Ryuk Ransomware Still Targeting Hospitals During the Coronavirus Pandemic

Ryuk Ransomware continues to target hospitals and medical organizations despite the ongoing coronavirus pandemic. A few weeks ago, BleepingComputer contacted various ransomware groups and asked them whether they intended to continue targeting medical and health organizations during the crisis.

Maze and DoppelPaymer promised to avoid targeting hospitals and other healthcare organizations as they battle the spread of the viral infection. They also promised to decrypt healthcare data accidentally encrypted during that period. They, however, promised to keep attacking pharma companies that capitalize on epidemics. Since then, one of the ransomware developers, Maze, has released encrypted data stolen from a drug testing company. The cybercrime gang had stolen the data before the onset of the COVID-19 pandemic.

Ryuk Ransomware responds in action

When contacted by Lawrence Abrams, the creator of BleepingComputer, Ryuk Ransomware did not respond. However, their silence was not to be confused with tacit compliance. Since then, the cybercriminal gang has continued to target healthcare providers at a critical moment, when healthcare professionals are overwhelmed by the rising number of COVID-19 cases.

According to PeterM of Sophos, Ryuk Ransomware has attacked a healthcare provider in the United States. PeterM noted that the criminals deployed the attack through PsExec, a method consistent with Ryuk Ransomware attacks.

Over the past month, Ryuk Ransomware has targeted over 10 healthcare providers including a healthcare network of nine hospitals. One of the hospitals targeted by Ryuk Ransomware is in a state profoundly affected by the COVID-19 pandemic.

SentinelOne’s head of research division, Vitali Kremez, indicated that Ryuk Ransomware had persisted in its efforts to exploit healthcare organizations in the middle of the crisis. Other threat actors have also capitalized on the epidemic by spreading COVID-19 distribution maps laced with viruses. According to Reason Labs, such maps can steal users’ passwords, credit card numbers, and other sensitive information.

The attacks by Ryuk Ransomware and other cybercriminal gangs come as medical professionals battle to contain the contagion amidst dwindling supplies and staff shortages. Such attacks not only reduce the ability to address the spread of the disease but also put patients’ lives at risk.

According to Patrick Hamilton, Cybersecurity Evangelist at Lucy Security, cybercriminals do not consider patients’ safety when carrying out such attacks because their primary interest is making money.

“Cybercriminals don’t care whether you survive COVID-19 or not. They care about one thing: gaining from your exposure,” Hamilton said. “We know how to stop these guys because we know lack of awareness is the greatest vulnerability.”

Warning by security experts

Various experts had warned about becoming complacent because of the promises made by the ransomware operators. They indicated that the promises made by the ransomware gangs were not binding.

Additionally, technical difficulties would not allow the ransomware operators to identify which forward-looking IP addresses belonged to a healthcare organization. Therefore, such providers would get caught in the crossfire. The experts also noted that an attack on any organization involved in any part of the supply chain would eventually hurt healthcare organizations.

Security experts had also specified that other threat actors would not stop their activities against healthcare organizations. Currently, it remains unclear whether other ransomware operators are keeping to their word or are busy installing backdoors and waiting for the right time to attack. This would make it more challenging to eliminate the threat once it has already taken over core parts of the system.

The attack by Ryuk Ransomware comes as no surprise. According to Colin Bastable, CEO of Lucy Security, the healthcare industry is a rich target, and criminals would not waste the opportunity created by the pandemic.

“Healthcare is the richest target for hackers, who are never going to let the proverbial crisis go to waste,” Bastable said. “The pandemic is going to be a big payday for many cybercriminals and state-backed bad actors.”

He added that the only method to mitigate the threat was by conducting training: “Using security awareness training in a holistic, work-centered context, security teams can minimize the risks of successful ransomware attacks by patching people as well as systems. Regular training through simulated, realistic attacks reduces people’s vulnerability 10-fold.”

Salah Nassar, Vice President of Marketing at CipherCloud, said that the healthcare industry was at its most vulnerable point.

“The sudden influx of remote workers due to the coronavirus pandemic has put a strain on every business, including healthcare. As most employees transition to work from home, the number one problem healthcare organizations are struggling with is ensuring healthcare data integrity and HIPAA compliance.”

Nassar noted that healthcare professionals needed to be more vigilant in protecting data against threats posed by various cybercriminals: “IT teams need to get visibility into the data and user activity of remote workers to ensure sensitive data and PII is protected. Now is the time for healthcare organizations to be especially vigilant.”