It’s important to recognize how essential grocery stores, hospitals, clinics and supply chain organizations are in light of COVID-19, and it’s equally important to recognize technology as their critical infrastructure. Without it, countless organizations would be left inept, disorganized and overwhelmed. Technology allows grocery stores to conduct transactions, hospitals to record their research and manufacturers to create critical items that sustain society at large. No one recognizes this value more than cybercriminals, who have actually increased their attacks and focused their targets on essential businesses across the board since the start of COVID-19.
One of the most disruptive and devastating cyberattacks is ransomware: an attack that denies access to a user’s data until a ransom is paid. These attacks are often deployed via phishing emails that contain malicious links, illegitimate websites and ultimately deploy malware as a means to extortion. These attacks can be disastrous, particularly for industries that often work with valuable data, sensitive information, and in light of COVID-19, are considered to be essential.
Ransomware organizations operate like a business complete with automated processes, customer service and even official statements. One such statement from a known ransomware group, Maze, assures that they will “stop all activity versus all kinds of medical organizations until the stabilization of the situation” with COVID-19. These statements, as well as any communication from these groups, should be met with skepticism due to the nature of ransomware itself.
How It Starts
Ransomware often begins with a socially engineered message — usually a malicious email with a manipulative story that convinces a victim to click a link, download a file or share information. These messages have always clung to major headlines to garner attention in an inbox, but in the COVID-19 era, less effort is required in crafting these messages since they all relate to the pandemic at hand. “To receive your COVID-19 relief, please verify your bank information here.” “You’ve been logged out unexpectedly since you’re working from home. Please re-enter your password here.” Whether it’s for money or disruption, ransomware at its core is meant to cripple an individual or organization of its resources, even in a pandemic.
Some unique, COVID-19-specific attacks have been reported. As the pandemic was first taking hold in the US, an accurate, interactive map of COVID-19 cases was perfectly cloned and distributed to deploy malware. This map was exploited via a Java Code, which was available to threat actors to purchase for distribution for roughly US$200. For concerned citizens hoping to stay informed of the virus’ spread on earth, those using this exploited map were at risk of losing their password credentials for a potential ransomware attempt.
In addition to the online map, a mobile application was also developed as a direct ransomware attack. As yet another onslaught against concerned citizens, an Android app claimed to provide users with an interactive map showing the spread of COVID-19. However, once downloaded, the app would harvest password credentials and completely deny access to the user until US$100 was paid via Bitcoin.
The Impact During COVID-19
Going without, or rather, being robbed of your devices during a pandemic could have extreme consequences, which ransomware organizations continue to capitalize on. The risk for individual attacks remains high, but there are special considerations for essential businesses as well. Hospitals and other healthcare organizations fighting the virus need to stay vigilant against threat actors. Despite the “assurance” from Maze ransomware, they still threaten and still benefit from exploiting COVID-19. Whether their news release was meant to offer a false sense of security or not, they are believed to have leaked sensitive data from healthcare facilities in Texas and a COVID-19 research firm in the UK.
Healthcare organizations clearly have plenty on their plate at the moment. They provide crucial information about this public health crisis, they are actively researching the behavior of this virus, and they are treating infected populations with limited resources. On top of this, and in response to these hyper-focused cyberattacks, health organizations have taken on the responsibility of educating the public on avoiding phishing attacks.
Any disruption caused by ransomware is inherently crippling, destructive, and unfair, to say the least. In times of crisis, ransomware not only affects the financial situation of an organization or individual, but potentially the medical treatment they rely on, the education they’re trying to get from home, or the critical item they need from the supply chain. The best defenses against COVID-19-themed attacks are outlined in a recent Public Service Announcement from the US Federal Bureau of Investigation as it continues to monitor the outcomes and trends of these attacks.
For individuals, it is advised to stay suspicious and skeptical of any emails, text messages, or even phone calls that promise critical information in exchange for some of yours. When researching the topic of COVID-19, be aware of the websites and URLs you are using, being sure to manually type them in your browser if necessary. Do not use the same passwords across multiple accounts as threat actors will attempt to access every vulnerability they can.
For larger organizations, particularly those who have recently shifted to a work-from-home model, be sure to educate your employees on common phishing schemes and how to avoid them. Try to ensure that an employee’s personal computer is never accessing internal networks, as personal computers may have undetected malware that now can harvest an organization’s data. Threat actors deploy their attacks primarily for financial gain, and they will attack the easiest, most valuable targets. As organizations shift to working from home, personal computers are the most convenient gateway into an internal network, giving a threat actor a larger target and a more lucrative data mine to extort.
While ransomware attempts have exploited COVID-19, and the consequences of these attacks have never been more dire, there’s comfort in knowing the infiltration methods remain unchanged as of now. A vast majority of attempts begin with socially engineered messages; staying vigilant on this front is a great defense against any potential attacks. COVID-19 poses many new challenges, but cybersecurity best practices are still effective against the viruses, malware, and ransomware that’s been seen before.
Editor’s note: For more resources from ISACA related to the COVID-19 pandemic, visit our Navigating COVID-19 page.