As hospitals globally grapple with the ongoing coronavirus pandemic, cybercriminals are intensifying their attacks on vulnerable healthcare institutions. The latest report from Palo Alto Networks reveals that threat actors are exploiting this crisis, targeting organizations at the forefront of pandemic response with ransomware and data-stealing malware.

According to the report shared with The Hacker News, “Threat actors will go to extreme lengths, including targeting medical facilities and governmental organizations working tirelessly amid the pandemic.” While specific victims were not disclosed, the cybersecurity firm highlighted recent ransomware incidents involving a Canadian healthcare organization and a medical research university within Canada, both exploited by criminal groups seeking financial gain during this critical time.

These attacks were identified between March 24 and March 26 and are linked to a surge in coronavirus-themed phishing campaigns that have proliferated in recent months. This surge in cyberattacks is concurrent with similar incidents reported by the U.S. Department of Health and Human Services and various healthcare entities in Europe, emphasizing the extensive targeting of the healthcare sector.

The research outlines how the attackers are using malicious emails that impersonate the World Health Organization; one such email distributed a deceptive document titled “20200323-sitrep-63-covid-19.doc.” This file aimed to deploy EDA2 ransomware by exploiting a known vulnerability (CVE-2012-0158) within Microsoft’s ActiveX controls. Once executed, the ransomware contacts a command-and-control server to facilitate the encryption of files on infected systems.
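For defenders, the lure described above can be triaged at the mail gateway. The following is an added example, not code from the report or from Palo Alto Networks: it flags messages whose sender display name claims to be the WHO while the address is outside `who.int`, and attachments that are legacy Office containers or carry pandemic-themed filenames. The `who.int` domain check, the keyword list, the magic-byte table and the names `triage` and `sample` are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions, not from the article: who.int as WHO's real mail domain,
# the lure keywords, and the container magic bytes checked below.
WHO_DOMAIN = "who.int"
WHO_NAME = re.compile(r"\bwho\b|world health organi[sz]ation", re.I)
LURE_WORDS = ("covid", "corona", "sitrep")
LEGACY_MAGIC = {b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2", b"{\\rt": "RTF"}

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    trusted = domain == WHO_DOMAIN or domain.endswith("." + WHO_DOMAIN)
    if WHO_NAME.search(display) and not trusted:
        findings.append(f"sender-claims-who:{domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        # Classify by content, not extension: a ".doc" name may hold RTF or OLE2.
        kind = next((k for m, k in LEGACY_MAGIC.items() if body.startswith(m)), None)
        if kind:
            findings.append(f"legacy-office-container:{kind}:{name}")
        if any(w in name for w in LURE_WORDS):
            findings.append(f"pandemic-lure-filename:{name}")
    return findings

def sample(addr="updates@example.net", attach=True):
    """Constructed test message; the attachment is a harmless magic-byte stub."""
    m = EmailMessage()
    m["From"] = f"World Health Organization <{addr}>"
    m["To"] = "staff@hospital.example"
    m["Subject"] = "COVID-19 situation report"
    m.set_content("Please review the attached report.")
    if attach:
        m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
                         maintype="application", subtype="msword",
                         filename="20200323-sitrep-63-covid-19.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(sample()):
        print(finding)
```

Each finding is a signal for quarantine or analyst review rather than a verdict; a display-name mismatch combined with a legacy Office attachment is the pattern that matches the campaign described here.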

It is noteworthy that the malware did not utilize current dates in its file naming conventions, which raises questions about the attackers’ operational security. Moreover, the rapid execution process indicates a planned strategy hinging on exploiting real-time vulnerabilities without attempting to establish legitimacy.

Given this context, suitable tactics from the MITRE ATT&CK Framework could include initial access through phishing, exploitation of public-facing applications via the noted CVE, and possibly privilege escalation to maximize impact once inside the network. These tactics reveal a standard pattern in ransomware deployment, where the goal is to encrypt critical data and extract ransom payments to regain access.

The uptick in ransomware incidents is reflective of a broader trend linked to the pandemic, characterized by a rise in phishing attempts leveraging crises to manipulate individuals into downloading malware. This has been compounded by Check Point Research’s findings that mobile phishing incidents have also surged, as individuals increasingly rely on mobile devices for pandemic-related information.

With hospitals facing immense pressure to maintain operations amid the crisis, cybercriminals are banking on their urgency to compel quick ransom payments. A recent report by RiskIQ indicates that ransomware attacks on healthcare facilities surged by 35% from 2016 to 2019, with demands often exceeding $59,000. Hackers appear to target smaller hospitals that may lack robust cybersecurity defenses, heightening their vulnerability.

In light of the escalating threat landscape, Interpol has issued warnings regarding the targeting of healthcare institutions, stressing the critical need for enhanced cybersecurity protocols. Organizations are urged to remain vigilant for phishing schemes, strengthen their data encryption practices, and ensure regular backups are maintained offline to mitigate the risks posed by these evolving threats.

This situation underscores the imperative for business leaders within the healthcare sector to fortify their cybersecurity measures and develop comprehensive incident response strategies equipped to handle the complexities of modern cyber threats. Continual education and awareness of potential vulnerabilities are crucial in safeguarding sensitive patient information in such precarious times.
