
Threat Intelligence

3/24/2020
11:45 AM

Cybercriminals' Promises to Pause During Pandemic Amount to Little

As pandemic worsens, online profiteering -- from fraudsters to ransomware operators to cybercriminal hacking -- continues unabated, despite some promises from the underground.

Pandemics make for strange bedfellows.

In mid-March, ransomware gangs claimed to be pausing operations against healthcare organizations for the duration of the coronavirus pandemic, following pleas from some security firms and questions from journalists. The group behind the Maze ransomware operation, for example, pledged that "we [will] stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus."

But the sincerity of such promises is suspect. Even as it was pledging to halt activity, the Maze Team reportedly was in the process of extorting money from a UK medical research facility, Hammersmith Medicines Research. The University Hospital of Brno in the Czech Republic reportedly suffered an outage on March 20 due to a cyberattack, possibly ransomware. Other groups have rapidly increased phishing attacks that use the coronavirus, and the COVID-19 disease it causes, as a lure. And outright fraud has increased as well, such as e-mail campaigns collecting "donations" for coronavirus-fighting charities, according to security services firm CrowdStrike.

The chaos and fear created by the coronavirus pandemic are just too enticing for cybercriminals to resist, says Adam Meyers, vice president of intelligence at CrowdStrike. "When you have something this widely recognized, and you have people, frankly, freaking out about it, then it becomes an effective way to exploit those fears," he says. "The threat is definitely there, and it's something we are paying close attention to."

As countries struggle to respond to the coronavirus pandemic, some cybercriminals and security firms have advised against exploiting the chaos.

Security firm Emsisoft addressed ransomware groups directly in a March 18 statement urging them to — at the very least — leave healthcare organizations alone: "Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can."

Chatter in underground forums appears to show that some operators may have similar sympathies. When one would-be fraudster asked how they could take advantage of the COVID-19 chaos, other forum participants criticized them, in an exchange seen by threat intelligence firm Digital Shadows.

"As we've seen time and time again, cybercriminals will find ways to take advantage of people's fears and uncertainties in the wake of major disasters and emergencies," Alex Guirakhoo, a threat research analyst with Digital Shadows, wrote in a blog post. "However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation."

Still, such sentiments seem to be a rarity. Moreover, pledging to forgo attacks against healthcare institutions may be a ploy to gain some goodwill and convince other companies that the cybercriminal group is trustworthy.

"For most attackers, a time of crisis is in reality a time to expand their businesses," Tim Mackey, principal security strategist for software-security firm Synopsys, said in a statement. "They know that with businesses operating with either remote workers or with limited IT staffing levels that defenses will be weakened. Since the attackers define their rules of attack, it's worth noting that even a pledge to not target healthcare providers by ransomware teams may in actuality be part of their strategy."

And for nation-state actors, stealing information about another nation's reaction to the crisis could be good politics, says Patrick Coughlin, CEO for threat intelligence platform provider TruSTAR Technology.

"It's hard to know whether the major nation-states or known major threat actors have ordered a detente or a truce — it's hard to know," he says. "But it doesn't really matter because the noise from the scammers continues to grow, and they can use all the noise as cover."

In addition to the increased activity from cybercriminal groups, the fact that most companies now have to deal with many more remote workers aids attackers. The pandemic and the move to remote working have caused massive changes in workers' patterns of life, which may leave many organizations struggling to redefine a new baseline "normal" pattern of behavior, Coughlin says.

"The baseline signal that a security organization would have of what is normal activity has been thrown out the window," he says. "That loss of the normal pattern of life is providing cover for the bad guys. They have a whole different layer of noise that they can hide in."
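The baseline problem Coughlin describes, as an added example that is not part of the article: a per-user login baseline learned on pre-pandemic office activity and then applied unchanged to remote-work activity, beside one rebuilt from a trailing window. The login records, user names and network labels are constructed placeholders, and the 03:00 login from an unseen network is the one event a defender would actually want to see.

```python
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2020, 3, 2)
USERS = ("alice", "bob", "carol")

def make_events():
    """Constructed logins (timestamp, user, source network): days 0-6 are office
    hours on the corporate LAN, days 7-13 the shift to remote work. One genuinely
    suspicious record is injected on day 11: a 03:00 login from an unseen network."""
    events = []
    for day in range(14):
        remote = day >= 7
        for user in USERS:
            for h in (7, 12, 17, 21) if remote else (9, 12, 16):
                src = f"home-{user}" if remote else "corp-lan"
                events.append((START + timedelta(days=day, hours=h), user, src))
    events.append((START + timedelta(days=11, hours=3), "bob", "unknown-vpn"))
    return sorted(events)

def build_baseline(events):
    """Per-user profile of login hours and source networks seen in a window."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for ts, user, src in events:
        base[user]["hours"].add(ts.hour)
        base[user]["srcs"].add(src)
    return base

def is_anomalous(event, baseline):
    ts, user, src = event
    prof = baseline.get(user)
    return prof is None or ts.hour not in prof["hours"] or src not in prof["srcs"]

def static_alerts(events, train_days=7):
    """Baseline learned once from the first train_days and never refreshed."""
    cutoff = START + timedelta(days=train_days)
    baseline = build_baseline([e for e in events if e[0] < cutoff])
    return [e for e in events if e[0] >= cutoff and is_anomalous(e, baseline)]

def rolling_alerts(events, window_days=3, train_days=7):
    """Baseline rebuilt from the trailing window_days before each scored event."""
    cutoff = START + timedelta(days=train_days)
    alerts = []
    for i, e in enumerate(events):
        if e[0] < cutoff:
            continue
        window = [x for x in events[:i] if x[0] >= e[0] - timedelta(days=window_days)]
        if is_anomalous(e, build_baseline(window)):
            alerts.append(e)
    return alerts
```

With the static baseline every remote-work login is flagged, so the injected event is one alert among 85; the rolling baseline fires only on the first day of the new pattern and on the injected event.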

Many cybersecurity firms have offered to help healthcare organizations and critical groups with responding to ransomware incidents and other cyberattacks.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...