It's only been a couple of weeks since our team at Business Insights predicted that healthcare organizations would still be targeted by cybercriminals amid the COVID-19 outbreak. The prognostications are proving sadly accurate. Pandemic or no, healthcare cyberattacks keep coming—in spite of some cybercriminals' promises to the contrary.
Since our last update on threat pressure against healthcare and pharmaceutical organizations, news outlets reported that several criminal actors in the ransomware world had vowed to take it easy on hospitals and public health organizations.
A story from Lawrence Abrams of Bleeping Computer on March 18 reported that he'd reached out to five major ransomware operators to ask if they'd keep targeting health and medical organizations during the pandemic. Four of the five—CLOP, DoppelPaymer, Maze and Nefilim—said they'd either avoid targeting these organizations or offer free decryption if they 'mistakenly' get encrypted.
Tellingly, within days of the pledge, the operators behind Maze were reported by Computer Weekly to have broken their promise by publishing patient data from a UK medical organization that refused to pay a ransom to the group after it hit them with an attack.
Whether there really is honor among thieves is up for debate, but the fact is that there has been a steady spate of high-profile attacks against healthcare orgs in mid- to late-March. Here are some of the notable examples.
Champaign-Urbana Public Health District in Illinois
Just as public health officials in Champaign, Illinois were scrambling to disseminate early information on local government response to the pandemic, they were struck with a major ransomware attack. According to a March 11 report from local paper The News-Gazette, Champaign-Urbana Public Health District's website was taken out by NetWalker ransomware. The health district worked with the FBI, U.S. Department of Homeland Security and global risk consulting service Kroll in the aftermath of the attack, according to MSSP Alert, and it had its site up within two days.
U.S. Health and Human Services (HHS)
On March 16, Bloomberg reported that the U.S. Department of Health and Human Services (HHS) was the target of a foiled cyber incident that included a surge of DDoS traffic against its systems, apparently intended to sow "disruption and disinformation" and interrupt the coronavirus pandemic response. The National Security Council acknowledged the attack without divulging details of the attack or the motivations behind it, though Bloomberg suggested it may have been the work of a foreign actor. The incident is under investigation, but HHS officials say that no data was taken from the agency.
“We had no penetration into our networks, we had no degradation of the functioning of our networks,” said HHS Secretary Alex Azar, according to Bloomberg.
World Health Organization (WHO)
Meantime, Reuters reported on March 23 that the World Health Organization (WHO) was experiencing a two-fold increase in cyberattacks against its systems. As a part of this uptick, WHO was targeted by 'elite' hackers that were running malicious sites impersonating internal WHO email systems.
"I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic," Alexander Urbelis, a cybersecurity professional and attorney with Blackstone Law Group, told Reuters of his discovery of one such attack. WHO CISO Flavio Aggio told Reuters that the malicious site in question had been used to try to trick WHO staffers into divulging their passwords.
Ryuk Attacks Multiple Hospitals
One of the ransomware outfits that didn't respond to Bleeping Computer's request for a healthcare amnesty pledge was Ryuk, which multiple security researchers found to be relentlessly targeting hospitals in recent weeks, including nine hospitals in the U.S. Among the victim organizations was at least one hospital "located in a state that is being heavily affected by the coronavirus at this time."
"Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic," one researcher, Vitali Kremez, told Bleeping Computer. "While some extortionist groups at least acknowledged or engaged in the discourse of stopping healthcare extortionists, the Ryuk operators remained silent pursuing healthcare targeting even in light of our call to stop."
Hammersmith Medicines Research (HMR)
Medical research firm Hammersmith Medicines Research (HMR) was the company that the Maze attackers hit with a ransomware attack and then punished with the public exposure of patient records. The clinical trials company has been on the front lines of vaccine testing and, according to Computer Weekly, is on standby to carry out trials for future COVID-19 vaccines. HMR experienced the initial incursion on March 14, but told Computer Weekly that it was able to stop it and restore systems the same day. A week later, the Maze attackers published sensitive information about former HMR patients online to turn the screws on the organization in their extortion effort.
Malcolm Boyce, managing and clinical director and doctor at HMR, told reporter Bill Goodwin, "We have no intention of paying. I would rather go out of business than pay a ransom to these people."
Paris AP-HP Hospital Authority
Bloomberg reported that on March 22 the Paris hospital authority AP-HP was targeted by an unknown DDoS attacker seeking to take down its systems, according to the National Cybersecurity Agency of France (ANSSI). AP-HP manages 39 public hospitals in France and also coordinates research, disease prevention, and education. The attack lasted about an hour, was "managed by the AP-HP provider" and never impacted its infrastructure, according to a statement by ANSSI.
Kwampirs Supply Chain Attacks
On March 30 the FBI issued its third alert this year about ongoing attacks by state-sponsored actors using Kwampirs malware against targeted industries, reports ZDNet. This time the feds specifically warned healthcare organizations and software supply chain stakeholders that the actors are playing a long game, establishing and maintaining footholds rather than striking once and leaving.
"Kwampirs operations against global healthcare entities have been effective, gaining broad and sustained access to targeted entities," wrote FBI officials. "Targeted entities range from major transnational healthcare companies to local hospital organizations. The scope of infections has ranged from localized infected machines to enterprise infections."
In other words, even if the attackers take a pause for the pandemic, they've still well and truly owned many healthcare organization networks already.