COVID-19 Complication: Ransomware Keeps Hitting Healthcare
Cybercrime Continues Despite Pandemic Intensifying
As governments attempt to marshal the right response to the COVID-19 outbreak, their efforts are being complicated by malware - including ransomware - attacks continuing to hit healthcare organizations. Some of those facilities are not only treating patients with the disease but also serving as frontline virus-testing labs.
With COVID-19 declared a pandemic by the World Health Organization, healthcare facilities in some countries have already been overwhelmed by the need to care for patients with severely compromised respiratory systems, as well as to rapidly test anyone they suspect of being infected.
Healthcare organizations continue to face hack attacks from criminals attempting to infect them with crypto-locking malware and then demand a ransom in return for the promise that they'll unlock forcibly encrypted files.
"I really hope that bad guys step back in the coming weeks," tweeted the administrator of the Swiss anti-malware service Abuse.ch.
I really hope that bad guys step back in the coming weeks and do not attack & encrypt hospitals with ransomware #coronavirus
— abuse.ch (@abuse_ch) March 13, 2020
HHS Network Attacked
Meanwhile, during a Trump administration press briefing on Monday, Alex Azar, secretary of the Department of Health and Human Services, confirmed a news report published earlier in the day by Bloomberg that HHS systems had suffered an online attack over the weekend. Bloomberg reported that the incident involved a "campaign of disruption and disinformation" that appeared to be aimed at undermining the response to the coronavirus pandemic.
Azar said the incident involved "enhanced activity with [HHS] computer systems and website." However, "there was no penetration, no degradation of the function of the networks ... no data breach." The attack also did not affect the ability of HHS employees to telework, he said.
The source of the attack is still under investigation, he added.
"HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities," an HHS spokeswoman said in a statement provided late Monday to Information Security Media Group.
"On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter. Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure."
Crypto-Locked: Illinois Public Health District
Last Tuesday, Champaign-Urbana Public Health District, which serves about 210,000 people in central Illinois, was hit by Netwalker ransomware, aka MailTo. "We are working to get our website up and running," the organization reported via its Facebook page on Thursday, before announcing Friday that the website had been restored.
"CUPHD can confirm that our system was attacked by a ransomware virus [called] Netwalker," a spokeswoman last week told the Register.
The Netwalker ransomware-as-a-service offering, which was first spotted in August 2019, has also been tied to numerous other attacks, including a Feb. 10 infection at Australian transportation and logistics firm Toll Group (see: Australian Delivery Firm Confirms Ransomware Attack).
Despite CUPHD getting its website back up and running, a full recovery might take weeks to accomplish. In the meantime, of course, there's a global pandemic to contend with, and on Sunday, CUPHD confirmed its first local case of COVID-19. "The resident is a female in her 50s and is in home isolation and recovering," it said.
In response to the outbreak, the Illinois state government announced that as of Tuesday, all schools will be closed. Some other states are doing likewise. Illinois has so far recorded 93 cases of COVID-19 inside the state.
As #COVID19 continues to spread, all Illinoisans should take commonsense social distancing measures to keep themselves and their neighbors safe.
Please read these guidelines and take them seriously.
Staying home will save lives.
— Governor JB Pritzker (@GovPritzker) March 14, 2020
But O'Hare Airport in Chicago was a scene of weekend chaos as airline travelers were forced to stand in dense lines for hours before clearing customs, the Chicago Tribune reported, noting that some other major airports - including Dallas/Fort Worth International Airport - saw similar conditions. Some epidemiology experts have warned that the petri-dish-like conditions will likely have a significant public health impact and contribute to further spread of the virus.
Infected: Czech Hospital
Just as the COVID-19 outbreak is global, of course, so too is cybercrime.
On Friday, a hospital in Brno, the Czech Republic's second largest city, suffered an infection traced to an as-yet-undisclosed strain of malware. University Hospital Brno runs one of the country's largest COVID-19 testing labs. The country confirmed its first known case of the disease on March 1, and as of Monday said the number of known cases of COVID-19 within its borders had reached 298.
The Czech Republic's National Office for Cyber and Information Security - aka NÚKIB - on Friday dispatched a team of cybersecurity specialists from the government's computer emergency readiness team, together with police, to assist the hospital with its recovery efforts.
As a result of the malware attack, the hospital was forced to deactivate all IT systems, cancel all planned operations and divert incoming acute patients to the city's St. Anne's University Hospital. The hospital's two other branches - a children's hospital and a maternity hospital - were also hit, ZDNet reports.
The attack occurred at about 2 a.m. local time, Jaroslav Štěrba, the hospital's director, told public television broadcaster Česká televize, adding that numerous computers remain down and staff are having to record patient notes with paper and pen.
"Laboratories for hematology, microbiology and biochemistry - and more sophisticated laboratories for tumor diagnostics and radiological systems - are still working, but there is no ability to transfer information from these laboratories to the patient database system," Štěrba said. "We are able to examine patients, but we are not yet able to store data. But patient care is being maintained and we are working to be able to store the data soon."
Cybercrime Undercuts Pandemic Response
Despite the global risk posed by COVID-19, security experts say they have seen few signs that cybercrime gangs might stand down from targeting healthcare facilities. Some, however, have promised to do so, although how far such promises go remains to be seen.
Last December, the Maze ransomware gang promised to avoid hitting "socially significant services" such as 911, telling Bleeping Computer: "We don't attack hospitals, cancer centers, maternity hospitals and other socially vital objects, up to the point that if someone uses our software to block the latter, we will provide a decrypt for free."
"That is good news, if only Ryuk, Defray, REvil and others follow suit," says John Fokker, head of cyber investigations and red teaming for McAfee Advanced Threat Research, via Twitter (see: Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays).
Maze's self-promotion and claim, which is impossible to verify, downplays the bigger-picture damage still being done by all ransomware attackers.
"The Maze group has exfiltrated and encrypted the data of governments, medical practices and medical testing labs. The group has also exfiltrated and encrypted the data of logistics companies which, at a time like this, are critically important to the supply chain," Brett Callow, a threat analyst with security firm Emsisoft, tells Information Security Media Group.
"Even if Maze does avoid targeting 'social objects' such as hospitals - a claim which I'd view with extreme skepticism - their actions may nonetheless indirectly interfere with the provision of critical services. At a time like this, governments need to be able to communicate, all medical facilities need to be available and supply chains need to be functioning as smoothly as possible," he says. "Maze and other ransomware groups interfere with those essential functions and their criminal actions may well result in the loss of life."
Expect Criminals to Keep Taking Advantage
Cybercrime remains a business, and unfortunately disasters can create new money-making opportunities for the criminally inclined. "The stereotype of a cybercriminal is that of a bored teenager who is computer literate and socially maladjusted. This is far from the truth, and every time there is a crisis we can see that cybercriminals are in reality ruthless and heartless individuals looking to inflict suffering on their victims in whatever way they can, and if a global crisis, such as COVID-19, plays to their advantage they will do so," says Brian Honan, head of Dublin-based consultancy BH Consulting.
"I expect many medical facilities and emergency services will be targeted by criminals with ransomware attacks demanding large ransoms as the criminals know how critical those services are now," Honan tells ISMG. "We should not relax any of our defenses but be more aware of criminals looking to leverage the crisis to spread misinformation, set up scams, launch phishing attacks and launch cyberattacks. Contrary to popular belief, there are no common, decent criminals in the online world."