06.17.2020

Ransomware, COVID-19, and Double Extortion

By Emily Short

Ransomware, COVID-19, and double extortion. OH MY!

Ransomware attacks continue to plague businesses during the chaos of the COVID-19 pandemic.  According to Beazley, ransomware attacks were up 25% in Q1 2020 compared to Q4 2019, based upon incidents reported to their breach response teams.  The financial sector and healthcare industries accounted for half of all incidents reported.

Ransomware, a type of malicious software (malware), allows attackers to extort companies for financial gain by blocking access to files on a computer or network until the company pays the ransom demand.  This type of malware is generally self-propagating and encrypts data on the network, rendering it inaccessible and essentially useless.  Generally, a company has two choices: it can either pay the attacker a ransom to decrypt the data, or it can attempt to recreate or restore the data from backups.  Neither option is ideal.

Healthcare

Although the potential impact of a ransomware attack on patient care was already front and center for those in the healthcare industry, the pandemic has increased the urgency to recover and has strained these entities' resources.

Recognizing this risk, INTERPOL issued a warning in early April saying it detected “a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.”  Unfortunately, many cybercriminals are preying on the fear, uncertainty, and urgency by targeting those at the front lines of the pandemic.

At the beginning of the pandemic, some top ransomware groups pledged not to attack healthcare facilities and hospitals during the crisis.  Maze, one of the more prominent cybercriminal groups, said “we also stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus.”  They even committed to providing a free decryptor if one of these types of organizations is encrypted by accident.  However, it’s hard to trust professed cybercriminals, and the data shows an overall rise in these attacks.

Double Extortion

The FBI urges against paying ransom demands, and many companies would agree with this approach.  But that was before cybercriminals adjusted their business model to include double extortion.  Many top ransomware groups, including Maze, have threatened to leak the data (as opposed to just encrypting it) unless payment is made.  Now companies fear the business interruption from a ransomware attack and the potential data breach if they choose not to pay.

The ransomware groups utilizing the double extortion method often have websites that list the names of those companies who refused to pay the ransom after an attack.  These sites also generally publish a sample of the exfiltrated data to show they mean business.  This puts added pressure on the companies to pay the ransom even if they could have restored the data from backups.

Although the Maze ransomware group has allegedly committed to avoiding healthcare entities, that hasn't stopped it from hitting other critical infrastructure entities.  In June, Westech International, a U.S. military contractor, suffered a ransomware attack and a data breach at the hands of the Maze group.  The hackers compromised the company's internal systems, then encrypted and exfiltrated data.  Unfortunately for Westech, the hackers have already begun to leak the data online, which includes personal employee information and potentially classified military information.  Maze has been exceptionally busy over the last couple of months, allegedly targeting Conduent, Cognizant, Pitney Bowes, and others.

In March, U.S. pharmaceutical company ExecuPharm experienced a ransomware attack and notified the Vermont attorney general's office that Social Security numbers, financial information, driver's license numbers, passport numbers, and other personally identifiable information may have been accessed.  Their servers were encrypted, and a ransom was demanded in exchange for a decryption key.

Unfortunately, the suspicion that personally identifiable information was accessed became a reality when the ransomware group recently published data stolen from ExecuPharm's network.  Although ExecuPharm restored its servers from backups and upgraded its network security to protect against future incidents, it now has to handle the fallout from the loss of this sensitive information.  This is another example of why companies cannot rely solely on a backup strategy when faced with ransomware.

Even with the alleged promises from some cybercriminal groups, healthcare entities must remain on alert.  Plenty of other groups are willing to prey upon the overstressed hospitals and patient care centers.  In early May, Fresenius, Europe's largest private hospital operator, reportedly fell victim to a ransomware attack.  According to Fresenius, some operations were impacted, but patient care was able to continue.  By late May, a number of Fresenius patient records were up for sale on the dark web, allegedly stolen during the ransomware attack.

Conclusion

Ransomware attacks are not slowing down; they will likely continue to increase in frequency and severity because these attacks work.  In the past, many entities were able to avoid paying the ransom demand and recreate their data from backups.  Unfortunately, the "double extortion" tactic adds a whole new dimension to the ransomware saga.  Whether this will lead to an increase in ransom demands being paid remains to be seen, but one thing is for certain – the risks associated with cyber-attacks must be taken seriously.  Check out our blog post on ransomware best practices to learn more.