Threat Management, Malware, Ransomware

Some cybercriminals consider laying off health care targets amid COVID-19 crisis

Certain members of the cybercriminal community, including a few malware developers and operators, have reportedly expressed a willingness to avoid attacking health care companies and other organizations that are key to battling the COVID-19 pandemic. Meanwhile, two cyber firms have pledged to offer free services to health care organizations hit by ransomware.

BleepingComputer this week contacted the cybercriminal gangs behind the Maze, DoppelPaymer, Ryuk, Sodinokibi, PwndLocker and Ako ransomware programs. Two of these actors, when asked, claimed that they would show mercy to entities specializing in health and medicine under the current circumstances.

The actors behind DoppelPaymer reportedly said that they don't target health care companies, local governments or 911 services, but if any such organizations accidentally become infected, they should contact the malware operators via DoppelPaymer's email or Tor webpage to receive a free decryptor.

However, they emphasized that they will check to make sure that victims aren't misrepresenting themselves in order to receive a break.

"...[S]ome companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter)," the cyber gang reportedly responded. "So if this happens we'll do double, triple check before releasing decrypt for free to such a things. But about pharma - they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns."

Meanwhile, the Maze cyber actors reportedly said that they would cease their activities against medical organizations until the coronavirus crisis stabilizes; however, they did not indicate if they would provide a free decryptor in case of accidental infection.

In recent months, Maze has been implicated in attacks against multiple law firms, cable manufacturer Southwire and the city of Pensacola, Fla. Both Maze's and DoppelPaymer's operators have adopted the increasingly popular strategy of threatening to publish victims' sensitive files on top of encrypting them.

BleepingComputer did not report any additional responses from the other ransomware groups.

Similar discussions appear to also be happening within the underground cybercriminal community and on the dark web. Digital Shadows, a digital risk protection firm, said that while monitoring the English language dark web forum Torum, its researchers came across a commenter who received negative responses from his or her fellow community members after inquiring how to best to exploit COVID-19.

"...[C]ybercriminals will find ways to take advantage of people's fears and uncertainties in the wake of major disasters and emergencies. However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation," wrote Alex Guirakhoo, Digital Shadows strategy and research analyst, in a company blog post on Thursday.

Other dark web denizens used various forums simply to provide the latest information on the virus' local impact and expressing concern for the health of members and their families, Guirakhoo further reported. The company also said that dark web searches on COVID-19 have generally trended similarly to clear web searches -- noting that in the past month there has been a 738 percent increase in the number of COVID-19-related terms on dark web sources. 

Even if some cybercriminals actually commit to laying off hospitals and other health care organizations, others will still likely seize the moment as an opportunity to get rich.

Brett Callow, a threat analyst at Emsisoft, reached out to SC Media, questioning Maze's sincerity about leaving health care organizations alone. He pointed to a screenshot of Maze's website, on which the group claims to have hit UK-based medical research company Hammersmith Medicines Research (HMR) on March 16.

Emsisoft and fellow cyber firm Coveware have pledged to provide free ransomware services to the health care industry during the coronavirus pandemic. Services will include ransomware technical analysis, decryption tool development (when possible), ransom negotiations (as a last resort) and more.

"Without a global pandemic, a ransomware attack on a critical care facility can cause grave danger to patients. With COVID-19, a ransomware attack on an overwhelmed hospital could tip the balance and result in a significant loss of life," said an Emsisoft blog post announcing the offer.

Emsisoft said that ransomware attacks tend to spike in the spring and summer, and if such trends hold this year, that could further complicate matters for health care providers already overwhelmed by the pandemic. "Further, the spikes may be more pronounced than in previous years due to security weaknesses resulting from hastily introduced work-from-home arrangements, personal device usage and staffing shortages," the blog post warns.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.