Ransomware Gangs to Stop Attacking Health Orgs During Pandemic

By Lawrence Abrams March 18, 2020 06:36 PM 0






Some Ransomware operators have stated that they will no longer target health and medical organizations during the Coronavirus (COVID-19) pandemic.

Last night, BleepingComputer reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.
DoppelPaymer Ransomware

DoppelPaymer was the first to respond and stated that they do not normally target hospitals or nursing homes and will continue this approach during the pandemic.


"We always try to avoid hospitals, nursing homes, if it's some local gov - we always do not touch 911 (only occasionally is possible or due to missconfig in their network) . Not only now.

If we do it by mistake - we'll decrypt for free. But some companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter ) So if this happens we'll do double, triple check before releasing decrypt for free to such a things. But about pharma - they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns."

When asked what happens if a medical organization gets encrypted, we were told that a victim should contact them on their email or Tor webpage to provide proof and get a decryptor.
Maze Ransomware

Today, the Maze operators responded to my questions by posting a "Press Release" that also states that they will stop all "activity" against all kinds of medical organizations until the end of the pandemic.


"We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus."

We have not received a reply as to whether a free decryptor would be provided if a healthcare organization mistakenly gets encrypted.
Security companies offer free help

For now, if any organizations get encrypted, both Emsisoft and Coveware announced today that they would be offering their ransomware services for free to healthcare organizations during the pandemic.

This includes the following:
Technical analysis of the ransomware.
Development of a decryption tool whenever possible.
As a last resort ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.

While this help is greatly appreciated, I hope other ransomware operators will stop targeting healthcare organizations after reading this article so that it is not needed.

As this is a global epidemic, anyone could become sick with this virus, including the ransomware operator's loved ones.

Right now healthcare workers need to focus on helping people, not decrypting their files.

EMSISOFT Free ransomware help for healthcare providers during the Coronavirus outbreak

As hospitals around the world struggle to respond to the COVID-19 crisis, ransomware presents a serious risk to their ability to provide urgent care are to the critically ill. In 2019, at least 764 healthcare providers were impacted by ransomware. 

Without a global pandemic, a ransomware attack on a critical care facility can cause grave danger to patients. With COVID-19, a ransomware attack on an overwhelmed hospital could tip the balance and result in a significant loss of life.
We’re here to help

In partnership with incident response company Coveware, we will be offering completely free help to critical care hospitals and other healthcare providers that are on the front lines of COVID-19 and have been impacted by ransomware. Subject to our own capacity, we aim to provide this service for the duration of the crisis to healthcare providers anywhere in the world.

The services offered will include:
Technical analysis of the ransomware.
Development of a decryption tool whenever possible.
As a last resort ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.

Our aim? Get affected healthcare providers operational in the shortest time possible so they can minimize disruption to patient care.

If you are a healthcare service provider that has experienced an attack, get in touch.
Ransomware attacks are likely to spike in the coming weeks

Ransomware has a seasonal aspect with the number of incidents spiking during the spring and the summer months.


Chart based on our data plus data from EPSRC EMPHASIS Ransomware Project

Whether these spikes are due to increases in the number of attacks or organizations being more susceptible to attacks at certain times of year is not clear. However, in either case, it is likely that there will be an increase in the number of healthcare providers impacted by ransomware in the coming months and, unfortunately, this increase may coincide with the peak of the COVID-19 outbreak. Further, the spikes may be more pronounced than in previous years due to security weaknesses resulting from hastily introduced work-from-home arrangements, personal device usage and staffing shortages.

In short, we may be looking at a near-perfect storm in which healthcare providers are disrupted at the very time they are needed the most.
A note to ransomware groups

While we will never condone criminal behavior, we understand why financially motivated cybercrime exists. We also know you are humans, and that your own family and loved ones may find themselves in need of urgent medical care. Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can. We’re all in this together, right?
A note to security companies and professionals

Got expertise? Got some free time? Willing to assist with this initiative? Shoot us an email at volunteer@emsisoft.com. We’d love your help.
A note to other organizations that may be affected by ransomware during these trying times

It breaks our hearts not to be able to extend a helping hand to everyone. We are all in the same boat together. Our priority at this time is to ensure we have the capacity to assist the healthcare organizations helping save the lives of COVID-19 patients. If we find the capacity to extend this offer to other industries, we will update this post and provide further guidance. Until then, please hunker down and stay safe.

