How Ransomware Attackers are Exploiting the COVID-19 Crisis
Hackers are exploiting companies’ loosened cybersecurity, particularly as many employees are now relying on ad hoc work-from-home setups. Some ransomware strains are even being named after COVID-19 as they infiltrate hospitals and essential businesses around the world.
In this post, we take a closer look at the attacks we’ve seen so far – and how to thwart them.
Exploiting the COVID-19 Crisis: Who’s being targeted?
No business is immune to ransomware. On any given day, a company falls victim to ransomware roughly every 14 seconds. But as the coronavirus has swept over the world, so too have new strains of file-locking malware that appear to be aimed specifically at the most vulnerable organizations.
Targets have included:
- Hospitals & medical facilities
- COVID-19 testing sites
- Public health departments
- Research firms
These targets are in addition to the countless other businesses, in virtually every industry, experiencing ransomware attacks every day.
Hospitals upended by ransomware
Hospitals have long been a preferred target for ransomware, because of the valuable nature of medical data.
Hackers know that medical facilities will be more willing to pay larger ransoms to restore their critical operations. COVID-19 has made the situation even worse. As front-line organizations battle an increase in patients infected with the novel coronavirus, they are also now coming under increased attack from ransomware.
The problem has become so widespread that law enforcement agencies like the FBI and INTERPOL have been forced to issue warnings across the globe.
“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cyber-criminals who are looking to make a profit at the expense of sick patients,” INTERPOL wrote in a statement. “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.”
Patients turned away
In March, ransomware severely disrupted operations at Brno University Hospital, one of many critical healthcare facilities facing attacks around the world.
The Czech hospital is the second largest in the country and also a major COVID-19 testing hub. But when ransomware struck, everything was upended.
With its computer systems completely locked, the hospital was forced to turn away patients, including those suffering serious conditions. Surgical procedures were also canceled, and the chaos delayed test results for those waiting to hear if they tested positive for the virus.
Attacks on the rise
Remember that ransomware is a business model. It’s an entire market made up of not only the actors behind the attacks, but also coders, developers, resellers of DIY ransomware kits and other middlemen. And the data suggests that business is very good right now.
Fortune has identified dozens of successful attacks on hospitals and other medical facilities worldwide. Europol, the E.U.’s law enforcement agency, has said that all of its 27 member countries have reported an increase in attacks. One security firm reported a 4,000% increase in ransomware emails during COVID-19.
In the U.S., the Department of Homeland Security (DHS) released a joint statement with the UK’s National Cyber Security Centre (NCSC), warning that “Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware … Hospitals and health organizations in the United States, Spain, and across Europe have all been recently affected by ransomware incidents.”
Labs and research firms are also being hit
Hospitals aren’t the only facilities being targeted right now.
In March, hackers struck a medical lab in California that has been researching treatments for COVID-19.
10x Genomics Inc., which makes tools used by researchers working on the coronavirus, reported in a regulatory filing that it had been the victim of a targeted ransomware attack. Fortunately, the company was able to restore its systems, so there was “no material day-to-day impact.” However, the hackers allegedly managed to steal a large amount of data.
The attackers reportedly used REvil/Sodinokibi ransomware and publicly claimed to have stolen 1TB of data, a portion of which they posted online as proof of their theft.
Illinois public-health agency taken down
In another attack, hackers disrupted a public-health agency that serves more than 200,000 people in central Illinois.
The ransomware infection took down the website for the Champaign-Urbana Public Health District and temporarily cut off employees from accessing medical files.
This particular attack used a strain of ransomware known as NetWalker, which targets enterprises running on Microsoft Windows 10. The health agency was able to maintain access to its email systems, but it was forced to establish an emergency backup website so that it could keep the public updated on COVID-19.
Every business is a target
To be clear, it’s not just the healthcare industry that needs to be vigilant right now. In the months prior to the coronavirus outbreak, we were already in the midst of a global rise in ransomware.
Attackers know that businesses are especially vulnerable right now, during a period of massive transition for many companies. The panic and confusion surrounding COVID-19 are exactly what hackers prey upon.
Consider the most common method that attackers use to infiltrate a business: deceptive spam and phishing emails.
The deception is even more effective when people are unfamiliar with new systems or anxious in general about their situation. Some phishing emails are very sophisticated and designed to look exactly like messages that users would ordinarily receive from trusted senders. But when users click the links to enter their logins, or open the attachments, that’s when hackers make their move …
What an attack looks like
In the case of infected attachments and malicious websites, the destruction can happen almost immediately. The ransomware is downloaded onto the user’s computer, where it executes and spreads outward across the network.
In other scenarios, the infection is slower and more insidious. With phishing emails, hackers steal the users’ credentials, giving them access to otherwise secure systems. From there, the hackers can steal data within the system and deliver malware as needed over time. Sometimes the ransomware runs silently in the background, worming its way across the network, infecting as many devices as possible before the full attack happens.
By the time users know what has happened, it’s too late. Files are encrypted, and entire servers are effectively bricked. In the process, operations grind to a halt, resulting in costly downtime.
How to protect your organization
Cybersecurity and data protection are more important than ever.
In an interview with ZDNet, CEO Flavius Plesu of risk intelligence firm OutThink said, “At times of increased risk, security teams must be extra vigilant and understand that the risk of a cyberattack is much higher than usual as hackers try to take advantage of tired, overstretched staff that potentially have their guards down.”
Here are some critical defensive measures that every business should implement:
- Back up your data constantly: Don’t become lax about backups if employees are now working remotely. In a ransomware attack, only a robust backup and disaster recovery solution will enable you to recover encrypted data. We recommend the Datto SIRIS, which delivers business continuity with full infrastructure backups, rapid restore options and built-in ransomware detection.
- Update all software and operating systems: Some ransomware is designed to exploit vulnerabilities in outdated applications. Be sure that all systems are updated with the latest patches.
- Educate employees on cybersecurity: Train users how to spot potentially malicious emails, as well as safe practices for using the Internet.
- Set access controls: Apply the principle of “least privilege” to all systems and services: users should only have access to the folders and systems they need. This will help prevent a ransomware infection from spreading unimpeded across directories.
- Restrict unknown applications from running: Use application whitelisting to prevent all applications from executing except for those on the approved list.
- Strengthen firewalls: If you now have remote workers or are making other infrastructure changes due to COVID-19, make sure your firewall settings haven’t been loosened in the process. Block access to known malicious IP addresses and revisit all port-forwarding rules to eliminate any non-essential open ports.
- Check your spam filters: The vast majority of malicious emails can be blocked before they ever reach your inboxes. Enable strong spam filtering and authenticate inbound email to prevent email phishing and spoofing.
- Scan for malware: Use a strong antimalware solution to detect threats before they’re executed. Enable server scanning as well as endpoint protection. Be sure that the software is set to load updates and start scans automatically.
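The spam-filter measure above hinges on authenticating inbound email. The following is an added example (not code from the original post or from Invenio IT) of what that check looks like in practice: a small triage filter that reads the Authentication-Results header (RFC 8601) stamped on each message by the receiving mail server, checks the SPF, DKIM and DMARC verdicts, verifies DMARC-style alignment between the visible From: domain and the domain that actually authenticated, and returns a verdict a quarantine rule can act on. The mail server name, domains and sample messages are all constructed for the example.

```python
"""Triage inbound mail on sender-authentication results (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Authserv-id of our own verifying MTA (constructed). Only results stamped under
# this identifier are trusted: a sender can include its own Authentication-Results
# header, so the edge MTA must strip inbound copies and we ignore any other id.
TRUSTED_AUTHSERV = "mx.example-corp.test"

_COMMENT = re.compile(r"\([^)]*\)")  # RFC 5322 comments such as "(sender IP is ...)"


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: (result, props)})."""
    parts = [p.strip() for p in _COMMENT.sub("", value).split(";")]
    authserv = parts[0].split()[0].lower() if parts and parts[0] else ""
    results = {}
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:  # e.g. smtp.mailfrom=..., header.d=..., header.from=...
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return authserv, results


def org_domain(domain):
    """Relaxed-alignment approximation: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(a, b):
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)


def classify(raw):
    """Return ('deliver' | 'quarantine', reasons) for one RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    trusted = None  # results from our own MTA, wherever they sit among the headers
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(value)
        if authserv == TRUSTED_AUTHSERV:
            trusted = results
            break
    if trusted is None:
        return "quarantine", ["no Authentication-Results header from our own MTA"]

    dkim_result, dkim_props = trusted.get("dkim", ("none", {}))
    spf_result, spf_props = trusted.get("spf", ("none", {}))
    dmarc_result, _ = trusted.get("dmarc", ("none", {}))
    mailfrom_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]

    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain)

    reasons = []
    if dmarc_result == "fail":
        reasons.append("dmarc=fail for From: domain %s" % from_domain)
    if not (dkim_ok or spf_ok):
        reasons.append("neither DKIM nor SPF passed for a domain aligned with %s" % from_domain)
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (headers only; bodies are irrelevant to the check).
SAMPLES = {
    "legitimate": (
        "From: HR Team <hr@example-corp.test>\n"
        "Authentication-Results: mx.example-corp.test; spf=pass (sender IP is 203.0.113.10)"
        " smtp.mailfrom=hr@example-corp.test; dkim=pass header.d=example-corp.test;"
        " dmarc=pass header.from=example-corp.test\n"
        "Subject: Updated remote-work policy\n\nbody\n"
    ),
    "relaxed_alignment": (  # DKIM signed by a subdomain of the From: domain
        "From: Security Alerts <alerts@example-corp.test>\n"
        "Authentication-Results: mx.example-corp.test; spf=none;"
        " dkim=pass header.d=mail.example-corp.test; dmarc=pass header.from=example-corp.test\n"
        "Subject: Password expiry\n\nbody\n"
    ),
    "spoofed_from": (  # authenticates as a bulk sender but displays our own domain
        "From: IT Support <support@example-corp.test>\n"
        "Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=bulk-sender.test;"
        " dkim=pass header.d=bulk-sender.test; dmarc=fail header.from=example-corp.test\n"
        "Subject: Urgent: re-enter your VPN credentials\n\nbody\n"
    ),
    "forged_results": (  # a header stamped by a host that is not our MTA
        "From: Payroll <payroll@example-corp.test>\n"
        "Authentication-Results: some-other-mx.test; spf=pass smtp.mailfrom=example-corp.test;"
        " dkim=pass header.d=example-corp.test\n"
        "Subject: Invoice attached\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, why = classify(raw)
        print("%-18s %-10s %s" % (name, verdict, "; ".join(why)))
```

The alignment check is what defeats the common phishing pattern of a message that passes SPF and DKIM for the sender's own infrastructure while showing a trusted From: address; a filter that only looks for "pass" would deliver it. The `org_domain` helper approximates DMARC relaxed alignment with the last two labels, which is wrong for suffixes such as `co.uk`; a production filter should use the public suffix list.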
We don’t yet know when things will return to normal for businesses, but one thing is certain: the threat of ransomware will remain long after COVID-19 is gone.
Organizations in every industry need to be proactive about strengthening their cybersecurity and business continuity systems to keep the next disaster at bay.
To see how your organization can effectively combat ransomware with today’s best BC/DR solutions, request a free demo or contact our business continuity experts at Invenio IT. Call (646) 395-1170 or email us at success@invenioIT.com.