The novel coronavirus pandemic has stretched the world's health care systems to their limits, creating a global crisis. New research from Microsoft shows that ransomware attackers are actively making that crisis worse, forcing health care and critical infrastructure organizations to pay up when they can least afford downtime. In many cases, hackers are reaping the rewards of groundwork they laid months ago, before Covid-19 fully hit.
Hackers have known for years that hospitals and other health care providers make perfect targets for ransomware attacks, since there's life-or-death urgency in getting back up and running quickly. During the pandemic, though, the risk has become even more dire. After a hospital in the Czech Republic was hit by a debilitating ransomware attack in March, the country's cybersecurity oversight agency warned two weeks ago that it was bracing for widespread cyberattacks against critical services in the country. Two Czech hospitals reported attempted attacks a day later, and the US State Department threatened consequences if the antagonism continued.
The Czech incidents reflect just one corner of a worrying global trend of opportunistic ransomware activations.
"The attackers are definitely being what I’ll call rational economic actors, which unfortunately also means vicious," says Rob Lefferts, corporate vice president of Microsoft 365 security. "We see behavior where they will break into organizations and actually lie dormant, both because they’re doing reconnaissance but also because they are apparently estimating what is the moment in time when that organization will be most vulnerable and most likely to pay."
An initial attack might give hackers access to a victim's network. But they'll then wait weeks or months for a particularly opportune moment to actually infect the system with ransomware. Microsoft has been tracking such behavior from groups using a number of prominent strains of ransomware, like Robbinhood, Maze, and REvil. While some ransomware groups had pledged not to attack hospitals during the coronavirus crisis, in practice hackers are increasingly attempting to cash in.
The Microsoft researchers often observed attackers getting their initial network access by exploiting unpatched vulnerabilities in victims' web infrastructure. They saw some hackers taking advantage of a widely publicized flaw in the Pulse Secure VPN and others exploiting flaws in remote management features like remote desktop systems. Attackers also targeted vulnerabilities and insecure configurations of Microsoft's own products. Attackers could guess passwords of organizations using Remote Desktop Protocol without multifactor authentication or exploit known bugs in Microsoft SharePoint and Microsoft Exchange servers that victims had neglected to patch.
Attackers even took advantage of tools used in security to proactively find and plug network holes, including the attack emulation platform Cobalt Strike and malicious techniques in Microsoft's remote management framework PowerShell. This activity often looks legitimate and can sneak past scanners, allowing attackers to lie in wait and do reconnaissance undetected on the network until they choose the moment to actually strike.
While attackers wait for the right conditions to release the ransomware, they often exfiltrate data from their victims' networks. The motive of this activity isn't always clear, though, Microsoft says. It can be difficult to tell the difference between attackers who have IP theft or other intelligence gathering as their main goal and those that just collect what they can as a secondary benefit of positioning themselves for ransomware attacks.
"That dwell time can vary between days, weeks or even months," says Jérôme Segura, head of threat intelligence at the monitoring firm Malwarebytes. "When the time has come for ransomware deployment, threat actors will typically choose weekends, and preferably the wee hours of Sunday morning. This made sense pre-pandemic as staff would typically return to work on Mondays to witness the damage. Now many businesses have their resources stretched far more than before and as a result may be in a tougher position to respond to a compromise."
Microsoft's Lefferts emphasizes that attack groups can't be reliably traced by the tools or type of ransomware they're using, because so many groups copy each other or use different techniques against different targets. And he says that while most of the activity simply capitalizes on known vulnerabilities, ransomware groups are generally smart about rotating their infrastructure like IP addresses to make it harder to trace them.
"It does point to a real need for organizations to think about posture and hygiene and how they do detection and monitoring," Lefferts says. "In many ways organizations have been catapulted five years into the future by the pandemic continuing remote work trends we were already on. It presents moments to ensure that you are thinking about these kinds of attacks—crisis moments like this do create opportunities to make things happen and take action."
Microsoft's findings are mostly based on ransomware attacks during the first two weeks of April that began as intrusions during the prior months, and the researchers say they saw a small increase in ransomware attacks during this time. But this doesn't necessarily mean that attackers always succeeded in collecting a ransom. The cryptocurrency firm Chainalysis said two weeks ago that it has seen a decrease in traceable ransomware payments throughout the pandemic. The company notes that it can only track certain payments, though, and that many organizations pay ransoms quietly to avoid bad publicity.
At the beginning of April, Interpol issued a global warning about the threat of ransomware to health care providers. "As hospitals and medical organizations around the world are working nonstop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” Interpol secretary general Jürgen Stock said in the notification.
The best defenses against ransomware have largely remained the same over the years, and the pandemic may serve as special motivation to finally get old vulnerabilities patched, change easily guessable default passwords, and expand system monitoring capabilities. But the spread of Covid-19 presents unique challenges—just as ransomware is at its most threatening.
Updated Tuesday April 28, 2020 at 3:30pm ET to include comment from Malwarebytes researcher Jérôme Segura.