Threat Management, Malware, Ransomware

Maze ransomware attackers extort vaccine testing facility


The cybercriminal gang behind Maze ransomware has been extorting a UK-based clinical research organization that's been preparing to play a potential role in testing vaccine candidates for the novel coronavirus, despite assurances that they would not harm any health care organizations during the COVID-19 crisis.

SC Media first reported an attack on the medical center, Hammersmith Medicines Research (HMR), last week, citing intelligence from Emsisoft threat analyst Brett Callow, who provided a screenshot of Maze’s website that pointed to HRM as a victim. HRM, previously known for helping test Alzheimer's drugs and a vaccine for ebola, has since confirmed the March 14 attack to ComputerWeekly.

Reportedly, the initial attack was detected and halted in progress and systems were restored with no downtime. However, the perpetrators apparently had already exfiltrated data pertaining to thousands of former HRM patients who participated in testing trials between eight and 20 years ago. Thus, after failing to receive an extortion payment from HRM, the culprits raised the stakes by starting to publish the stolen details.

Compromised files include medical questionnaires, copies of passports, driving licenses and national insurance numbers, ComputerWeekly reported.

"The criminals almost certainly haven’t published all the data that was stolen. Their modus operandi is to first name the companies they've hit on their website and, if that doesn’t convince them to pay, to publish a small of the amount of their data (so-called 'proofs'), which is the stage this incident appears to be at," said Callow in another email to SC Media. "Should the company still not pay, more data is published sometimes on a staggered basis. In previous cases, the group has also published the data on Russian cybercrime forums with a note to 'Use this information in any nefarious ways that you want.'

Last week, BleepingComputer reported that it had reached out to the operators of major ransomware gangs to ask of they would cease their activities against medical organizations during the coronavirus crisis. Maze's operators reportedly responded by saying they would do so. While the initial attack took place before this conversation, the subsequent doxxing of information suggests the cybercriminals have no intention of keeping their word.

Since the emergence of the COVID-19 pandemic, cybercriminals have sought to take advantage, often via phishing schemes that use the promise of potentially life-saving medical information as a lure. But in this case, malicious actors launched an attack that in theory could have had a deleterious effect on the medical community's COVID-19 response. In an unrelated incident earlier this month, adversaries hit the U.S. Department of Health and Human Services (HHS) with a distributed denial of service attack that was designed to slow down their computer systems, but fortunately didn't have much impact.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.