Unity and Opportunism in the Time of Coronavirus

As Shakespeare noted, “Adversity makes strange bedfellows.” So it is in the Time of Coronavirus. Who would have thought that cybersecurity firms would have the same goals as hackers? Some cybersecurity firms have agreed to offer their services free to hospitals and healthcare workers while they battle COVID-19. At the same time, some major ransomware hacking groups have agreed to suspend their attacks on the healthcare sector.

There is a coalition building against a common enemy. Cybersecurity firms Emisoft and Coveware have offered to decrypt any ransomware or negotiate with any attackers free of charge. In Europe, a group of cybersecurity volunteers, called C-19, organized to “facilitate and enable a Volunteer Matchmaking service to give healthcare services access to a pool of cyber security experts.” A number of ransomware groups claimed they would not target hospitals or healthcare workers during the pandemic, but admitted that these institutions could be attacked by accident. This is because most ransomware is indiscriminately delivered via emails through botnets. Some of these hacking groups claimed that if they accidentally hacked and encrypted a healthcare service, they would decrypt the files for free. Who would have thought it would take a virus to unite the world?

Now, you might think this is the end of the story. Unfortunately, it is not. Hackers have never been known to care much about their victims. On numerous occasions, hackers have driven their victims to suicide without blinking an eye. How is it possible for human beings to justify such behavior? According to psychologists, Sykes and Matza, they do this through a defense mechanism they term, “denial of responsibility”, through which the hackers see themselves as victims of their environment. The conditions they find themselves in, not they, themselves, are responsible for their actions. This is especially true of hackers from third world countries who often justify their actions by pointing to their poverty as giving them no choice. Of course, they fail to notice that most people in the same country, who are even poorer than they are, do not resort to crime to stay alive. Such selective blindness to the cruelty of their acts actually entices them to seek out and monetize misery.

So even though a few organized ransomware groups may suspend their attacks on healthcare, individuals and other less ethically motivated groups will not only continue to operate, but will relish the opportunity to put the squeeze on the overworked and stressed healthcare sector. Attackers figure that most hospitals will be more than willing to pay a ransom rather than lose control of their networks during this difficult time.

Recently, more amateur hackers have been getting involved in the lucrative ransomware business. This is due to the offering of ransomware-as-a-service (RaaS), which allows even novice hackers a way to make a good income by becoming an affiliate of a known ransomware attack group. All they have to do is pay a participation fee.

Attacks are also being launched by major ransomware hacking groups. One of the largest of these groups, Ryuk, is, in fact, ramping up its attacks on healthcare at this time. As Vitali Kremez, Head of SentinelOne, told Bleeping Computer, “Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic. While some extortionist groups at least acknowledged or engaged in the discourse of stopping healthcare extortionists, the Ryuk operators remained silent pursuing healthcare targeting even in light of our call to stop,”. CrowdStrike identifies Ryuk as a Russian hacking group, more than likely affiliated with the Russian government. With plummeting oil prices and, by extension, plummeting income, the Russian government probably sees healthcare attacks as a good way to cushion their fall into recession.

But Russia is not the only nation-state interested in exploiting COVID-19 to attack healthcare networks, This week (March, 30th) the F.B.I. posted a warning about the information gathering malware, Kwampirs.


This is a sophisticated malware with the ability to gain control of and move through an organization’s network to exfiltrate valuable information to the attackers. And who do the experts think is behind these attacks? Our old friend, Iran.

Many of the attacks on the healthcare sector have probably not even been discovered yet. They may remain hidden for many months before they are detected.  Let’s face it. Healthcare organizations have more important things to worry about at the moment, and don’t think that hackers don’t realize this.

Here are a few recent attacks that seem to be profiting from the coronavirus pandemic. The World Health Organization (WHO) has seen cyber attacks on it double since the pandemic began. A UK vaccine research unit, working on testing COVID-19 vaccines, was compromised and, although they repelled the ransomware attack and no ransom was paid, sensitive information was stolen. The bad news is that it was stolen by Maze, one of the ransomware groups that claimed it wouldn’t attack healthcare-related firms. So much for honor among thieves.

Last month in the Czech Republic, Brno University Hospital, which was doing coronavirus testing, was partially knocked offline by a cyber attack. The entire hospital network, including those of the affiliated Children’s Hospital and Maternity Hospital, was forced to shut down. Severely ill patients had to be turned away and surgeries had to be postponed.

Keep in mind that the firms volunteering to help healthcare workers and healthcare facilities can only do so much. They may be able to decrypt some ransomware, negotiate with the hackers, or offer advice. In the final analysis, however, they really can’t stop irresponsible employees or associates from being fooled by a well-prepared spearphishing email. The vulnerability of endpoints to such attacks has increased due to the large number of people forced to work from home. Are those endpoints protected? These remote working employees must certainly have access to the networks of the organizations they work for; otherwise, how would they be able to work from home? In other words, vulnerabilities have increased in proportion to the number of employees working from home. This change has occurred so quickly that most healthcare facilities didn’t have the time or the money to check on the safety of each endpoint. Without quality endpoint protection, they are simply disasters waiting to happen.

My guess is that most healthcare organizations attacked during this pandemic will simply pay whatever ransom is necessary to get their network up and operating. However, there is no guarantee that paying a ransom will resolve the situation. In addition, it is even more likely that a quick payment will send a message to the attackers that they have found an easy target and there is a good chance they will encrypt the network once again. Keep in mind that not only healthcare facilities will be targeted, but any institution connected to COVID-19 research or vaccine development. No target is considered sacred. So, in the end, it seems that the real victim during the Time of Coronavirus will be that of basic human decency.






Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s