“Our message to ransomware gangs is: stay the hell away from hospitals”
By MATT BURGESS
On March 13, the Brno University Hospital started turning away new patients suffering serious conditions. Urgent surgeries were postponed and the hospital, which is a key Covid-19 testing site in the Czech Republic, shutdown all computers as a cyberattack took hold.
“The hospital public announcement system started to repeat the message that all personnel should immediately shut down all computers due to ‘cybernetic security’,” one cybersecurity researcher who was waiting in the hospital for surgery has said. While the cyberattack didn’t impact the work being done around the coronavirus it did cause disruption at an exceptionally busy and chaotic time.
The Czech hospital is not the only medical institution to be targeted by cybercriminals as the novel coronavirus has spread around the world. In the United States, the website for a public health department in Illinois that has more than 200,000 people registered with it has been taken offline following a ransomware attack. France’s French cybersecurity agency has also published a warning that its seeing ransomware targeting its local authorities.
As the total number of global cases of Covid-19 has swelled above 250,000, hackers have increased their activity as they look to capitalise on the crisis. “We’re seeing concerted targeting against manufacturing, pharmaceutical, travel, healthcare and insurance,” explains Sherrod DeGrippo, a senior director in threat research and detection at cybersecurity firm Proofpoint says. “When I say manufacturing, a lot of times it seems to be targeted against a subset of manufacturing, which is manufacturers that create hospital beds, medical equipment, those things you would associate with healthcare.”
It’s no surprise that cybercriminals have upped their attempts to hack into more computer networks. Whenever there’s a large news event those trying to break into computer networks and devices go into overdrive. In the past, the Olympics and the introduction of GDPR have provoked onslaughts of increased hacking activity. This predominantly happens though exploiting human weaknesses.
Malicious actors know that people will open emails that look convincing but actually act as ways to deliver malware or ransomware onto their machines. Amid the rush of daily life – and despite the best efforts of cybersecurity trainers – people are still hugely susceptible to a convincing email that looks like it’s from their boss, or one that has an enticing attachment to download or a link to click.
“The things that are working right now are coronavirus lures: coronavirus as the email for the social engineering, coronavirus filenames, coronavirus domain names,” DeGrippo explains. People want to read and learn about Covid-19. DeGrippo says she has seen phishing emails that claim to have a coronavirus vaccine contained within an attachment, tempting spreadsheets that claim to include lists of people’s neighbours who have been infected, faked company emails asking for errands to be run by people’s colleagues, and suggestions that banks have created anti-bacterial credit cards. “This is the biggest shift in social engineering lures that I have ever seen,” she says.
All of the scams have one goal: to get people to open them and click the link or download an attachment. Once this is done, a machine or network can be infected if there are unpatched vulnerabilities. Corporate data can be put at risk or, in the worst case scenarios, ransomware that can lock entire networks can be deployed. Security researchers says they’ve seen phishing campaigns from all types of hacking groups, large and small. Hackers believe to be tied to national governments have also been getting involved.
“We’re not seeing them in massive volumes yet, but we are seeing a great variety of them coming through,” says Kiri Addison, the head of data science at email management company Mimecast. “They’re changing as the coronavirus response has progressed.” When the coronavirus started to spread, Addison says, phishing emails impersonating doctors were the starting point. They’ve progressed to impersonating health authorities, governments and financial institutions. There’s been phishing efforts trying to exploit the name of the World Health Organisation and the US Centers for Disease Control and Prevention.
But the cybersecurity industry is fed up with hackers attempting to attack medical institutions – especially at a time of global crisis. “All of the standard operating procedures in many ways are being thrown out the window,” DeGrippo says. “Even organisations who have planned their ransomware response, have planned it under day-to-day regular operations in the world.”
Hospitals and public sector organisations that deal with health and social care can be particularly vulnerable to cyberattacks. “The computer networks used in many hospitals are not secured as well as they could be,” says Mikko Hypponen, the chief research officer of security firm F-Secure. “This is often because of budgeting restrictions.” At a time when hospital and medical services are stretched it is more likely that those hit by ransomware may opt to try and pay money to the criminals who have locked their systems.
The WannaCry ransomware that crippled the NHS in 2017 cost the health organisation around £100 million. At the time many of the infected machines were running outdated operating systems and even now Windows 7 is commonly used within medical environments, despite Microsoft no longer issuing patches for it. “Ruthless ransomware attackers know about these problems, and we have seen medical organisations targeted on purpose many times over last years,” Hypponen says. “But enough is enough.”
“Our message to ransomware gangs is: stay the hell away from hospitals,” he adds. “The response from the collective cybersecurity community has been clear on this: the world is in crisis, and we’ll do whatever we need to do in order to protect the work of our doctors, nurses and first responders.” It’s not just talk – some cybersecurity companies, such as Emsisoft and Coveware, are making their ransomware tools free to healthcare providers. But there are also less corporate, volunteer organisation efforts.
Lisa Forte, a partner Red Goat Cyber Security, and Daniel Card, from PwnDefend, have setup Cyber Volunteers 19 – an effort to provide support to healthcare services in the UK and Europe who are responding to cybersecurity incidents. “The key message we want to send to cyber criminals is that we are standing in solidarity with public services,” Forte explains. “Attacking a hospital at any time is disgraceful but during times of pandemic chaos it is repulsive.
So far around 3,000 people have expressed interest in volunteering, Forte says, with those offering their services through a LinkedIn group. “This is primarily led by the healthcare providers and charities,” Forte adds. “They know what they need help with. We want them to know they have a totally free pool of talent and skill they can use.”
As for the criminal groups behind ransomware attacks, there may have been some realisation that they shouldn’t try to exploit the healthcare industry. As first reported by BleepingComputer, some hacking groups have said they’ll stop hitting the industry for the time being. A “press release” posted to the website of the Maze Team hacking group says it is offering “exclusive discounts” to the “partners” whose systems it has locked with ransomware.
“We also stop all activity versus all kinds of medical organisations until the stabilisation of the situation with virus,” the group writes. However, among the list of companies it claims to have exploited with ransomware there’s a London-based medical research group, which it says was compromised on March 16, right in the middle of the Covid-19 outbreak.
Read more about it here: https://www.wired.co.uk/article/coronavirus-hackers-cybercrime-phishing