Hackers armed with Ryuk ransomware refuse to back off from attacking hospitals, even as a number of other crews pledge to leave alone medical institutions struggling to treat people stricken with the coronavirus.
It’s a reminder for managed security service providers (MSSPs) not to let their guard down and not to count on the cyber decency of threat groups even in these perilous, pandemic times.
Hackers With A Heart?
Still, it’s not all bad. While there are some that see opportunity in the pandemic and aren’t hesitating to hit healthcare organizations at their most vulnerable, a call around by Bleeping Computer to a few crews found some vowing not to target healthcare organizations.
For example, the Ryuk cyber extortionists, which earlier this year disabled three hospitals in Alabama, have targeted at least 10 healthcare organizations in the last month, SentinelOne’s security researcher Vitali Kremez told BleepingComputer. Two of the targets are independent medical facilities while another is the hub of nine U.S. hospitals, Kremez reportedly said. "Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic," he said. With Covid-19 sweeping the world and overwhelming hospitals, a ransomware attack could easily make the difference between life and death.
On the other hand, while not a shining example of cyber civility, operators behind a number of ransomware groups BleepingComputer contacted said they would no longer target hospitals during the pandemic. Among those that BleepingComputer reached out to were CLOP, DoppelPaymer, Maze, Nefilim and Netwalker. Others contacted without a response included Sodinokibi/REvil, PwndLocker, and Ako.
More Hacker Insights
Here’s what a few had to say to BleepingComputer about attacking hospitals:
- CLOP. "We never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won’t. Commercial pharmaceutical organizations are not suitable for this list; they are the only ones who benefit from the current pandemic." Clop said they will provide a free decryptor if a healthcare organization is encrypted by accident.
- DoppelPaymer. "We always try to avoid hospitals, nursing homes, if it's some local gov - we always do not touch 911 (only occasionally is possible or due to misconfig in their network). Not only now... If we do it by mistake - we'll decrypt for free."
- Maze. "We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus."
- Nefilim. "We work very diligently in choosing our targets. We never target non-profits, hospitals, schools, government organizations. If we ever encrypted one of those organizations by accident we would provide decryption for free and would delete all data downloaded... we believe that hospitals are off limits in any situation."
- Netwalker. "Hospitals and medical facilities? do you think someone has a goal to attack hospitals? we don't have that goal - it never was. it coincidence. no one will purposefully hack into the hospital."
Clop, DoppelPaymer and Nefilim said they will provide free decryptors if necessary. Security providers Emsisoft and Coveware are offering free-of-charge ransomware decryption and negotiation services to healthcare providers during the coronavirus pandemic, the companies recently said. Services include technical analysis of the ransomware, development of a decryption tool whenever possible and, if necessary, transaction handling and recovery assistance.