Although cyber criminals looking to take advantage of the COVID-19 global pandemic might first target corporations, they will also look to capitalize on vulnerabilities exposed within healthcare organizations, according to a new analysis.
The report from cybersecurity company RiskIQ noted that the primary focus for cyber criminals during this health crisis will be corporations, as most rely heavily on markets and supply chains originating in China and other affected regions. As such, “they will be laser-focused on the developments related to the virus.”
But a secondary target, they added, could include “health organizations involved in tracking the spread, finding a cure, or providing associated public service functions. Targets of opportunity could consist of any institution or individual seeking general information about the spread and impact of the virus,” the report’s researchers stated.
The two likely methods of attack both include phishing campaigns, according to the analysis. The first involves the AZORult malware, which attackers used to deploy ransomware on at least three different occasions since 2018. The second phishing campaign relies on the Emotet Trojan. Victims in Japan have received emails claiming to contain important information about the coronavirus, but clicking on the link activates Emotet, the report stated.
Since the World Health Organization (WHO) declared the coronavirus a public emergency on January 30, RiskIQ said it’s been observing a malicious spam campaign seeking to capitalize on this worldwide interest in the spread and impact of the virus.
According to a second report from the firm, “Cyber criminals are capitalizing on coronavirus concerns, which has led to a spike in malicious online activity that we assess will increasingly impact healthcare facilities and COVID-19 responders.”
The report noted that BleepingComputer found that on March 24, cybercriminals targeted hospitals with Ryuk ransomware. Likewise, Forbes reported on March 23 that Hammersmith Medicines Research, a British medical facility on standby to test COVID-19 vaccines, was attacked by a ransomware group called Maze. Fortune also reported a rise in ransomware attacks against medical facilities, the report detailed.
Working remotely has also changed the attack surface, researchers said. “In the past few weeks, security protocols have completely changed—firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and, in many cases succumbing to human error, such as critical misconfigurations.”
To further home in on their victims, attackers look for entry points such as unknown, unprotected, misconfigured, and unmonitored digital assets. Microsoft, for example, has seen one operation known as REvil, which targets vulnerabilities in VPN devices and gateway appliances to breach networks, and many other groups are operating the same way, the report revealed.
Related to cyberattacks occurring during a health crisis, RiskIQ stated that one campaign criminals have had success with involves conspiracy theories claiming the existence of “unreleased cures” being kept from the public. The email urges recipients to click on an embedded link to receive information about the “cure,” and the link leads users to a fake DocuSign page, the analysis showed. Another attempt is via fake domains designed to look like the U.S. Centers for Disease Control and Prevention (CDC) and the WHO.
What’s more, many of the attack methods cybercriminals are using have been deployed during previous international health scares, with the one key difference being the improvement in attack tools, according to the report.
For instance, in 2016, during the Zika virus outbreak, researchers discovered an email purporting to be from Saúde Curiosa, a health and wellness website in Brazil. Within the email were links and attachments that contained malware, claiming to be instructions on how to eliminate the virus and the mosquitoes that spread it. Similarly, in 2014, cyber criminals sent emails with an attached report on Ebola that also had malware.
An increase in attacks
RiskIQ studied 127 ransomware attacks between 2016 and 2019, finding that attacks on healthcare facilities are up 35 percent in this timeframe. Cybercriminals tend to go after direct patient care facilities such as hospitals or healthcare centers (51 percent), medical practices (24 percent), and health and wellness centers (17 percent). Researchers believe that attackers prefer these facilities because they are more likely to pay to prevent disruption to patient care.
Small facilities are also singled out, likely due to their lean security support; 70 percent of the attacks reviewed were directed at facilities with fewer than 500 employees.
While most facilities that researchers examined did not disclose paying a ransom, 16 percent did. However, the researchers importantly noted that paying the ransom does not guarantee the recovery keys will be provided or, if they are, that they will work. In fact, in 2019, the FBI issued an alert urging private and public organizations not to pay ransoms, noting some victims were never provided the decryption key after paying.
The costs of these attacks are high and often long-lasting, the report further revealed. The average ransom demand is $59,000, according to the cases this study looked at, but that is often just the beginning of the costs associated with an attack, as system downtime can sometimes last months.
Even worse, hospitals that have been hit by a data breach or ransomware attack can expect to see as many as 36 additional deaths per 10,000 heart attacks per year, according to a recent study by researchers at Vanderbilt University’s Owen Graduate School of Management.