COVID-19 Security Resource Library A compilation of tips and recommendations from NCSA and its partners on ways to stay safe online

The National Cyber Security Alliance, our board member companies, federal partners and non-profit collaborators have worked swiftly to provide organizations and individuals with relevant and helpful information to address security and privacy concerns surrounding the global COVID-19 outbreak.

To help individuals and organizations find resources they can use and share, NCSA has launched the COVID-19 Security Resource Library. This library features free and updated information on current scams, cyber threats, remote working, disaster relief, and more. NCSA will work diligently to update this page regularly as resources become available.

Looking for a specific type of resource that you don’t see here? Let us know: info@staysafeonline.org
NCSA Encourages Vigilance Against Coronavirus Scams, Best Cybersecurity Practices for Remote Workers
NCSA’s Security Tips for Remote Workers

Avoiding Cyber Threats and Scams


CISA: Defending Against COVID-19 Cyber Scams
CISA: CISA Alerts and Recommendations
CISA: Recommendations on VPN Security
Cofense: Coronavirus Phishing Infocenter
ESET: Beware Scams Exploiting Coronavirus Fears
FTC: Tips for Avoiding Coronavirus Scams
NCSA: NCSA Statement on Coronavirus
NortonLifeLock: Coronavirus Phishing Emails: How to Protect Against COVID-19 Scams
Wells Fargo: Beware of Coronavirus Phishing Scams

Security Tips for Working Remotely


Cyber Readiness Institute: Securing A Remote Workforce
EDUCAUSE: Resources for Business Continuity and Alternative Education Delivery
EDUCAUSE: Corporate Resources for COVID-19
ESET: COVID‑19 and the Forced Workplace Exodus
Facebook: Business Resource Hub
Facebook: Small Business Resilience Toolkit
LogMeIn: Remote Work Toolkit
MediaPRO: Coronavirus Sucks: Working From Home Doesn’t Have To
NCSA: NCSA Tipsheet – Best Practices for Remote Workers
NIST: Preventing Eavesdropping and Protecting Privacy on Virtual Meetings
NortonLifeLock: Seven Tips to Help Keep Your Connections Secure

Government Assistance and Resources


CDC: What You Need to Know About COVID-19
IRS: Coronavirus Tax Relief
SBA: SBA Disaster Assistance in Response to Coronavirus
WHO: Coronavirus Disease (COVID-19) Outbreak

Hackers Created Thousands of Coronavirus (COVID-19) Related Sites As Bait

Hackers Created Thousands of Coronavirus (COVID-19) Related Sites As Bait



March 18, 2020Ravie Lakshmanan
As the world comes to grips with the coronavirus pandemic, the situation has proven to be a blessing in disguise for threat actors, who've taken advantage of the opportunity to target victims with scams or malware campaigns.

Now, according to a new report published by Check Point Research today and shared with The Hacker News, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious Coronavirus-related domains and selling discounted off-the-shelf malware in the dark web.


"Special offers by different hackers promoting their 'goods' — usually malicious malware or exploit tools — are being sold over the darknet under special offers with 'COVID19' or 'coronavirus' as discount codes, targeting wannabe cyber-attackers," the cybersecurity firm said.


COVID-19 Discounts: Exploit Tools for Sale
The report comes following an uptick in the number of malicious coronavirus-related domains that have been registered since the start of January.



"In the past three weeks alone (since the end of February 2020), we have noticed a huge increase in the number of domains registered — the average number of new domains is almost 10 times more than the average number found in previous weeks," the researchers said. "0.8 percent of these domains were found to be malicious (93 websites), and another 19 percent were found to be suspicious (more than 2,200 websites)."

Some of the tools available for purchase at a discounted price include "WinDefender bypass" and "Build to bypass email and chrome security."



Another hacking group, which goes by the moniker "SSHacker," is offering the service of hacking into Facebook account for a 15 percent discount with "COVID-19" promo code.


What's more, a seller that goes by the name of "True Mac" is selling a 2019 MacBook Air model for a mere $390 as a "corona special offer." It goes without saying the offer is a scam.


A Long List of Coronavirus-Themed Attacks
The latest development adds to a long list of cyberattacks against hospitals and testing centers, distribute malware such as AZORuIt, Emotet, Nanocore RAT and TrickBot via phishing campaigns using malicious links and attachments, and execute malware and ransomware attacks that aim to profit off the global health concern.



