COVID-19 Complication: Ransomware Keeps Hitting Healthcare


Cybercrime Continues Despite Pandemic Intensifying

Ransom note for Netwalker ransomware, tied to a recent attack against Champaign-Urbana Public Health District in Illinois (Source: Carbon Black)

As governments attempt to marshal the right response to the COVID-19 outbreak, their efforts are being complicated by malware – including ransomware – attacks continuing to hit healthcare organizations. Some of those facilities are not only treating patients with the disease but also serving as frontline virus-testing labs.


With COVID-19 declared a pandemic by the World Health Organization, healthcare facilities in some countries have already been overwhelmed by the need to care for patients with severely compromised respiratory systems, as well as to rapidly test anyone they suspect of being infected.

In the meantime, healthcare organizations continue to face hack attacks from criminals attempting to infect them with crypto-locking malware and then demand a ransom in return for the promise that they’ll unlock forcibly encrypted files.

“I really hope that bad guys step back in the coming weeks,” tweeted the administrator of the Swiss anti-malware service

Crypto-Locked: Illinois Public Health District

On Tuesday, Champaign-Urbana Public Health District, which serves about 210,000 people in central Illinois, was hit by Netwalker ransomware, aka MailTo. “We are working to get our website up and running,” the organization reported via its Facebook page on Thursday, before announcing Friday that the website had been restored.

“CUPHD can confirm that our system was attacked by a ransomware virus [called] Netwalker,” a spokeswoman last week told the Register.

The Netwalker ransomware-as-a-service offering, which was first spotted in August 2019, has also been tied to numerous other attacks, including a Feb. 10 infection at Australian transportation and logistics firm Toll Group (see: Australian Delivery Firm Confirms Ransomware Attack).

Despite CUPHD getting its website back up and running, a full fix might take weeks to accomplish. In the meantime, of course, there’s a global pandemic to contend with, and on Sunday, CUPHD confirmed its first local case of COVID-19. “The resident is a female in her 50s and is in home isolation and recovering,” it said.

In response to the outbreak, the Illinois state government announced that as of Tuesday, all schools will be closed. Some other states are doing likewise. Illinois has so far recorded 93 cases of COVID-19 inside the state.

But O’Hare Airport in Chicago was a scene of weekend chaos as airline travelers were forced to stand in dense lines for hours before clearing customs, the Chicago Tribune reported, noting that some other major airports – including Dallas/Fort Worth International Airport – saw similar conditions. Some epidemiology experts have warned that the petri-dish-like conditions will likely have a significant public health impact and contribute to further spreading of the virus.

Infected: Czech Hospital

Just as the COVID-19 outbreak is global, of course, so too is cybercrime.

On Friday, a hospital in the Czech Republic’s second largest city, Brno, suffered an infection traced to an as-yet-undisclosed strain of malware. University Hospital Brno runs one of the country’s largest COVID-19 testing labs. The country confirmed its first known case of the disease on March 1, and as of Monday said the number of known cases of COVID-19 within its borders had reached 298.

The Czech Republic’s National Office for Cyber and Information Security – aka NÚKIB – on Friday dispatched a team of cybersecurity specialists from the government’s computer emergency readiness team, together with police, to assist the hospital with its recovery efforts.

As a result of the malware attack, the hospital was forced to deactivate all IT systems, cancel all planned operations and divert incoming acute patients to the city’s St. Anne’s University Hospital. The hospital’s two other branches – a children’s hospital and a maternity hospital – were also hit, ZDNet reports.

The attack occurred at about 2 a.m. local time, Jaroslav Štěrba, the hospital’s director, told public television broadcaster Česká televize, adding that numerous computers remain down and staff are having to record patient notes with paper and pen.

“Laboratories for hematology, microbiology and biochemistry – and more sophisticated laboratories for tumor diagnostics and radiological systems – are still working, but there is no ability to transfer information from these laboratories to the patient database system,” Štěrba said. “We are able to examine patients, but we are not yet able to store data. But patient care is being maintained and we are working to be able to store the data soon.”

Cybercrime Undercuts Pandemic Response

Despite the global risk posed by COVID-19, security experts say they have seen few signs that cybercrime gangs might stand down from targeting healthcare facilities. Some, however, have promised to do so, although how far such promises go remains to be seen.

Last December, the Maze ransomware gang promised to avoid hitting “socially significant services” such as 911, telling Bleeping Computer: “We don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects, up to the point that if someone uses our software to block the latter, we will provide a decrypt for free.”

That claim, which is impossible to verify, also obscures the bigger-picture damage still being done by all ransomware attackers.

“The Maze group has exfiltrated and encrypted the data of governments, medical practices and medical testing labs. The group has also exfiltrated and encrypted the data of logistics companies which, at a time like this, are critically important to the supply chain,” Brett Callow, a threat analyst with security firm Emsisoft, tells Information Security Media Group.

“Even if Maze does avoid targeting ‘social objects’ such as hospitals – a claim which I’d view with extreme skepticism – their actions may nonetheless indirectly interfere with the provision of critical services. At a time like this, governments need to be able to communicate, all medical facilities need to be available and supply chains need to be functioning as smoothly as possible,” he says. “Maze and other ransomware groups interfere with those essential functions and their criminal actions may well result in the loss of life.”
