Ransomware in the Covid-19 era

| Floris van den Broek | Security

Ransomware has been a well-known phenomenon for a while, but in recent weeks, increased activity has been observed due to the corona crisis. It is currently very busy at healthcare institutions and staff are working overtime under stress. Attackers try to take advantage of the situation. For example, we received input from a hospital, where (fortunately limited) ransomware attacks had encrypted several small systems, such as laptops. They also informed us that the number of phishing emails received over the past few weeks is about five times as high as normal. Log-in data (credentials) may also have come into the wrong hands due to the large number of phishing emails. This data may not have been used for ransomware attacks yet, but may later be used in conjunction with other information as part of a ransomware attack or even an ‘Advanced Persistent Threat’. There are some initiatives against ransomware (see also this ICT Institute article), but the means of combating it afterwards are still limited.

It is believed that these are hackers who currently see more opportunities and take advantage of increased capabilities through Covid-19. There are also reports that ‘state actors’ could be behind this. However, that seems more likely for the attacks on the general health sector or ministries, such as the attack on the United States Department of Health.

‘Maze’ ransomware now also used for ‘reputation ransom’

We have known the concept of ransomware for some time now and it is simple. Data loss is a disaster for many organizations. New forms of ransomware, which also find and encrypt the backups, are therefore quite effective. But IT organizations also learn and store more and more offline backups, or do this in the form of writing on a ‘write once’ medium. In a new form, including applied by the Maze ransomware that works according to the principle ‘Steal, Lock and Inform’, the ransomware first copies the information from the victim’s system completely and stores it with the hacker. Then the information on the victim’s system is encrypted and then it is informed that the system is encrypted. In other words, the organisation’s fear of data loss is exploited, as well as the fear of damage to reputation. Maze threatens to publish the information if payment is not made and, in the event of non-payment, regularly publishes names of the companies that have been attacked via sites or social media messages.

In recent weeks, the IT-Outsourcing company Cognizant confirmed that it was affected. “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” see also the statement on Cognizant’s website. Many parties in the healthcare sector admit that security in that sector has only recently received more attention. The original, open design of healthcare institutions was there also for good reasons. In the healthcare sector, sharing information can in many cases benefit the healing of the patient and there is often time pressure. Protecting information has only recently been given greater priority and correspondingly larger budgets, see also this Dutch article in Care Vision.

For more articles about information security, visit this page.

Image credit: Monkeybusiness

Author: Floris van den Broek
Dr. Floris van den Broek received his PhD in Computer Science at TU Delft and his Masters of business Administration at  University of California, Berkeley. He is a a co-founder and director of ICT Institute with a focus on sales and business development. Next to his work at ICT Institute, Floris is on the board of various ICT companies and has been active in private equity. He is also a certified ISO 27001 lead auditor.