Pandemics make for strange bedfellows.
In mid-March, ransomware gangs claimed to be pausing operations against healthcare organizations for the duration of the coronavirus pandemic, following pleas from some security firms and questions from journalists. The group behind the Maze ransomware operation, for example, pledged that "we [will] stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus."
But the sincerity of such promises is suspect. The Maze Team reportedly was, at the same time they were pledging to stop activity, in the process of extorting money from a UK medical research facility, Hammersmith Medicines Research. The University Hospital of Brno in the Czech Republic reportedly suffered an outage on March 20 due to a cyberattack, possibly ransomware. Other groups have rapidly increased phishing attacks that leverage the subject of the coronavirus, and the COVID-19 disease it causes, as a lure. And outright fraud has increased as well, such as e-mail campaigns collecting "donations" for coronavirus-fighting charities, according security services firm CrowdStrike.
The chaos and fear created by the coronavirus pandemic is just too enticing for cybercriminals to resist, says Adam Meyers, vice president of intelligence at CrowdStrike. "When you have something this widely recognized, and you have people, frankly, freaking out about it, then it becomes an effective way to exploit those fears," he says. "The threat is definitely there, and it's something we are paying close attention to."
As countries struggle to respond to the coronavirus pandemic, some cybercriminals and security firms have advised against exploiting the chaos.
Security firm Emisoft addressed ransomware groups directly in a March 18 statement urging them to — at the very least — leave healthcare organizations alone: "Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can."
Chatter in underground forums appear to show that some operators may have similar sympathies. When one would-be fraudster asked how they could take advantage of the COVID-19 chaos, other forum participants criticized them, in an exchange seen by threat intelligence firm Digital Shadows.
"As we've seen time and time again, cybercriminals will find ways to take advantage of people's fears and uncertainties in the wake of major disasters and emergencies," Alex Guirakhoo, a threat research analyst with Digital Shadows, wrote in a blog post. "However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation."
Still, such sentiments seem to be a rarity. Moreover, pledging to forgo attacks against healthcare institutions may be a ploy to gain some goodwill and convince other companies that the cybercriminal group is trustworthy.
"For most attackers, a time of crisis is in reality a time to expand their businesses," Tim Mackey, principal security strategist for software-security firm Synopsys, said in a statement. "They know that with businesses operating with either remote workers or with limited IT staffing levels that defenses will be weakened. Since the attackers define their rules of attack, it's worth noting that even a pledge to not target healthcare providers by ransomware teams may in actuality be part of their strategy."
And for nation-state actors, stealing information about another nation's reaction to the crisis could be good politics, says Patrick Coughlin, CEO for threat intelligence platform provider TruSTAR Technology.
"It's hard to know whether the major nation-states or known major threat actors have ordered a detente or a truce — it's hard to know," he says. "But it doesn't really matter because the noise from the scammers continues to grow, and they can use all the noise as cover."
In addition to the increased activity from cybercriminals groups, the fact that most companies now have to deal with many more remote workers aids attackers. The pandemic and the move to remote working has caused massive changes in the patterns of life for workers, which may cause many organizations to struggle to redefine a new baseline "normal" pattern of behavior, Coughlin says.
"The baseline signal that a security organization would have of what is normal activity has been thrown out the window," he says. "That loss of the normal pattern of life is providing cover for the bad guys. They have a whole different layer of noise that they can hide in."
Many cybersecurity firms have offered to help healthcare organizations and critical groups with responding to ransomware incidents and other cyberattacks.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Three Ways Your BEC Defense Is Failing & How to Do Better."