APT36, a Pakistani state-sponsored threat actor that targets the defense, embassies, and the government of India, was found running a spear-phishing campaign using Coronavirus-themed document baits that masqueraded as health advisories to deploy the Crimson Remote Administration Tool (RAT) onto target systems.
Researchers from security firm IssueMakersLab uncovered a malware campaign launched by North Korean hackers that used boobytrapped documents detailing South Korea's response to the COVID-19 epidemic as a lure to drop BabyShark malware. Recorded Future observed, "at least three cases where reference to COVID-19 has been leveraged by possible nation-state actors."
A COVID-19-themed malspam campaign targeting the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries via Microsoft Word documents that exploits a two-and-a-half-year-old Microsoft Office bug in Equation Editor to install AZORult malware. The AZORult info stealer has also been distributed using a fraudulent version of the Johns Hopkins Coronavirus Map in the form of a malicious executable.
A fake real-time coronavirus tracking Android app, called "COVID19 Tracker," was found to abuse user permissions to change the phone's lock screen password and install CovidLock ransomware in return for a $100 bitcoin ransom.
Another phishing attack, uncovered by Abnormal Security, targeted students and university staff with bogus emails in a bid to steal their Office 365 credentials by redirecting unsuspecting victims to a fake Office 365 login page.
Comment spamming attacks on websites that contained links to a seemingly innocuous coronavirus information website but redirected users to dubious drug-selling businesses.
Aside from malware-laden spam emails, F-Secure researchers have observed a new spam campaign that aims to capitalize on the widespread mask shortage to trick recipients into paying for masks, only to send them nothing.


Staying Secure in the Time of COVID-19
It's amply that these attacks exploit coronavirus fears and people's hunger for information about the outbreak. Given the impact on the security of businesses and individuals alike, it's essential to avoid falling victim to online scams and practice good digital hygiene:



Businesses should ensure that secure remote access technologies are in place and configured correctly, including the use of multi-factor authentication, so that employees can conduct business just as securely from home.
Individuals should keep away from using unauthorized personal devices for work, and ensure "personal devices will need to have the same level of security as a company-owned device, and you will also need to consider the privacy implications of employee-owned devices connecting to a business network."
Watch out for emails and files received from unknown senders. Most importantly, check a sender's email address for authenticity, don't open unknown attachments or click on suspicious links, and avoid emails that ask them to share sensitive data such as account passwords or bank information.
Use trusted sources, such as legitimate government websites — for up-to-date, fact-based information about COVID-19.

The effects of climate change on cybersecurity

AWARENESS
The effects of climate change on cybersecurity

Posted: March 13, 2020 by Pieter Arntz


Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.
The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:
Supercomputers
Blockchain mining
Data centers
The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, which equals about one quarter percent of the world’s entire energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to their operation on the proof-of-work concept and the high value of Bitcoin.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger impact on energy consumption are data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do computer centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the total energy consumption of the Internet as a whole lies at around 10 percent, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remote: the energy expended on the Internet and inside one’s home is far less damaging than the carbon monoxide released into the atmosphere by fossil fuels from a daily commute to the office.
Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:
Flooding of certain areas
Prolongation of the wild-fire season
Spread of diseases
Economic costs
Scarcity of fresh water in certain areas

By 2030, climate change costs are projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And The International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.
Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.


“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing in the same frequency as natural disasters themselves, often claiming to be collecting donations for a particular cause but putting money in their own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.
Improving efficiency and preparing for changes

The number of datacenters is down, but their size has grown to meet the demand. This is potentially a step in the right direction since it decreases the power needed for the overhead, but not as big as the step that could be made if they would actually work on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies would not be based on proof of work but proof of stake. Proof of work rewards the largest number of CPU cycles with that the highest energy consumption.

NEO and Hyperledger are next generation blockchain technologies with much lower electricity cost. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), which is an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation into a single resource pool and has multiple validators in the participants. It’s an enterprise collaboration engine, using blockchain smart contracts, where validation is much easier than creation, and creation will be centralized on a single, optimized platform.

More effective methods of cooling would both help supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems to control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high performance computing with air cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers as it maximizes cooling efficiency and energy reuse.
Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!