Skip to content
Right-Side-Virsec-Large Group-Dots-Light Sections
Mar 24, 2020 11:10:20 PM

Ransomware Groups Say They Won’t Attack Hospitals

Even as threat actors announce temporary cease-fire on healthcare & medical facilities, we’re still hearing of attacks. 

On Wednesday March 18, the Maze ransomware gang made the commitment below during the rising COVID-19 pandemic:

"We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus."

It comes when hospitals, urgent care facilities and other health agencies are strained and stressed to maximum levels.

Medical facilities have been an increasing target in recent years, causing security vendors to fear that coronavirus-related threats could bring ransomware attacks. That could drive an overtaxed system to its knees.

Before pledging this measure of restraint, Maze has been making a name for themselves wreaking incredible havoc on many organizations, including healthcare. If ransoms weren’t received, they upped the threats by threatening to embarrass their victims by releasing and making public sensitive data they had stolen. But now, they are saying they will refrain from this activity, promising to “stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” according to an announcement on its website.

Hard to say whether this is the latest variation of honor among thieves or a form of self-preservation or something else. While not law abiding members of the human race, these attackers are still every bit as susceptible to a human-borne virus as anyone else. Should they or their families become ill, they would need help from the very same healthcare professionals that everyone would. The very last thing that healthcare system needs now is a ransomware threat to complicate their already very over-burdened situation.

Can We Trust the Promises of Extortionists?

The very day the Maze team promised a ceasefire, news emerged that they had previously struck a medical organization. In Texas, a walk-in urgent care center – Affordacare Urgent Care Clinic - was hit with Maze ransomware. Their website doesn’t indicate whether they’ve tested or treated COVID-19 patients. The Maze operators used their usual MO, threatening to publicize data they’d stolen, in this case patient data, unless the ransom demand was paid. Per, the infection happened on February 1, after the hackers stole 40GB+ of data from the urgent care system, including protected health information.

While AffordaCare hasn’t confirmed the theft, neither did they pay the ransom. And Maze, following its usual methods, publicized data both of patients and of staff. Samples of personal patient information leaked by the Maze Team included patient’s names, addresses and phone numbers, Social Security numbers, DOB, diagnosis and treatment codes, medical history, billing and insurance information. Staff information included payroll data and other information.

More Threat Actors Also Promise Restraint

Additional groups of bad actors have also made promises to stop their nefarious deeds against medical facilities. This is according to BleepingComputer’s Laurence Abrams, who contacted several malware operators – those behind Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections. Abrams inquired whether they would cease targeting health organizations during the Coronavirus (COVID-19) pandemic.

Similar to the Maze ransomware group’s response and actually the first to respond, DoppelPaymer’s reply stated that their normal practice is to avoid striking medical facilities. They said, "We always try to avoid hospitals, nursing homes…we always do not touch 911 (only occasionally is possible or due to missconfig in their network). If we do it by mistake – we'll decrypt for free."

Other malware operators have given some kind of pledge to avoid healthcare organizations during the virus outbreak. How much we can depend on any of these promises remains to be seen. The group behind Netwalker ransomware has said they never intentionally target hospitals but if one is hit by accident, unlike DoppelPaymer, they will still require payment to decrypt files.

Organizations Emsisoft and Coveware are offering free assistance to health organizations for decryption and negotiation services.

Attacks on Anyone Else Remain on the Table

While we hope some measure of restraint prevails against overloaded medical facilities, other organizations should not expect a reprieve on attacks. Though perhaps the Maze gang will offer "exclusive discounts" on ransoms to both current and future ransomware victims, per their press release last week.

Maze press release not to attack hospitals

Maze press release:

“Due to situation with incoming global economy crisis and virus pandemic, our Team decided to help commercial organizations as much as possible. We are starting exclusive discounts season for everyone who have faced our product. Discounts are offered for both decrypting files and deleting of the leaked data. To get the discounts our partners should contact us using the chat or our news resource.

In case of agreement all the info will be deleted and decryptors will be provided.

The offer applies to both new partners and the archived ones. We are always open for cooperation and communication.

We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.”

Still More Attacks on Medical Facilities Reported

Despite the above commitments, announcements of attacks continue to emerge.

The AffordaCare breach described above was on February 1, before Maze’s recent promise to “do no harm” to medical facilities. The governments of City of Durham and Durham County recently learned they had been hit by a ransomware attack on Sunday March 8. The State Bureau of Investigation employees received an email notifying them the Ryuk ransomware attack was the work of a Russian hacker group. Ryuk ransomware typically launches through a phishing email. The IT department acted quickly in response to the malware and appears to have mitigated its impact.

A third attack was against another medical site, the Hammersmith Medicines Research facility in the UK. The facility was preparing to be a test center for COVID-10 vaccine trials had data stolen and posted online in a cyber attack. Once again, it’s the Maze group behind this one, doing their usual stealing and publishing of stolen data as a way to coerce payment. They’ve published samples of the information on the dark web, labeling Hammersmith Medicines Research as a “new client” – Maze’s favored way of referring to new victims.

Hammersmith Medicines Research’s clinical director relayed that the cyberattack was noticed, halted and systems restored with no ransom paid. Fortunate news, despite some patient records from years past now published online. Likely not everything has been published in hopes ransom money can be extracted.

The attack happened on March 14, a few days before the Maze group’s pledge to avoid health orgs. But the timing of this attack well into the timeframe of the Coronavirus spreading and gripping the world. More are likely to come. The FBI is warning of spikes in COVID-19 scams, preying on fears. The drive to extract money from its victims is the overriding force behind their actions. But it appears neither Hammersmith Medicines Research nor AffordaCare caved to the ransomware demands and hopefully others can withstand such attacks as well.

A little help is always welcome as well. Brett Callow with Emsisoft also warns ransomware remains a high threat, perhaps even a greater threat than usual. And again, Emsisoft has offered free help to hospitals and healthcare providers should they find themselves victims of a ransomware attack.

Sharing Tools and Methods Among Thieves

Like burglars who might loan or sell each other tools for breaking and entering into buildings, hackers share or sell malicious code. RaaS (ransomware as a service) is an available service model where malware is developed and after, cybercriminals, referred to as affiliates, purchase it. These affiliates can carry out attacks, network invasions and data theft. They too commonly use phishing emails and may have a specific organization in mind as a target, or they can go after whichever networks seem most vulnerable at any given time. This makes promises from Maze, DoppelPaymer and additional gangs even less reliable because they may not have control over who uses their malware or against whom it may be targeted.

Still more disquieting information in these days where that seems to be the new norm.

Virsec has a vaccine against the ransomware epidemic

Virsec takes a unique approach to guard-railing applications. It’s ability to protect applications and memory during runtime counters a broad spectrum of cyber attacks, including ransomware attacks.

Virsec Security Platform Delivers:

  • Protection of application workflows, processes, file systems, libraries, memory and more at runtime
  • Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
  • Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes no matter how attacks originate.

Don’t leave your organization’s future to chance. Learn more about Virsec now.

Further resources:

Solution Brief: Protection Against the Ransomware Epidemic

White Paper: Making Applications Truly Self-Defending

Maze Ransomware Attacks Surge in 2020, Demand Ransom, Expose Data

The Year of Rising Ransomware, Ryuk Wields its Own Unique Nastiness

MegaCortex Ransomware Worsens — Hackers Change Users’ Passwords & Make Blackmail Demands

MegaCortex Malware Strikes Business Networks, Does Damage Both as Ransomware and Disk Wiper



Right-Side-Virsec-Large Group-Dots-Light Sections