Several cybercrime gangs have promised to halt their attacks on healthcare organizations during the ongoing coronavirus epidemic. Other ransomware operators said they would offer free decryption to healthcare organizations that are mistakenly encrypted. However, one gang promised to continue its activities against big pharma companies that capitalize on epidemics and “earn a lot of extra on panic.” Despite these assurances, we remain skeptical that the cybercriminal gangs will keep their word.
Cybercrime gangs exploiting the epidemic
While some cybercrime gangs have promised to exclude health organizations from their attacks, others have taken advantage of the COVID-19 outbreak to spread malware. U.S. Attorney Scott Brady has issued a warning about COVID-19 scams. One of the most common attacks involves cybercrime gangs spreading malware through infected coronavirus distribution maps.
The promise to healthcare organizations
When the founder of BleepingComputer, Lawrence Abrams, contacted some of the cybercrime gangs behind ransomware operations, the DoppelPaymer ransomware operators said they avoid healthcare organizations, nursing homes, and 911 services when attacking local governments. They promised to decrypt for free in case healthcare organizations are mistakenly caught in the crossfire.
The Maze ransomware operators said they would stop attacking healthcare organizations until the situation stabilizes.
Promises not based on good intentions
According to Cyjax CISO Ian Thornton-Trump, the promise to halt all cyber-attack activities is an act of self-preservation. Thornton-Trump says any cybercrime against healthcare organizations during such a time of crisis would attract a disproportionate incident response from law enforcement agencies, including military action and special forces operations by nation states. He added that cybercrime gangs would not want the federal government to throw every capability it has against them. Thornton-Trump noted that the promise is hard to keep because public-facing IP addresses carry no indication of whether they belong to healthcare organizations or other types of businesses. He also pointed out that the supply chain for healthcare organizations is so complex that an attack on any other organization ends up affecting them.
Erich Kron, a Security Awareness Advocate at KnowBe4, shared similar sentiments.
“While this is welcome news, let’s not let this make us think these are good people running these ransomware gangs. More likely, they are probably aware that targeting these sorts of places during a global pandemic would push them straight into the spotlight of the most hated people in the world and would bring law enforcement and global pressure on them in ways they do not want. Let’s face it, these groups already walk a tight line, and being responsible for the loss of human lives during a time like this would open up the hunt for them with additional resources they do not want to deal with. Most are in the business to make money, and they weigh that with the risk of being caught. Causing issues now in healthcare would simply tip those scales to the ‘too risky’ side of the equation.”
Chris Clements, the Vice President of Security at Cerberus Sentinel, said healthcare organizations should not trust cybercrime gangs because their promises would only delay the cyberattacks, not stop them altogether.
“Healthcare organizations should absolutely not trust cyber criminals to halt operations during the COVID-19 pandemic,” Clements said. “Information we are seeing is that malware authors and hacking forum administrators are asking the hackers they support not to stop breaking into businesses, but rather to delay launching their ransomware or other extortion tools until the pandemic passes.”
Clements noted that the pause in attacks was based on financial viability rather than concern for public safety. He also indicated that healthcare organizations should remain vigilant because such promises only give criminals time to install backdoors and launch their ransomware later.
“The motivation is not altruistic, but instead selfishly concerned that the criminals won’t be paid while their victims are shut down in responding to the pandemic,” Clements warned. “Healthcare organizations, especially, should remain vigilant that attackers may be resident with backdoors in their networks for weeks or months before launching their ransomware tools.”
He also warned that the delay might allow the cybercrime gangs to solidify their presence within victims’ systems.
“Because of this extended delay between breaching and extorting, the backdoors used to maintain access can be copied into the organization’s backups, meaning that restoring from them restores cybercriminals’ access.”
ESET cybersecurity expert Jake Moore warns that it’s dangerous to rely on such promises. He indicated that there are thousands of cybercrime gangs with varying degrees of conscience and ethics, and noted how the WannaCry attack crippled the NHS even though healthcare organizations were merely collateral damage.
Javvad Malik, a Security Awareness Advocate at KnowBe4, noted that crises such as the current epidemic can bring out the best in people.
“These are strange times indeed we are living in. It is not the first time though that a ransomware operator has shown leniency towards victims or targets. In the past, there have been cases where ransomware has been removed for free when the victim demonstrated they were genuinely unable to afford the ransom or it hit some critical service.”
He cautioned, however, that not all cybercriminals share the same temperament and that it is technically challenging for them to keep their promises.
“And while some criminal gangs may be trying to be honest in their intentions to not target health and medical organizations, there is no guarantee that all criminal organizations or lone operators share the same values,” Malik said. “It is also not always possible to correctly identify medical institutes, and they still may be inadvertently targeted.”
“Just because ransomware operators are agreeing to avoid attacks on medical facilities does not mean other attackers are not trying to benefit from this event, so organizations cannot leave their guard down,” Kron added. “As a matter of fact, here at KnowBe4, we have seen the number of reported coronavirus-themed phishing and scams explode since Monday, March 16th.”
Kron reiterated that organizations in all industries should ensure they are training people to spot and report these attacks: even if ransomware operators are stepping back from these kinds of attacks, other forms of attack will persist.
Malik advised that it is risky to depend on the goodwill of cybercrime gangs and that medical organizations should always be prepared.
“Ultimately, medical, and all other organizations cannot rely on the goodwill of criminals to not target them during the time of weakness,” Malik said. “Rather, organizations should be prepared at all times for attacks, both by having the right technologies in place, and also providing the right security awareness and training to employees to help them identify and report any potential ransomware attacks.”
Cyber risks remain exceptionally high during this period, when most IT and security staff are expected to work from home. The inability to physically access computer systems might hamper their ability to respond in time. Instead of the cybercrime gangs promising to stop targeting healthcare organizations, the only promise most people would welcome is that they permanently stop all their illegal activities against all organizations and individuals.