COVID-19: Ruthless Ransomware Authors Attack Hospitals

This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance USA.

The coronavirus outbreak continues to hold the world hostage, and health care facilities are at the forefront of the struggle. Hospitals and pharmaceutical labs are overwhelmed, which leaves them more exposed to malware attacks than ever before. Saving lives is the health care sector's top priority, but malicious actors don't care as they wage a cyber war against medical organizations.

The wake-up call that signaled cyber crime's indifference was a dramatic surge in phishing campaigns capitalizing on the pandemic. Crooks have been sending emails impersonating trusted health care institutions such as the WHO (World Health Organization) to harvest users' credentials and install info-stealing Trojans. While these lures aren't specifically aimed at hospitals, ransomware operators took it to the next level by orchestrating targeted attacks against the health care industry.

Ransomware Raids Against Hospitals Are on the Rise

According to recent findings by INTERPOL (the International Criminal Police Organization), threat actors have ramped up their attempts to infect hospitals' IT networks with ransomware. The damage isn't limited to data loss: an outage can also delay medical response and thus endanger patients' physical well-being.

In light of the increase in ransomware attacks targeting health care institutions, INTERPOL has alerted police in its 194 member countries by issuing a Purple Notice. Its Cyber Threat Response team is also collecting details on suspicious Internet domains to support deeper analysis of ransomware incidents and the countermeasures needed to safeguard critical health infrastructure.

The organization reports that emails with booby-trapped links or attachments are the dominant ransomware distribution vector, so medical personnel's phishing awareness is half the battle. It also recommends keeping all critical data backed up to storage isolated from the main systems, so that a backup cannot be encrypted alongside the systems it is meant to restore. Regular software and hardware updates, strong passwords, and effective antivirus solutions further strengthen the security of health care institutions' systems.

The Word “Ethics” Isn’t in Ryuk Ransomware Authors’ Vocabulary

Ryuk, a long-standing ransomware strain that focuses on crippling enterprise networks, has targeted hospitals throughout the coronavirus outbreak. One such attack was detected in late March 2020. According to security analysts at Sophos, the attackers hit an unnamed U.S. health organization. The ransomware was pushed to machines across the network with PsExec, a legitimate Microsoft Sysinternals command-line tool for running programs on remote Windows hosts, which is why its use is so hard to distinguish from routine administration. The malware then spread laterally across the environment, encrypted valuable data, and dropped a ransom note onto the affected computers.
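The PsExec deployment described above leaves a well-known trace: PsExec copies a service binary to the target's ADMIN$ share and registers it as a Windows service, which the System log records as Event ID 7045 ("A service was installed in the system"), by default under the service name PSEXESVC. The Go program below is an added example, not code from the original article, from Sophos or from the Ryuk operators. It runs a simple rule over a constructed, pipe-separated export of such events (the export format, field names, hostnames and account names are all assumed for illustration) and flags both the default service name and the renamed-service variant (PsExec -r), which can still be recognized by its binary landing directly in %SystemRoot%.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog is a CONSTRUCTED, simplified export of Windows System-log events in
// a "key=value|key=value" format assumed for this example. Real sources (EVTX,
// Sysmon, a SIEM) look different; only the field names used below matter.
const sampleLog = `EventID=7045|Computer=WS-RADIOLOGY-07|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|User=CONTOSO\svc_backup
EventID=7045|Computer=WS-RADIOLOGY-07|ServiceName=WinDefend|ImagePath=C:\Program Files\Windows Defender\MsMpEng.exe|User=LocalSystem
EventID=7036|Computer=WS-RADIOLOGY-07|ServiceName=PSEXESVC|State=running
EventID=7045|Computer=FS-LAB-02|ServiceName=winupd|ImagePath=%SystemRoot%\winupd.exe|User=CONTOSO\admin.jdoe
EventID=7045|Computer=FS-LAB-02|ServiceName=Spooler|ImagePath=C:\Windows\System32\spoolsv.exe|User=LocalSystem`

// Alert is one detection result.
type Alert struct {
	Computer string
	Severity string
	Reason   string
}

// parseLine splits one exported record into its fields.
func parseLine(line string) map[string]string {
	fields := make(map[string]string)
	for _, kv := range strings.Split(line, "|") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			fields[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
		}
	}
	return fields
}

// splitPath lower-cases, expands %SystemRoot% and returns (directory, file name).
func splitPath(p string) (string, string) {
	p = strings.ReplaceAll(strings.ToLower(p), "%systemroot%", `c:\windows`)
	if i := strings.LastIndex(p, `\`); i >= 0 {
		return p[:i], p[i+1:]
	}
	return "", p
}

// DetectPsExec scans Service Control Manager Event ID 7045 ("a service was
// installed in the system") records for the service PsExec registers on the
// remote host. Other event IDs are ignored.
func DetectPsExec(export string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(export), "\n") {
		f := parseLine(line)
		if f["EventID"] != "7045" {
			continue
		}
		dir, base := splitPath(f["ImagePath"])
		switch {
		case strings.EqualFold(f["ServiceName"], "PSEXESVC") || base == "psexesvc.exe":
			// Default PsExec behaviour: service PSEXESVC, binary %SystemRoot%\PSEXESVC.exe.
			alerts = append(alerts, Alert{f["Computer"], "high",
				"default PsExec service installed by " + f["User"]})
		case dir == `c:\windows` && strings.HasSuffix(base, ".exe"):
			// PsExec -r renames the service, but the binary still lands directly
			// in %SystemRoot%, which legitimate services rarely use. This is a
			// heuristic: expect to add an allowlist for your environment.
			alerts = append(alerts, Alert{f["Computer"], "medium",
				"new service binary dropped in Windows root: " + f["ImagePath"]})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectPsExec(sampleLog) {
		fmt.Printf("[%s] %s: %s\n", a.Severity, a.Computer, a.Reason)
	}
}
```

Because administrators use PsExec legitimately, this is an alert, not a block: the useful signal is the account, the source host and the time of day, so route the high-severity hits to whoever owns remote administration and treat a 7045 from a non-admin or service account as an incident until shown otherwise.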

Furthermore, endpoint security vendor SentinelOne reports that Ryuk has attempted to infect ten medical organizations since February 2020, among them a network of nine American hospitals involved in the COVID-19 response. With lives at stake, this activity is particularly worrying.

Dharma Ransomware Continues to Target Health Care Institutions

Another ransomware known as Dharma is also continuing to disrupt the work of health care facilities around the world. Having splashed onto the scene back in 2016, it is one of the oldies in the extortion ecosystem. Its operators’ tactics have hardly changed since, and hospitals are still on their radar despite the global health crisis.

The latest spin-off uses the coronavirus theme at different stages of its deployment inside a host network. Its primary payload is an executable named '1covid.exe' that poses as a benign email attachment. If a recipient opens and runs this file, the ransomware gains a foothold on the machine and then attempts to spread to other devices on the same network.

Then, using a hybrid of the asymmetric RSA cipher and symmetric AES-256 encryption, Dharma renders all potentially important files inaccessible and drops a ransom note listing the attackers' contact details so that the victim can negotiate the decryption terms. Because the RSA private key needed to recover the file keys never leaves the attackers, the files cannot be decrypted by the victim, and an uninfected backup is the only alternative to paying. If a large network is impacted, the criminals may demand dozens of bitcoins (worth hundreds of thousands of dollars) for data recovery per victimized organization.

Perpetrators with Russian Roots Compromising European Pharma Companies

Two high-profile criminal hacker gangs carried out a series of attacks against pharmaceutical and manufacturing companies in Germany and Belgium in late January 2020. Group-IB researchers attributed these raids to the Russian-speaking TA505 and Silence groups. While TA505 has a track record of attacking health care institutions, the focus on the medical industry is a change for Silence, which had until then only targeted the finance sector.

The attacks reportedly exploited two vulnerabilities (CVE-2019-1405 and CVE-2019-1322) to run malicious executables with elevated privileges inside the infiltrated networks. Although the analysts could not identify the final-stage payload because the attacks were stopped at an early stage, they found clues suggesting that these incursions could have been ransomware attacks disguised as classic breaches. The theory rests partly on the fact that TA505 had previously distributed several mainstream ransomware families, including the infamous Locky and Rapid.

A Few Cybercriminal Groups Claim to Be Easing the Grip

In contrast to the behavior highlighted above, some ransomware operators appear to follow an unspoken code of ethics, or at least claim to. In mid-March 2020, BleepingComputer contacted the actors behind the most active ransomware families to ask whether they would stop infecting health and medical organizations tackling COVID-19. Surprisingly, some replied.

The operators of the CLOP ransomware said they never zeroed in on hospitals and charities, and would adhere to this practice further on. They also claimed that if they accidentally hit such an entity, they would provide the data decryption tool for free. Interestingly, the CLOP gang stated that pharmaceutical companies don’t fit the mold because they benefit from the health care crisis and will have to pay the ransom if attacked.

The architects of another ransomware, DoppelPaymer, also assured the analysts that they wouldn’t be targeting hospitals during the outbreak and would restore data for free if they accidentally infected such an institution. The only caveat is that the organization must prove that it’s involved in the health care industry. As is the case with CLOP, though, DoppelPaymer will stick with ransom demands if a pharmaceutical company falls victim.

The gangs behind the Nefilim and Netwalker ransomware claimed that hospitals and nonprofits were never on their list of intended victims and that this would not change. However, Netwalker's operators said that if a health organization's data is encrypted by accident, they won't drop their demands and will insist on payment for the decryptor.

Although the extortionists deploying the prolific Maze ransomware confirmed their intention to cease attacks against hospitals and "all kinds of medical organizations", shortly after making the statement they published files stolen from a UK company called Hammersmith Medicines Research, which was preparing to run clinical trials of coronavirus vaccines. The records included personal information of thousands of former patients. On a side note, threatening to leak data stolen during a ransomware attack is a relatively recent tactic for pressuring victims into paying; it also means a clean backup no longer makes the incident harmless.

The real and digital worlds now overlap to such an extent that people's physical safety depends on cybersecurity. Even though some ransomware actors purport to have temporarily excluded hospitals and other health care organizations from their target lists, defenders should keep in mind that these could be empty promises, abandoned as soon as financial gain outweighs morals. Therefore, decision-makers in the health care industry need to enforce a proactive security model based on employees' online hygiene, isolated and tested data backups, and reliable security software that identifies and blocks attacks before they reach critical data.