
Threat Intelligence

3/24/2020 11:45 AM

Cybercriminals' Promises to Pause During Pandemic Amount to Little

As pandemic worsens, online profiteering -- from fraudsters to ransomware operators to cybercriminal hacking -- continues unabated, despite some promises from the underground.

Pandemics make for strange bedfellows.

In mid-March, ransomware gangs claimed to be pausing operations against healthcare organizations for the duration of the coronavirus pandemic, following pleas from some security firms and questions from journalists. The group behind the Maze ransomware operation, for example, pledged that "we [will] stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus."

But the sincerity of such promises is suspect. The Maze Team reportedly was, at the same time it was pledging to stop activity, in the process of extorting money from a UK medical research facility, Hammersmith Medicines Research. The University Hospital of Brno in the Czech Republic reportedly suffered an outage on March 20 due to a cyberattack, possibly ransomware. Other groups have rapidly increased phishing attacks that leverage the subject of the coronavirus, and the COVID-19 disease it causes, as a lure. And outright fraud has increased as well, such as e-mail campaigns collecting "donations" for coronavirus-fighting charities, according to security services firm CrowdStrike.

The chaos and fear created by the coronavirus pandemic is just too enticing for cybercriminals to resist, says Adam Meyers, vice president of intelligence at CrowdStrike. "When you have something this widely recognized, and you have people, frankly, freaking out about it, then it becomes an effective way to exploit those fears," he says. "The threat is definitely there, and it's something we are paying close attention to."

As countries struggle to respond to the coronavirus pandemic, some cybercriminals and security firms have advised against exploiting the chaos.

Security firm Emisoft addressed ransomware groups directly in a March 18 statement urging them to — at the very least — leave healthcare organizations alone: "Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can."

Chatter in underground forums appears to show that some operators may have similar sympathies. When one would-be fraudster asked how they could take advantage of the COVID-19 chaos, other forum participants criticized them, in an exchange seen by threat intelligence firm Digital Shadows.

"As we've seen time and time again, cybercriminals will find ways to take advantage of people's fears and uncertainties in the wake of major disasters and emergencies," Alex Guirakhoo, a threat research analyst with Digital Shadows, wrote in a blog post. "However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation."

Still, such sentiments seem to be a rarity. Moreover, pledging to forgo attacks against healthcare institutions may be a ploy to gain some goodwill and convince other companies that the cybercriminal group is trustworthy.

"For most attackers, a time of crisis is in reality a time to expand their businesses," Tim Mackey, principal security strategist for software-security firm Synopsys, said in a statement. "They know that with businesses operating with either remote workers or with limited IT staffing levels that defenses will be weakened. Since the attackers define their rules of attack, it's worth noting that even a pledge to not target healthcare providers by ransomware teams may in actuality be part of their strategy."

And for nation-state actors, stealing information about another nation's reaction to the crisis could be good politics, says Patrick Coughlin, CEO for threat intelligence platform provider TruSTAR Technology.

"It's hard to know whether the major nation-states or known major threat actors have ordered a detente or a truce — it's hard to know," he says. "But it doesn't really matter because the noise from the scammers continues to grow, and they can use all the noise as cover."

In addition to the increased activity from cybercriminal groups, the fact that most companies now have to deal with many more remote workers aids attackers. The pandemic and the move to remote working have caused massive changes in the patterns of life for workers, which may cause many organizations to struggle to redefine a new baseline "normal" pattern of behavior, Coughlin says.

"The baseline signal that a security organization would have of what is normal activity has been thrown out the window," he says. "That loss of the normal pattern of life is providing cover for the bad guys. They have a whole different layer of noise that they can hide in."

Many cybersecurity firms have offered to help healthcare organizations and critical groups with responding to ransomware incidents and other cyberattacks.
