As healthcare providers and public health agencies around the world find themselves pressed to capacity to deliver care during the novel coronavirus pandemic, attackers show no signs of mercy: they continue to target healthcare websites and IT systems, further stressing a system already taxed as patients seek critical care.
According to reports, the Champaign-Urbana Public Health District was struck by a ransomware attack on March 10 and found its website unable to keep the public informed about local coronavirus updates. The attack apparently only downed the website and access to certain records. According to Doug Olenick’s report, the website (which is operational again) was hit by the Netwalker ransomware. The attack did not affect email, environmental health records or patient electronic medical records, Olenick reported.
Days later, the Brno University Hospital in Brno, Czech Republic, also came under cyberattack. According to reporting from Catalin Cimpanu, “the hospital was forced to shut down its entire IT network during the incident, and two other of the hospital's branches, the Children's Hospital and the Maternity Hospital, were also impacted.”
According to Cimpanu’s reporting in “Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak,” the attack started at 5am local time, and surgeries were cancelled at 8am. “The incident is considered a severe one and treated with the utmost urgency because the Brno University Hospital is one of the Czech Republic's biggest COVID-19 testing laboratories,” Cimpanu reported.
Unfortunately, there’s no reason to believe such attacks will let up any time soon. Attackers are likely to continue to exploit the novel coronavirus while it remains high in the headlines. According to a report from security firm RiskIQ, attackers can be expected to continue to use coronavirus in ransomware attacks.
Based on its analysis of previous attacks during global epidemics (novel coronavirus is officially a pandemic) and of contemporary phishing campaigns based on novel coronavirus, RiskIQ predicts attackers will eventually begin using ransomware against victims they infect with the AZORult and Emotet varieties of malware.
RiskIQ predicts these opportunistic attacks will target large corporations that rely on markets and supply chains that originate in China and other coronavirus-affected regions. “Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links,” the company said in a statement.
"In the past, cybercriminals have found success using disasters and global epidemics in ransomware and other malware attacks and developed a pattern we expect will continue with the coronavirus," Aaron Inness, protective intelligence analyst at RiskIQ, said in the statement. "They execute layered attack campaigns, first with phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other malware," he said.
RiskIQ’s analysts concluded that attackers may use the AZORult malware, which was used earlier to target the maritime industry on several occasions and to spread ransomware. Another likely tool in the malware arsenal is the Emotet Trojan. “Victims in Japan have received emails claiming to contain important information about the coronavirus, but clicking on the link activates Emotet. In September 2019, criminals partnered Emotet with TrickBot and Ryuk ransomware to take over an organization's network, a scenario that could play out similarly over the coming weeks and months,” RiskIQ wrote.
RiskIQ believes additional targets for attack will include health organizations tracking the spread, potential cure and management of coronavirus. "Company executives, mid-level managers, administrators of local governments, and, of course, healthcare professionals all have a vested interest in following the latest developments around the spread of coronavirus," Inness continued. "It only takes one tired or overworked individual to click on what they believe is a legitimate alert or update."
That’s the ultimate rub: while the cost to society in resources and, in the age of the pandemic, lives is high, the cost to attackers is low and the gain potentially significant. As long as that equation remains in place, these attacks will continue no matter how many lives they place at risk.