom.

One of the groups that did not respond to Abrams’s initial inquiry was Ryuk. Shortly after, a healthcare organization reported a ransomware attack delivered through PsExec, a method associated with Ryuk. According to CPO Magazine, Ryuk has gone on to target more than 10 other healthcare providers, including a network of at least nine hospitals, one of which is reportedly in a state severely impacted by COVID-19.
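PsExec runs commands on a remote machine by installing a temporary Windows service on it, so from the defender's side the footprint to watch is the Service Control Manager's Event ID 7045 ("A service was installed in the system"). The following is an added example, not code from the article or from Schneider Downs: a small detector that reads System-log records exported as JSON lines and flags service installations that look like remote execution tooling. The log lines are constructed for the example (the host names, times and the `AbCdEfGh` service are invented), the JSON field names are an assumption about the export format, and the random-name and Windows-root heuristics are deliberately loose and will need tuning against your own baseline.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample: five Windows System-log records flattened to JSON lines,
# a shape many SIEM exports use. These are NOT real events from any incident
# the article describes. Event ID 7045 is the Service Control Manager's
# "A service was installed in the system" record; 7036 is a service state change.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2020-04-01T02:13:44Z", "host": "HIS-FILE01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "start": "demand"},
    {"time": "2020-04-01T02:13:50Z", "host": "HIS-FILE01", "event_id": 7036,
     "service": "PSEXESVC", "state": "running"},
    {"time": "2020-04-01T03:00:12Z", "host": "HIS-DB02", "event_id": 7045,
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
    {"time": "2020-04-01T03:05:09Z", "host": "HIS-DB02", "event_id": 7045,
     "service": "AbCdEfGh", "image": r"C:\Windows\AbCdEfGh.exe", "start": "demand"},
    {"time": "2020-04-01T03:07:30Z", "host": "HIS-WS17", "event_id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe", "start": "auto"},
])

# Default service names registered by PsExec and two widely used clones.
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc", "paexec", "csexecsvc"}
# Heuristic (assumption): some PsExec-style tools register an eight-letter random name.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# Heuristic: PsExec drops its service binary directly in the Windows directory,
# not under System32, and registers it as an on-demand service.
WINDIR_ROOT = re.compile(r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    host: str
    service: str
    image: str
    reasons: list = field(default_factory=list)


def classify_install(event):
    """Return the reasons a 7045 record looks like remote service execution (empty if none)."""
    reasons = []
    name = event.get("service", "")
    image = event.get("image", "")
    basename = image.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution service name")
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(stem):
        reasons.append("random eight-letter service and binary name")
    if WINDIR_ROOT.match(image) and event.get("start") == "demand":
        reasons.append("on-demand service whose binary sits in the Windows root")
    return reasons


def detect(log_text):
    """Scan JSON-lines log text and return a Finding for each suspicious 7045 record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_id") != 7045:
            continue  # only service-installation records are of interest here
        reasons = classify_install(event)
        if reasons:
            findings.append(Finding(event["time"], event["host"], event["service"],
                                    event.get("image", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.time} {f.host}: service {f.service!r} from {f.image!r} -> {'; '.join(f.reasons)}")
```

Run against the constructed sample, the detector reports the `PSEXESVC` install on HIS-FILE01 and the randomly named service on HIS-DB02, and stays quiet on the Spooler and backup-agent installs. In practice the 7045 record only tells you a service was installed; pairing it with the originating logon (Event ID 4624, logon type 3) and the admin-share file write that PsExec performs before installation gives a far stronger signal than any one rule here.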

The Sodinokibi group also did not respond to Abrams’s initial inquiry, but was implicated in an attack. Abrams reported, “A strain of Sodinokibi, tracked by Microsoft as REvil, was attempting to exploit weaknesses in VPN server security to encrypt data found in hospital servers and machines.” Many groups, including Sodinokibi, are preying on weaknesses such as the improper configuration of company VPNs during the shift to remote workforces.

The World’s Response

Interpol recently issued a purple notice (used to seek or provide information on the modus operandi, objects, devices and concealment methods used by criminals) to its 194 member countries and their law enforcement agencies, alerting them to the COVID-19 cyber threats. Accompanying the notice was a statement from Interpol Secretary General Jürgen Stock outlining the severe consequences of these types of attacks: “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.”

Recently, the U.S. government appointed America’s first COVID-19 fraud coordinator, Shaun Sweeney, to oversee the prosecution of coronavirus-related fraud. In addition, the U.S. announced it is waiving the threshold for initiating fraud cases related to coronavirus scams. To find out how to report COVID-19 related crimes and for cyber best practices relating to COVID-19, refer to https://www.justice.gov/usao-wdpa/covid-19-fraud-page.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at cybersecurity@schneiderdowns.com.

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.