
How Covid-19 created an environment ripe for ransomware


During the course of the Covid-19 pandemic, cybercriminals all over the world took advantage of the chaos caused by lockdown and economic disruption. The events of 2020 created a situation ripe for cyberattackers targeting individuals, companies and governments, the latter two in particular given the potential for bigger criminal rewards. However, there was one type of attack that stood out among the rest – ransomware. But how did it happen, who is most at risk and what should organizations do to protect themselves?

Rise of ransomware

According to Skybox Security’s 2020 Vulnerability and Threat Trends Mid-Year Update report, the creation of new ransomware and malware samples soared during the pandemic. There were 11 more ransomware samples created in the first six months of 2020 than over the same period in 2019.

Other data from Skybox Security’s Research Lab showed that between 28 February and 31 May 2020, malicious attack attempts surged, with 69 reported campaigns related to the pandemic. Over 63 percent of these reports were in April, just after governments ordered lockdowns in dozens of countries worldwide.

As people sought information on what was happening to ease their sense of uncertainty, Google searches related to coronavirus rose – one particular peak occurred on 15 March 2020, according to Google Trends public data. This created an environment ripe for ransomware attacks. Often, cybercriminals camouflaged ransomware under the guise of new information about coronavirus, trying to lure victims into clicking on malicious links. In Italy, one of the countries worst affected by Covid-19 infections, attackers created a web page mimicking the Italian Federation of Pharmacists website. It was set up to trick users into downloading ransomware disguised as a dashboard displaying data on Covid-19. Other ransomware targeted users of popular applications such as Microsoft Office and Android OS.

Cybercriminals hurt healthcare

Ransomware attacks during the pandemic hit aid organizations, medical billing companies, manufacturers, government institutions, transport agencies, educational software providers and more. Notably, the most critical sector during the pandemic – healthcare – was the one most targeted for attack. Cyber adversaries have targeted hospitals in particular for years, as gaining access to confidential patient information such as medical history and surgery appointments can lead to delays or prevention of critical treatment. As such, hospitals are highly prone to paying a ransom. The Covid-19 pandemic stretched healthcare systems to their limits, eliminating any ‘breathing room’ they may have had if targeted in pre-pandemic times. That meant they became even bigger prey in the eyes of cybercriminals.

In March 2020, Brno University Hospital in the Czech Republic was the victim of a suspected ransomware attack which resulted in it shutting down its entire IT network and cancelling surgeries. The U.S. Secretary of State Mike Pompeo noted his concern and stated that anyone engaged in such criminal activity should “expect consequences.” Some operators of ransomware stated they would no longer target health and medical organizations during the pandemic, but others are continuing to cash in on the crisis.

The best defense is a good offense

Detecting and mitigating ransomware should be based on a holistic approach. This requires that organizations obtain full visibility of, and the ability to analyze, their network, cloud and security configurations together, so that they proactively gain full context and understanding of their attack surface, can see around corners, and can make informed decisions to solve security issues like ransomware better and faster. Indeed, the Microsoft Threat Protection Intelligence team pointed out that using indicators of compromise (IOCs) by themselves to understand the impact of an attack is not enough. This is because it is common practice for ransomware threat actors to change their tools and systems after determining victims’ detection capabilities.
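As an added illustration of that point (example code written for this edit, not code from the article or from Skybox Security), the Python below runs a hash-based IOC check and a behaviour-based check over the same constructed file-event log: the rebuilt binary with a new hash slips past the IOC list but is still flagged by its burst of file renames. All hashes, host names and paths are invented placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC list: a placeholder hash for one known ransomware build.
KNOWN_BAD_HASHES = {"hash-ransom-v1"}

# Constructed endpoint file-event log: (time, host, process_hash, action, old_path, new_path).
EVENTS = [
    # host-a runs the same ransomware rebuilt with a new hash, so the IoC list misses it
    ("2020-04-01T09:00:01", "host-a", "hash-ransom-v2", "rename", "C:/docs/q1.xlsx", "C:/docs/q1.xlsx.crypt"),
    ("2020-04-01T09:00:02", "host-a", "hash-ransom-v2", "rename", "C:/docs/q2.xlsx", "C:/docs/q2.xlsx.crypt"),
    ("2020-04-01T09:00:03", "host-a", "hash-ransom-v2", "rename", "C:/docs/plan.docx", "C:/docs/plan.docx.crypt"),
    ("2020-04-01T09:00:04", "host-a", "hash-ransom-v2", "rename", "C:/docs/notes.txt", "C:/docs/notes.txt.crypt"),
    # host-b is a user tidying files over ten minutes: benign
    ("2020-04-01T09:00:00", "host-b", "hash-explorer", "rename", "C:/docs/draft.docx", "C:/docs/final.docx"),
    ("2020-04-01T09:05:00", "host-b", "hash-explorer", "rename", "C:/docs/old.txt", "C:/docs/old.txt.bak"),
    ("2020-04-01T09:10:00", "host-b", "hash-explorer", "rename", "C:/docs/a.png", "C:/docs/b.png"),
    # host-c runs the original build, which the IoC hash does catch
    ("2020-04-01T09:20:00", "host-c", "hash-ransom-v1", "write", "C:/pub/README.txt", "C:/pub/README.txt"),
]

def ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Hosts on which a process with a known-bad hash was observed."""
    return {host for _, host, proc, *_ in events if proc in bad_hashes}

def burst_hosts(events, window=timedelta(seconds=30), threshold=4):
    """Hosts where one process appended a new suffix to >= threshold files inside `window`."""
    per_proc = defaultdict(list)
    for ts, host, proc, action, old, new in events:
        # a rename that keeps the original name and adds a suffix is the behaviour of interest
        if action == "rename" and new.startswith(old + "."):
            per_proc[(host, proc)].append(datetime.fromisoformat(ts))
    flagged = set()
    for (host, _), times in per_proc.items():
        times.sort()
        for i, start in enumerate(times):
            # sliding window: count renames within `window` of this one
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(host)
                break
    return flagged

def triage(events):
    """Per-host findings: IoC match, behavioural burst, or both."""
    findings = defaultdict(set)
    for host in ioc_hits(events):
        findings[host].add("ioc")
    for host in burst_hosts(events):
        findings[host].add("behaviour")
    return dict(findings)
```

Neither check alone covers both infected hosts; only the combined triage does, which is the practical meaning of not relying on IOCs by themselves.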

In addition, enterprises should assume that all the credentials present on the endpoints are available to hackers, whether or not the accounts associated with them were logged on when the attack began, i.e. assume they are all affected, as it is best to act quickly to prevent further breach.

Guidelines from the FBI on ransomware prevention and response for CISOs recommend isolating affected devices immediately. This could be achieved by removing the systems from the network or shutting them down to prevent the spread of the ransomware further into the network. It is also advised to isolate or power down computers that have not been fully corrupted to gain more time to clean and recover data. Backup data and devices should also be taken offline as soon as possible. Organizations should also secure any hijacked data that is still available, change all online account and network passwords, and once the ransomware has been completely removed from the system, change system passwords too.

Don’t pay the ransom

It is highly inadvisable to pay any ransom demanded by attackers under any circumstances. The FBI explains that doing so could lead to dire consequences not considered when under pressure of attack, such as being a target for future ransomware attacks by the same or other cyber actors and being asked to forfeit more after paying the ransom. Paying the attacker also does not guarantee the victim will regain access to their data or compromised devices, as proven by the case of WannaCry, one of the most widespread ransomware attacks to date. Furthermore, making payments to malicious actors supports criminal activity and perpetuates the existence of a business model that not only causes financial loss but also risks lives.

Prevention is key

There is a lot organizations can do to protect their data – and that of their customers – from the threat of ransomware. Employee education to ensure everyone is a cautious and conscientious computer user is vital. This is especially important – as US-CERT points out – during the Covid-19 crisis, when fear-inducing events like outbreaks of disease are used as social engineering lures. For example, individuals should go directly to the websites of health services instead of following fake links. As cyber adversaries become more sophisticated in their approaches, it has been reported that even legitimate sources of information, such as Johns Hopkins University’s live coronavirus map, have been used to spread malware, so exercising maximum caution is highly advised.

At the foundational level, security teams should keep operating systems, software and applications up to date and ensure anti-virus and anti-malware tools are set up to update automatically and run scans regularly. However, this is by no means enough. As organizations grow to incorporate a complex mix of security, network and cloud infrastructures amid a rise in threats, they need scalable cybersecurity solutions. Teams need contextual data and an understanding of their attack surface to prevent the business from being exposed to this growing number of cybersecurity threats. This data can also inform network modeling that simulates attacks to show where network topology and security controls are leaving vulnerable assets exposed to threats. At a time when resources are tight and vulnerabilities are only increasing, intelligent prioritization and automation of tasks, as well as patch prioritization, is especially beneficial. Backing up data and storing it physically offline can also mitigate the impact of a ransomware attack. Creating a business continuity plan for the case where the business is affected by ransomware can also help mitigate it.

Ransomware is not going away any time soon, and neither is Covid-19. Organizations need to take steps for prevention and mitigation as a matter of priority. If they don’t, their devices and data could be compromised and at risk of loss without warning.

Ron Davidson, Chief Technology Officer, Skybox Security

Ron Davidson is Chief Technology Officer at Skybox Security.