INTERPOL has issued a warning to organizations at the forefront of the global response to the COVID-19 outbreak that have also become targets of ransomware attacks, which are designed to lock them out of their critical systems in an attempt to extort payments.
INTERPOL’s Cybercrime Threat Response team at its Cyber Fusion Centre has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.
A few weeks ago, Lawrence Abrams (the creator of BleepingComputer), reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to find out if they would cease to target Healthcare organizations during this time of dire crises.
Cybercriminals promise that they will stop attacking health organizations during coronavirus outbreak. The cybercrime groups behind two of the most prolific ransomware threats have issued statements that they will not attack healthcare and medical targets during the coronavirus crisis.
Since then, Maze released data stolen from a drug testing company encrypted before their statement of not targeting healthcare, while Ryuk continues to attack hospitals despite most of them being flooded with new COVID-19 cases every day.
Russian-speaking threat actors have also attacked two European companies in the pharmaceutical and manufacturing industries in incidents suspected to involve ransomware.
Last week, Microsoft said that it has started to send targeted alerts to dozens of hospitals regarding vulnerable public-facing VPN devices and gateways located on their networks to help them prevent REvil (Sodinokibi) ransomware attackers from breaching their networks.
INTERPOL is also providing first-hand technical support to member countries, as well as mitigation and protection advice to help safeguard their critical medical infrastructure. Additionally, INTERPOL is collecting a list of suspicious Internet domains related to COVID-19 and undertaking further analysis and evaluation, and will work with the relevant countries to take action.
Defend against ransomware attacks
Healthcare orgs’ networks are currently targeted by ransomware operators via spam campaigns delivering malware payloads via malicious attachments.
The attackers camouflage these attachments as documents issued by health and government agencies, containing vital information or advice regarding the pandemic.
The INTERPOL recommends hospitals and healthcare orgs to always keep their software and hardware up to date, and to back up their data onto offline storage devices to block potential attacks from reaching them.
Hospitals and other organizations targeted by ransomware attacks are advised by the INTERPOL to take the following measures to protect their systems:
• Only open emails or download software/applications from trusted sources;
• Do not click on links or open attachments in emails which you were not expecting to receive, or come from an unknown sender;
• Secure email systems to protect from spam which could be infected;
• Backup all important files frequently, and store them independently from your system (e.g. in the cloud, on an external drive);
• Ensure you have the latest anti-virus software installed on all systems and mobile devices, and that it is constantly running;
• Use strong, unique passwords for all systems, and update them regularly.
