Ransomware gangs are changing targets again. That could make them even more of a threat

It's still business as usual for cyber criminals - and some are now paying more attention to hospitals than ever before.
Written by Danny Palmer, Senior Writer

The coronavirus pandemic has forced most organisations to rethink how they work. And it appears now that even cybercrooks and ransomware gangs are having to adapt their behaviour to adjust to the ongoing virus crisis.

Phishing attacks using coronavirus as a lure have grown rapidly in recent months as malicious hackers look to use it as a means of tricking victims into giving up usernames and passwords, personal information and bank details. And there is some evidence that ransomware groups have increased their attacks aimed at staff newly working from home. Some have even been launching ransomware attacks against hospitals, medical research facilities and other important healthcare operations, at a time when they're needed more than ever.

Such is the potential danger of ransomware attacks against healthcare, Interpol issued a warning over the potential damage that could be done by online extortionists, warning earlier this month it had detected a significant increase in the number of attempted ransomware attacks against key organizations working on virus response.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

"Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths," said Interpol Secretary General Jürgen Stock.

Hospitals aren't a new target for ransomware attacks and there's been a number of cases of healthcare falling victim in the past.  Most high profile of these cases was when the UK's National Health Service was hit by the WannaCry ransomware. But to go after healthcare bodies when they're needed more than ever marks a new low.

"Hackers are very financially motivated and healthcare and hospitals are extremely vulnerable and willing to pay right now because they can't afford to be shut down when they're at capacity and overflowing with coronavirus patients," says Charity Wright, cyber-threat intelligence advisor at IntSights. "They're very vulnerable right now, so hackers are definitely targeting healthcare and hospitals to take advantage".

But while it's business as usual for some ransomware gangs, others have claimed that they'll steer away from targeting healthcare during the coronavirus crisis.

One of these is the group behind Maze ransomware. Not only does this encrypt networks, but the authors of the malware also threaten to publish documents and other sensitive files they've gained access to while moving about the infected network. This group has claimed that it will not target medical organisations until the global situation around the virus had stabilised. 

And it seems that, for now at least, some other attackers have reduced their activity against hospitals.

"From our attack data, we noticed that healthcare, which is normally a top-three targeted vertical, was actually the seventh most frequently targeted industry in March," says Tom Kellermann, head cybersecurity strategist at VMware Carbon Black.

But that's not to say that the total number of ransomware incidents have gone away, but now attacks that may have targeted hospitals before coronavirus are being directed elsewhere.

"Attackers are shifting to other industries, specifically finance, during this pandemic," Kellermann adds.

And even if some ransomware gangs are shifting their targeting to avoid medical facilities as the world faces coronavirus, the healthcare sector doesn't operate in a bubble of its own. The supply chain requires manufacturers, logistics providers and more, which all provide products to hospitals – especially as companies switch tack and get involved in producing ventilators, protective personal equipment and other items that are in high demand right now.

That could mean that even if ransomware attackers really are attempting to avoid hitting healthcare, so as not to disrupt the coronavirus fight, they could still do so inadvertently. 

"It's not just attacks on healthcare that could be problematic; there's device manufacturers, testing labs, logistics companies responsible for deliveries – and we've seen attacks on all of these in recent weeks," says Brett Callow, threat analyst at Emsisoft.

It's also possible that ransomeware operations themselves will have to adapt their own processes and working behaviours to coronavirus, just like legitimate businesses. While cybercrime gangs do most of their work online – and in many cases, gang members will have never met outside of forums and messaging services – it's possible social-distancing and lockdown measures mean activity might be reduced, especially for those who share their home with flatmates or a family.

"Ransomware groups are limited by their available personnel and infrastructure and cannot rapidly scale up their operations," says Callow.

Nonetheless, ransomware and other malware threats still remain a threat to healthcare and the industries that support it and will continue be a threat throughout the coronavirus pandemic.

The success of ransomware attacks is based on the idea that victims give in and pay the ransom demand, but even now, when critical systems being taken down could could be catastrophic, organisations are still urged not to pay the ransom – because it'll only encourage more attacks.

"Despite the COVID-19 pandemic, the general recommendation is that companies should not give in and pay the ransom. There's no guarantee the attackers will release the files and systems held hostage, and it gives ransomware distributors confidence that organizations are willing to pay," says Kellermann.

However, because of the situation – and because lives are on the line – it's unfortunately understandable why some hospitals might choose to pay a ransom in order to keep patients safe.

"There are always exceptions to the rule, though, and it's unfortunate that so many people are left with a nearly impossible choice. As with most things, prevention is often the best cure," Kellermann says.

Hospitals and other organisations can help prevent falling victim to cyberattacks by ensuring the network is as secure and up-to-date as possible.

Even activities such as ensuring that the latest security patches have been applied can go a long way to keeping infrastructure safe, as they will prevent cyber criminals from exploiting known vulnerabilities to gain access to the network.

SEE: Coronavirus: Business and technology in a pandemic

For example, if the patch for EternalBlue had been applied across the whole NHS, rather than just part of it, it wouldn't have been hit so hard by WannaCry ransomware.

But that's not to say patching a hospital network is a simple task, as networks include a lot of dated software and there are some devices that can't go offline to be updated. However, ensuring as much of the network as possible has the latest security updates possible is a good start for a security plan.

Organisations should also ensure that their network is regularly backed up to offline backups, so if the worst does happen – and a ransomware attack impacts hospital systems – they don't need to negotiate with cyber criminals and they can restore the network from a recent point.

And as temporary hospitals spring up in stadiums and events centres to help meet the additional demand posed by COVID-19, those building these environments should ensure that the networks are robust enough to protect against any potential threats – and potentially devastating consequences.

"I'm really hopeful that when they set up mobile hospitals, they're using the same kind of secure infrastructure we use for cybersecurity conferences and hire experts who know what they're doing," says Wright.


Editorial standards