Ransomware Attackers Pledge to Stop Targeting Hospitals During the Coronavirus Crisis
The COVID-19 pandemic has brought to light both good and bad sides in people. We see that in times of crisis, some individuals easily give in to panic, making them act irrationally. People tend to overstock on goods they probably won't even need, and they do that either for a hypothetical worst-case scenario or to profit by reselling the products for a much higher price. In both cases, they are causing chaos and even more panic in times where we, as a people, need to unite and help each other.
Of course, not all is bad. The crisis has also shown that there's good in people too. With the ongoing global epidemic, it's crucial for healthcare workers to remain focused on helping people and not deal with malware attacks. The question is, can we rely on hackers to show mercy and stop attacks on medical organizations during the Coronavirus outbreak? And, if they promise to do that, can we take their word for it? It appears we will soon find out, as some ransomware gangs have already pledged not to target hospitals for the duration of the pandemic.
DoppelPaymer, Netwalker, and Maze ransomware groups promise to avoid hospitals attacks
DoppelPaymer actors have stated that as a rule, they leave out medical organizations when they execute attacks, 911 included too. Of course, mistakes happen due to misconfigurations in their network. In such cases, they promise to provide the affected hospitals with a free decryption tool. However, the DopplePaymer gang comments that as far as pharmaceutical companies are concerned, they do not wish to support them, since they earn the most during the Coronavirus crisis.
Representatives of the Netwalker ransomware gang commented that attacking hospital systems was never in their plans. However, when approached with the question about free decryption for hospitals that got hit with Netwalker by accident, they claimed that in such cases, victims must still pay for the decryption tool, regardless if they are a medical organization or not.
The Maze malware group also confirmed that they would stop targeting healthcare organizations but only until the situation is stabilized. It's still unknown if they'll offer to decrypt affected medical systems for free, should an attack happen by accident. Sadly, a few days after they made that promise publicly, malicious actors used Maze ransomware to attack a British company called Hammersmith Medicines Research (HMR), leaking the personal information of over 2000 former patients between the age of 8 to 20. The data contains copies of passports (some of which are still active), driving licenses, insurance numbers, medical surveys, etc.
Cybercriminals targeted one of the Czech Republic's biggest hospitals
Speaking of malware attacks on healthcare, a hospital in the Czech Republic's second-largest city, Brno, was hit with malware. The hospital tweeted: “Basic operation has been preserved, some computer systems are limited,” adding that some scheduled operations got postponed due to the attack. The University Hospital Brno was running tests for the novel Coronavirus. It's still unknown if the cyber attack would affect the regularity of conducting the COVID-19 tests. People were quick to point out that the main cause of the rising attacks on healthcare is the outdated systems used in hospitals.
Are cybercriminals capable of keeping their word?
Even if the creators of DoppelPaymer, Maze, and Netwalker wanted to exclude healthcare organizations from their attacks, it's important to note that they may not have the full power to make that decision. You see, threats like these are often used as a RaaS (Ransomware-as-a-Service) model. In reality, the malicious code gets developed by the creators, who then sell it to their affiliates. It is up to the affiliates to initiate the attack through scam emails (or other distribution methods), deploy the malware, extract valuable information from the infected machine, and at the end – pay the creators. And, in most cases, the affiliates don't target specific organizations by name. Instead, they search for the most vulnerable systems. That being said, their attacks can easily reach hospital systems by accident.
The attack on HMR was declared such a mistake, and the Maze team took down the stolen private information from their site. Still, the damage was done, and many people consider their promise to be broken. Even if hackers want to keep their word, it seems like they may not be in a position to make such promises in the first place.