Ransomware Reportedly Hits Ventilator Maker
Incident Reflects Threats Facing Those Involved in COVID-19 Response
A manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic is reportedly the latest victim of the DoppelPaymer ransomware gang.
Boyce Technologies Inc., based in Long Island City, New York, was targeted by the ransomware gang, which has threatened to leak data stolen in the incident unless the company pays a ransom, according to the news site Cointelegraph.
A screenshot of DoppelPaymer's blog on the dark web, provided by a source to Information Security Media Group, shows examples of files the group claims it stole during the attack, including sales and purchase orders and assignment forms.
The incident reflects the cyberthreats facing medical device makers, medical researchers and others involved in the response to COVID-19.
"Ransomware gangs, such as DoppelPaymer, target those entities that they believe have the best chances of paying the ransom," says Kelly Rozumalski, director of secure connected health initiatives at consulting firm Booz Allen Hamilton.
"Every potential victim is measured by their estimated revenue. DoppelPaymer likely prioritizes its activities based on their estimation of who is most likely to pay the largest amount," she notes.
Boyce Technologies did not immediately respond to an ISMG request for comment on the alleged ransomware incident.
On its website, Boyce Technologies notes that until recently, the company was focused primarily on manufacturing network and communications products for subway and train systems.
But in recent months, the company obtained approval from the Food and Drug Administration to manufacture ventilators to assist in COVID-19 response by New York hospitals, the company says. Now, the company is also producing ventilators for other areas for users around the world.
An FDA spokesperson tells ISMG that other than the targeting of Boyce Technologies, the agency is not aware of any other ransomware incidents targeting medical device manufacturers during the COVID-19 pandemic.
"While COVID-19 has obviously presented challenges for society in general and FDA in particular, FDA has remained vigilant and heavily involved in existing and emerging cybersecurity issues," the spokesperson says. "We have continued to work within the agency, and with partners ... to manage and respond to cybersecurity."
Nation-state groups and others are attempting to exploit the difficulties created by crises such as COVID-19, the FDA spokesperson adds.
"Increased vigilance is needed around cybersecurity and other concerns to try to mitigate the possibility that one threat may worsen or lead to other threats and potential impacts to already-strained systems," she says.
"For this reason, the FDA has not only maintained its previous, steady-state level of engagement on cybersecurity issues, but where necessary, increased engagement."
Lives at Stake
Threat analyst Brett Callow of the security firm Emsisoft notes that ransomware attacks on the healthcare sector and its supply chain "are uniquely problematic because there is a very real risk that they could result in the loss of life."
"Some of the attacks that occurred last year resulted in hospitals effectively closing their doors and redirecting emergency patients to other hospitals," he notes. "And the risk is currently magnified as providers and suppliers are already stretched to their limits by COVID-19," he says.
DoppelPaymer has been implicated in several other recent ransomware attacks.
That includes a March incident targeting Visser Precision, which makes components for the automobile, aerospace and manufacturing industries and whose clients include Boeing, Tesla, Lockheed Martin and SpaceX (see: DoppelPaymer Ransomware Clams Supplier to Boeing, Tesla).
In June, the mayor of Florence, Alabama, acknowledged that the city paid a ransom of 30 bitcoins in return for receiving a decryption key and not seeing any city data get leaked after being hit by attackers wielding DoppelPaymer ransomware (see: City Pays Ransom Despite Pre-Ransomware Outbreak).
Similar to other ransomware used by other cybercrime gangs - including NetWalker and REvil - "DoppelPaymer is human-operated and uses sophisticated attack mechanisms, but there is nothing unique about it," Callow says.
In the healthcare sector, "NetWalker is probably the main ransomware threat to healthcare providers at this point in time," he says. "The group has continued to attack healthcare providers throughout the pandemic."
Last month, the FBI issued an alert warning that attacks involving NetWalker had steadily increased since June, targeting government organizations, educational entities, healthcare firms and private companies in the U.S. and elsewhere (see: FBI: COVID-19-Themed Phishing Spreads Netwalker Ransomware).
The FBI noted that the operators behind NetWalker are using COVID-19 themes as a lure to entice victims to open phishing emails that contain malicious attachments.
In recent weeks, other government agencies in the U.S. and in other countries, as well as the United Nations, have also issued warnings about the threats of cyberattacks on organizations involved in COVID-19 vaccination development and other pandemic response (see: FBI: Hackers Targeting U.S. COVID-19 Research Facilities and WHO Reports Dramatic Increase in Cyberattacks).
"The stakes for the healthcare sector are higher than most others and especially now during COVID," says Motti Sorani, chief technology officer at security research firm CyberMDX.
"With many hospitals at their limits, any distraction from patient health and safety needs to be avoided at all costs to help our frontline workers continue to provide the very best care they can."
Rozumalski of Booz Allen Hamilton notes that the medical device industry and the broader healthcare ecosystem need to continue to collaborate to enhance security. "Cross-stakeholder collaboration is needed to do this - regulators, healthcare delivery organizations, manufacturers - they all need to play a role," she says.
"As medical device manufacturers continue to prepare themselves to battle sophisticated cyberthreats, they need to work to address cybersecurity throughout the product lifecycle, including during the design phase, development and through end of life. Not only is it critical to have the proper cyber defenses in place, but it's also key that business continuity, back-up protection, and disaster recovery processes are in place so they can properly recover information if they do experience a cyberattack."