Researchers caution that hospitals are at risk of new ransomware attack threat
A new report published by Check Point Research today cautions hospitals regarding the rise of what it refers to as a double extortion cyber threat. Although first spotted during the latter stages of 2019, the threat actors behind several ransomware groups have now pivoted to using the same attack methodology. In what Check Point calls a rising trend, this ransomware tactic involves extracting large quantities of sensitive data before applying the encryption lock that requires a ransom to be paid in order for the key to be made available. Some of that data is published to the dark web and linked to in the ransom demand, to prove to the victim that the attackers are serious. Do not pay the ransom, or delay paying it, and more data is published.
The collateral damage that this type of double extortion ransomware threat can cause has been displayed in the case of an attack against a specialist parts supplier called Visser Precision. The DoppelPaymer ransomware actors published various documents related to customers, including Lockheed Martin, SpaceX and Tesla so as to exert pressure to pay up.
Many of the attacks will be using concerns about the current COVID-19 pandemic as bait during the initial threat targeting. This should come as no great surprise as cybercriminals are known to favor high profile current affairs, and if there is a fear element surrounding those, then even better. Nor, sadly, am I surprised that Check Point Research is urging hospitals on the frontline of dealing with the pandemic to beware. “Check Point Research issues caution to hospitals, as they are prime targets for ransomware attacks given their inundation with the coronavirus,” the report states. A Check Point spokesperson told me that it had “deployed several teams and resources to scan the health care sector” for any double-extortion ransomware attacks.
Ransomware gangs promise not to attack healthcare targets
DoppelPaymer and Maze ransomware operators made a promise not to target healthcare or medical institutions during the COVID-19 pandemic. How’s that going? Not so good is the unsurprising answer. I have already written about a medical facility on standby to help test any COVID-19 vaccine that got hit by one of those very groups that made the no attacks promise. The first attack was before the “ceasefire,” but the extortion efforts continued after it. Maze has since issued a press release reaffirming it will refrain from future attacks against “medical organizations” and has even offered ransom discounts to those attacked beforehand. Color me totally unimpressed.
More questions than answers
Lotem Finkelstein, the threat intelligence manager at Check Point, told me that there are still worrying questions: “Who decides when this ceasefire ends and is this ceasefire global or limited to areas of crisis?” Then there is the small matter of how these ransomware businesses, and that is what they are, plan to compensate for the exclusion of the healthcare sector. If it is by targeting manufacturers, the whole collateral damage argument fires up once more. Is it not the same, Finkelstein asks, if the groups hit protection equipment manufacturers? What he would like to see is “a ceasefire at least until after we gain control of COVID-19.” That, I am afraid to say, is wishful thinking. I have said it before, and I will say it again: cybercriminals have no functional moral compass. Other threat actors were also spotted towards the end of 2019 pivoting to this ransomware attack methodology. The operators of these groups have not made any promises to refrain from targeting healthcare organizations.
The Check Point report comes complete with mitigation advice.