The cybercriminal gang behind Maze ransomware has been extorting a UK-based clinical research organization that's been preparing to play a potential role in testing vaccine candidates for the novel coronavirus, despite assurances that they would not harm any health care organizations during the COVID-19 crisis.
SC Media first reported an attack on the medical center, Hammersmith Medicines Research (HMR), last week, citing intelligence from Emsisoft threat analyst Brett Callow, who provided a screenshot of Maze’s website that pointed to HRM as a victim. HRM, previously known for helping test Alzheimer's drugs and a vaccine for ebola, has since confirmed the March 14 attack to ComputerWeekly.
Reportedly, the initial attack was detected and halted in progress and systems were restored with no downtime. However, the perpetrators apparently had already exfiltrated data pertaining to thousands of former HRM patients who participated in testing trials between eight and 20 years ago. Thus, after failing to receive an extortion payment from HRM, the culprits raised the stakes by starting to publish the stolen details.
Compromised files include medical questionnaires, copies of passports, driving licenses and national insurance numbers, ComputerWeekly reported.
"The criminals almost certainly haven’t published all the data that was stolen. Their modus operandi is to first name the companies they've hit on their website and, if that doesn’t convince them to pay, to publish a small of the amount of their data (so-called 'proofs'), which is the stage this incident appears to be at," said Callow in another email to SC Media. "Should the company still not pay, more data is published sometimes on a staggered basis. In previous cases, the group has also published the data on Russian cybercrime forums with a note to 'Use this information in any nefarious ways that you want.'
Last week, BleepingComputer reported that it had reached out to the operators of major ransomware gangs to ask of they would cease their activities against medical organizations during the coronavirus crisis. Maze's operators reportedly responded by saying they would do so. While the initial attack took place before this conversation, the subsequent doxxing of information suggests the cybercriminals have no intention of keeping their word.
Since the emergence of the COVID-19 pandemic, cybercriminals have sought to take advantage, often via phishing schemes that use the promise of potentially life-saving medical information as a lure. But in this case, malicious actors launched an attack that in theory could have had a deleterious effect on the medical community's COVID-19 response. In an unrelated incident earlier this month, adversaries hit the U.S. Department of Health and Human Services (HHS) with a distributed denial of service attack that was designed to slow down their computer systems, but fortunately didn't have much impact.