Cybercrime Continues Despite Pandemic Intensifying
Ransom note for Netwalker ransomware, tied to a recent attack against Champaign-Urbana Public Health District in Illinois (Source: Carbon Black)
As governments attempt to marshal the right response to the COVID-19 outbreak, their efforts are being complicated by malware – including ransomware – attacks continuing to hit healthcare organizations. Some of those facilities are not only treating patients with the disease but also serving as frontline virus-testing labs.
With COVID-19 declared a pandemic by the World Health Organization, healthcare facilities in some countries have already been overwhelmed by the need to care for patients with severely compromised respiratory systems, as well as to rapidly test anyone they suspect of being infected.
In the meantime, healthcare organizations continue to face hack attacks from criminals attempting to infect them with crypto-locking malware and then demand a ransom in return for the promise that they’ll unlock forcibly encrypted files.
“I really hope that bad guys step back in the coming weeks,” tweeted the administrator of the Swiss anti-malware service Abuse.ch.
I really hope that bad guys step back in the coming weeks and do not attack & encrypt hospitals with ransomware #coronavirus
— abuse.ch (@abuse_ch) March 13, 2020
Crypto-Locked: Illinois Public Health District
On Tuesday, Champaign-Urbana Public Health District, which serves about 210,000 people in central Illinois, was hit by Netwalker ransomware, aka MailTo. “We are working to get our website up and running,” the organization reported via its Facebook page on Thursday, before announcing Friday that the website had been restored.
“CUPHD can confirm that our system was attacked by a ransomware virus [called] Netwalker,” a spokeswoman last week told the Register.
The Netwalker ransomware-as-a-service offering, which was first spotted in August 2019, has also been tied to numerous other attacks, including a Feb. 10 infection at Australian transportation and logistics firm Toll Group (see: Australian Delivery Firm Confirms Ransomware Attack).
Despite CUPHD getting its website back up and running, a full fix might take weeks to accomplish. In the meantime, of course, there’s a global pandemic to contend with, and on Sunday, CUPHD confirmed its first local case of COVID-19. “The resident is a female in her 50s and is in home isolation and recovering,” it said.
In response to the outbreak, the Illinois state government announced that as of Tuesday, all schools will be closed. Some other states are doing likewise. Illinois has so far recorded 93 cases of COVID-19 inside the state.
As #COVID19 continues to spread, all Illinoisans should take commonsense social distancing measures to keep themselves and their neighbors safe.
Please read these guidelines and take them seriously.
Staying home will save lives.
— Governor JB Pritzker (@GovPritzker) March 14, 2020
But O’Hare Airport in Chicago was a scene of weekend chaos as airline travelers were forced to stand in dense lines for hours before clearing customs, the Chicago Tribune reported, noting that some other major airports – including Dallas/Fort Worth International Airport – saw similar conditions. Some epidemiology experts have warned that the petri-dish-like conditions will likely have a significant public health impact and contribute to further spreading of the virus.
Infected: Czech Hospital
Just as the COVID-19 outbreak is global, of course, so too is cybercrime.
On Friday, a hospital in the Czech Republic’s second-largest city, Brno, suffered an infection traced to an as-yet-undisclosed strain of malware. University Hospital Brno runs one of the country’s largest COVID-19 testing labs. The Czech Republic confirmed its first known case of the disease on March 1, and as of Monday said the number of known cases of COVID-19 within its borders had reached 298.
The Czech Republic’s National Office for Cyber and Information Security – aka NÚKIB – on Friday dispatched a team of cybersecurity specialists from the government’s computer emergency readiness team, together with police, to assist the hospital with its recovery efforts.
As a result of the malware attack, the hospital was forced to deactivate all IT systems as well as cancel all planned operations and divert incoming acute patients to the city’s St. Anne’s University Hospital. The hospital’s two other branches – a children’s hospital and a maternity hospital – were also hit, ZDNet reports.
The attack occurred at about 2 a.m. local time, Jaroslav Štěrba, the hospital’s director, told public television broadcaster Česká televize, adding that numerous computers remain down and staff are having to record patient notes with paper and pen.
“Laboratories for hematology, microbiology and biochemistry – and more sophisticated laboratories for tumor diagnostics and radiological systems – are still working, but there is no ability to transfer information from these laboratories to the patient database system,” Štěrba said. “We are able to examine patients, but we are not yet able to store data. But patient care is being maintained and we are working to be able to store the data soon.”
Cybercrime Undercuts Pandemic Response
Despite the global risk posed by COVID-19, security experts say they have seen few signs that cybercrime gangs might stand down from targeting healthcare facilities. Some, however, have promised to do so, although how far such promises go remains to be seen.
Last December, the Maze ransomware gang promised to avoid hitting “socially significant services” such as 911, telling Bleeping Computer: “We don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects, up to the point that if someone uses our software to block the latter, we will provide a decrypt for free.”
That claim, which is impossible to verify, also obscures the bigger-picture damage still being done by all ransomware attackers.
“The Maze group has exfiltrated and encrypted the data of governments, medical practices and medical testing labs. The group has also exfiltrated and encrypted the data of logistics companies which, at a time like this, are critically important to the supply chain,” Brett Callow, a threat analyst with security firm Emsisoft, tells Information Security Media Group.
“Even if Maze does avoid targeting ‘social objects’ such as hospitals – a claim which I’d view with extreme skepticism – their actions may nonetheless indirectly interfere with the provision of critical services. At a time like this, governments need to be able to communicate, all medical facilities need to be available and supply chains need to be functioning as smoothly as possible,” he says. “Maze and other ransomware groups interfere with those essential functions and their criminal actions may well result in the loss of life.”