Threat Intelligence

    Healthcare Organizations Attacked by Coronavirus-Related Ransomware

    Healthcare providers on the front line of the COVID-19 pandemic now also face the threat of catastrophic ransomware attacks delivered via coronavirus-themed emails.

    by Mike Faden

    Key Points

    • Hospitals and other medical providers are facing a growing volume of ransomware attacks initiated via coronavirus-themed phishing emails.
    • Some of these attacks have caused major operational problems or financial losses.
    • The attacks are part of a broader surge in opportunistic cyberattacks threatening all industries by exploiting users’ desire for information about the coronavirus.
    • Steps that healthcare organizations can take to resist ransomware cyberthreats include increasing user security awareness, enforcing the use of strong passwords and multifactor authentication, and promptly eliminating known software vulnerabilities.


    Healthcare organizations struggling to cope with the COVID-19 public health crisis now face another big threat triggered by the pandemic: ransomware attacks delivered by fake coronavirus-themed email. The attacks have already disabled systems at some hospitals. They spread primarily via emails that entice users to click on infected links or attachments by claiming to contain coronavirus information from government agencies or other sources, according to Interpol, the international police organization.[1]

    Ransomware attacks can cause near-catastrophic disruption as well as significant financial losses for hospitals that are struggling to handle a flood of patients stricken by the COVID-19 pandemic. In March 2020, the Champaign-Urbana Public Health District in Illinois reportedly paid a $350,000 ransom after attackers disabled its website; another attack paralyzed a Czech hospital’s systems as it was caring for its first coronavirus patients.[2] Interpol warned police forces worldwide about ransomware threats to healthcare organizations after receiving reports of seven attempted ransomware attacks on medical facilities since March this year, Craig Jones, Interpol’s director of cybercrime, told The Wall Street Journal.[3]

    Ransomware Attacks Threaten All Industries

    The ransomware attacks on healthcare providers are part of a broader surge in cybercrime that opportunistically exploits users’ current appetite for information about the coronavirus pandemic. “There is an increase in opportunistic cyber-crime, and ransomware is a threat to the healthcare industry—but it also remains a threat to all vertical industries,” said Phillip Hay, Mimecast Threat Intelligence Analyst.

    Unfortunately, many healthcare organizations are vulnerable to malware attacks, including ransomware attacks. Nine out of ten healthcare organizations experienced an email-borne threat last year, and one in four said those attacks were very or extremely disruptive, according to a March 2020 report from Mimecast and HIMSS Media. Furthermore, hospitals and other healthcare providers listed ransomware/malware as one of the three attack vectors to which they felt most vulnerable in a survey by Mimecast and the College of Healthcare Information Management Executives (CHIME).

    The Mimecast State of Email Security report found that global ransomware attacks increased significantly over previous years, causing millions of dollars in financial damage due to the cost of recovering lost data, brand damage, operational costs, insurance, and other related costs. More than half of the surveyed organizations said they had experienced a ransomware attack that directly impacted business operations, and 86% of those impacted organizations suffered at least two days of downtime as a result.

    Emotet Opens the Door to More Ransomware

    Many recent ransomware attacks have been linked to the Emotet malware, which operates via a botnet of infected machines. Emotet is “dropper” malware; once it infects a system, it uses the system to deliver other malware, including ransomware. The Emotet botnet is available to attackers as malware-as-a-service, which magnifies the threat because it provides criminals with an easy way to conduct ransomware campaigns even if they lack technical expertise.

    After a period of inactivity, Emotet was deployed at unprecedented scale in the second half of 2019—causing cybersecurity problems worldwide, according to the Mimecast Threat Intelligence Report, RSA Conference Edition 2020. Mimecast Global Threat Intelligence detected Emotet across all sectors and regions during the fourth quarter. Due to the sophistication of the attacks and the variety of businesses targeted, it is highly likely these exploits were carried out by organized criminal groups for monetary gain. Those attacks included at least three campaigns against U.S. health-sector organizations; in one of those attacks, Mimecast detected more than 22,000 Emotet-infected files.

    Emotet detections subsided throughout February 2020 as attackers turned their attention to an even easier way to target a high volume of users: coronavirus-themed spam or phishing emails designed to steal users’ credentials, according to Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation, Mimecast. However, ransomware remains a key threat for all organizations.

    How Healthcare Organizations Can Resist Ransomware Attacks

    In addition to scanning email for malicious threats, organizations can take a number of steps to reduce the likelihood of damage from a ransomware attack, according to Mimecast’s Hay:

    • Increase user awareness. Since human error is a factor in most successful attacks, ensuring users are aware of current ransomware and phishing campaigns will help the organization resist compromise.
    • Use strong passwords and multifactor authentication (MFA). Emotet attempts to gain access to systems with a “brute force” approach using commonly used and weak passwords. Organizations can therefore harden their networks by employing strong user passwords and MFA, and ensuring that all administrative passwords have been changed from their default settings.
    • Stop using vulnerable software. Organizations should aim to stop using software that is outdated or vulnerable to malware for other reasons, such as Microsoft’s now-superseded Windows 2007 and Internet Explorer.
    • Patch promptly. Patching software at the earliest opportunity to eliminate vulnerabilities remains key to maintaining network security.
    • Examine third party risks. Organizations should be alert to potential threats delivered via business partners and other third parties—including transportation companies, which have been specifically targeted by attackers.
    • Consider blocking image files. Mimecast has detected that threat actors are increasingly using image file formats to conceal malware and evade detection.
    • Maintain frequent backups to preserve copies of data in case ransomware makes operational systems inaccessible.
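
    As an added illustration (not Mimecast's detection logic and not part of the original article), the sketch below triages a message for the traits described above: a coronavirus-themed lure, a sender display name that claims a health agency while the mail comes from another domain, and an image attachment. The keyword list, the agency-to-domain map and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for illustration: lure keywords and the domains agencies really send from.
LURE = re.compile(r"\b(coronavirus|covid[- ]?19|pandemic)\b", re.I)
AGENCY_DOMAINS = {"world health organization": "who.int", "cdc": "cdc.gov"}


def triage(raw: str) -> list[str]:
    """Return the reasons a raw RFC 5322 message deserves a closer look."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. Coronavirus-themed subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if LURE.search(text):
        reasons.append("coronavirus-themed lure")

    # 2. Display name claims an agency, but the address is on another domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for agency, real in AGENCY_DOMAINS.items():
        on_agency_domain = domain == real or domain.endswith("." + real)
        if agency in name.lower() and not on_agency_domain:
            reasons.append(f"display name claims '{agency}' but mail is from {domain}")

    # 3. Image attachments (candidates for blocking, per the list above).
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "image":
            reasons.append(f"image attachment: {part.get_filename()}")
    return reasons


def sample(sender: str, subject: str, body: str, image: bool = False) -> str:
    """Build a constructed test message; no real mail is used."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "nurse@hospital.example", subject
    m.set_content(body)
    if image:
        m.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                         subtype="png", filename="guidance.png")
    return m.as_string()


if __name__ == "__main__":
    lure = sample("World Health Organization <updates@who-advisory.example>",
                  "Coronavirus safety measures", "Open the attached guidance.", True)
    for reason in triage(lure):
        print("FLAG:", reason)
```

    These checks are heuristics for routing mail to quarantine or analyst review; they complement, rather than replace, attachment and URL scanning at the mail gateway.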

    The Bottom Line

    While struggling to contain the coronavirus pandemic, hospitals and other medical providers now also have to fight coronavirus-related ransomware threats initiated via phishing emails.

    Basic precautions to minimize ransomware threats include increasing user awareness, enforcing the use of strong passwords and multifactor authentication, and promptly eliminating known software vulnerabilities.


    [1] “Cybercriminals targeting critical healthcare institutions with ransomware,” Interpol

    [2] “Cybercriminals Sweep In to Take Advantage of Coronavirus,” The Wall Street Journal

    [3] “Interpol Says Hospitals Targeted With Array of Ransomware,” The Wall Street Journal

