Business Continuity Management / Disaster Recovery , COVID-19 , Cybercrime

COVID-19 Complication: Ransomware Keeps Hitting Healthcare

Cybercrime Continues Despite Pandemic Intensifying
COVID-19 Complication: Ransomware Keeps Hitting Healthcare
Ransom note for Netwalker ransomware, tied to a recent attack against Champaign-Urbana Public Health District in Illinois (Source: Carbon Black)

As governments attempt to marshal the right response to the COVID-19 outbreak, their efforts are being complicated by malware - including ransomware - attacks continuing to hit healthcare organizations. Some of those facilities are not only treating patients with the disease but also serving as frontline virus-testing labs.

See Also: Gartner Guide for Digital Forensics and Incident Response

With COVID-19 declared a pandemic by the World Health Organization, healthcare facilities in some countries have already been overwhelmed by the need to care for patients with severely compromised respiratory systems, as well as to rapidly test anyone they suspect of being infected.

Healthcare organizations continue to face hack attacks from criminals attempting to infect them with crypto-locking malware and then demand a ransom in return for the promise that they'll unlock forcibly encrypted files.

"I really hope that bad guys step back in the coming weeks," tweeted the administrator of the Swiss anti-malware service Abuse.ch.

HHS Network Attacked

Meanwhile, during a Trump administration press briefing on Monday, Alex Azar, secretary of the Department of Health and Human Services' confirmed a news report earlier in the day by media outlet Bloomberg that HHS systems had suffered an online attack over the weekend. Bloomberg reported that the incident involved a “campaign of disruption and disinformation” appearing to be aimed at undermining response to the coronavirus pandemic.

Azar said the incident involved "enhanced activity with [HHS] computers systems and website." However, "there was no penetration, no degradation of the function of the networks ... no data breach." Also, the attack did not impact the ability of HHS employees to telework, he says.

The source of the attack is still under investigation, he added.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities," a HHS spokeswoman said in a statement provided late Monday to Information Security Media Group.

"On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter. Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”

Crypto-Locked: Illinois Public Health District

Last Tuesday, Champaign-Urbana Public Health District, which serves about 210,000 people in central Illinois, was hit by Netwalker ransomware, aka MailTo. "We are working to get our website up and running," the organization reported via its Facebook page on Thursday, before announcing Friday that the website had been restored.

"CUPHD can confirm that our system was attacked by a ransomware virus [called] Netwalker," a spokeswoman last week told the Register.

The Netwalker ransomware-as-a-service offering, which was first spotted in August 2019, has also been tied to numerous other attacks, including a Feb. 10 infection at Australian transportation and logistics firm Toll Group (see: Australian Delivery Firm Confirms Ransomware Attack).

Despite CUPHD getting its website back up and running, a full fix might take weeks to accomplish. In the meantime, of course, there's a global pandemic to contend with, and on Sunday, CUPHD confirmed its first confirmed local case of COVID-19. "The resident is a female in her 50s and is in home isolation and recovering," it said.

In response to the outbreak, the Illinois state government announced that as of Tuesday, all schools will be closed. Some other states are doing likewise. Illinois has so far recorded 93 cases of COVID-19 inside the state.

But O'Hare Airport in Chicago, was a scene of weekend chaos as airline travelers were forced to stand in dense lines for hours before clearing customs, the Chicago Tribune reported, noting that some other major airports - including Dallas/Fort Worth International Airport - saw similar conditions. Some epidemiology experts have warned that the petri-dish-like conditions will likely have a significant public heath impact and contribute to further spreading of the virus.

Infected: Czech Hospital

Just as the COVID-19 outbreak is global, of course, so too is cybercrime.

On Friday, a hospital in the Czech Republic's second largest city, Brno, suffered an infection that traced to an as-yet-undisclosed strain of malware. University Hospital Brno runs one of the country's largest COVID-19 testing labs, and the country confirmed its first known case of the disease on March 1, and as of Monday, said the number of known cases of COVID-19 within its borders had reached 298.

The Czech Republic's National Office for Cyber and Information Security - aka NÚKIB - on Friday dispatched a team of cybersecurity specialists from the government's computer emergency readiness team, together with police, to assist the hospital with its recovery efforts.

As a result of the malware attack, the hospital was forced to deactivate all IT systems as well as cancel all planned operations and divert incoming, acute patients to the city's St. Anne's University Hospital. The hospital's two other branches - comprising a children's hospital and a Maternity Hospital - were also hit, ZDNet reports.

The attack occurred at about 2 a.m. local time, Jaroslav Štěrba, the hospital's director, told public television broadcaster Česká Televise, adding that numerous computers remain down, and staff are having to record patient notes with paper and pen.

"Laboratories for hematology, microbiology and biochemistry - and more sophisticated laboratories for tumor diagnostics and radiological systems - are still working, but there is no ability to transfer information from these laboratories to the patient database system," Štěrba said. “We are able to examine patients, but we are not yet able to store data. But patient care is being maintained and we are working to be able to store the data soon."

Cybercrime Undercuts Pandemic Response

Despite the global risk posed by COVID-19, security experts say they have seen few signs that cybercrime gangs might stand down from targeting healthcare facilities. Some, however, have promised to do so, although how far such promises go remains to be seen.

Last December, the Maze ransomware gang promised to avoid hitting "socially significant services" such as 911, telling Bleeping Computer: "We don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects, up to the point that if someone uses our software to block the latter, we will provide a decrypt for free."

"That is good news, if only Ryuk, Defray, REvil and others follow suit," says John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, via Twitter (see: Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays).

Maze's self-promotion and claim, which is impossible to verify, downplays the bigger-picture damage still being done by all ransomware attackers.

“The Maze group has exfiltrated and encrypted the data of governments, medical practices and medical testing labs. The group has also exfiltrated and encrypted the data of logistics companies which, at a time like this, are critically important to the supply chain," Brett Callow, a threat analyst with security firm Emsisoft, tells Information Security Media Group.

"Even if Maze does avoid targeting 'social objects' such as hospitals - a claim which I’d view with extreme skepticism - their actions may nonetheless indirectly interfere the provision of critical services. At a time like this, governments need to be able to communicate, all medical facilities need to be available and supply chains need to be functioning as smoothly as possible," he says. "Maze and other ransomware groups interfere with those essential functions and their criminal actions may well result in the loss of life.”

Expect Criminals to Keep Taking Advantage

Cybercrime remains a business, and unfortunately disasters can create new money-making opportunities for the criminally inclined. “The stereotype of a cybercriminal is that of a bored teenager who is computer literate and socially maladjusted. This is far from the truth and every time there is a crisis we can see that cybercriminals are in reality ruthless and heartless individuals looking to inflict suffering on their victims in whatever way they can, and if a global crisis, such as COVID-19, plays to their advantage they will do so," says Brian Honan, head of Dublin-based consultancy BH Consulting.

"Contrary to popular belief, there are no common, decent criminals in the online world."
—Brian Honan

"I expect many medical facilities and emergency services will be targeted by criminals with ransomware attacks demanding large ransoms as the criminals know how critical those services are now," Honan tells ISMG. "We should not relax any of our defenses but be more aware of criminals looking to leverage the crisis to spread misinformation, set up scams, launch phishing attacks and launch cyberattacks. Contrary to popular belief, there are no common, decent criminals in the online world.”


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.