The Maze group, an anonymous cybercrime group who pledged not to target any medical organizations during the worldwide pandemic, broke their promise and carried out a ransomware attack against Hammersmith Medicines Research. Hammersmith Medicines Research is a British vaccine test center that is on standby to perform clinical trials on potential vaccines for the COVID-19 virus.
The attack took place on March 14th, which was just days before the Maze group announced on March 18th that they would not target any medical organizations during the pandemic. The clinical director of Hammersmith Medicines Research, Malcolm Boyce, stated that the attack was noticed in progress and was able to be stopped without causing any downtime. However, the Maze group was able to exfiltrate patient data which they are using to extort the vaccine test center.
Boyce expressed that his company would not be giving into the demands of the cybercriminals, and as a result, the Maze group leaked some of the patient data on the dark web on March 21st. The publishing of the data online completely violated their public statement that they would not continue to attack medical organizations during the pandemic.
“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” Boyce said. If the Maze group follows their typical pattern, they will continue to release the stolen data on a staggered basis until the company pays the ransom or all of the data has been released.
On a more optimistic side, security companies such as Emsisoft and McAfee are providing free assistance to medical organizations being hit by cyber attacks. These companies are providing threat analysis, development of decryption tools, and even negotiating with cyber attackers.
Written By: Spencer Roth
With the growing concern surrounding the novel coronavirus it is not to surprising that some criminals may be ex-pointing peoples fear of infection. Recently Emotet attackers have been using their botnets to send out a phishing campaign centered around the virus. This attacker are sent under the guise of spreading prevention. In addition, they appear to be targeting Japan, The IBM X-Force researchers have discovered a number of emails that appear to look like they have been sent from the Japanese welfare distribution written in Japanese. Each email contains an infected Microsoft word document which when opened will run a obfuscated VBA macro script which installs a powershell which downloads the Emotet Trojan.
Recently the United States Cyber Security Agency warned of a recent spike in Emotet activity. Emotet is a Trojan malware that is a dropper for other malware, a scraper of information, and it will send spam emails from an infected pc in order to grow its botnet. In the past Emotet has been known to drop ransomware as well as trickbot. This is also not the first time this software has used recent events as a phishing campaign. In 2019 they sent out emails stating that they contained Edward Snowdens complete memoir. In addition, they used a phishing scheme around climate-change activism during the rise of Greta Thunburg.
It is not only Emotet using the coronavirus as a tactic to get people to click on their spam email. Malware protection company Kasper has reported up to 10 different flies using this tactic. As rates of infection and panic increase it is easy to assume more spamers will use this campaign tactic to acquire more downloads. It is also likely as threats increase around the virus the scope of the spammers will increase out of Japan and into other regions.
By: Kevin Dickey
You’ve probably heard of the media using fear mongering of outbreaks and news in order to sell their papers and generate views. Yellow journalism is something many are all too familiar of. Now, even hackers and phishers are taking advantage of the Coronavirus scare.
With the recent outbreak of the Coronavirus, people are trying their hardest to stay safe and informed. Wearing face masks and washing your hands is a start, but for people trying to take the extra step in educating themselves on staying safe, they might be putting themselves in danger instead.
It started with cybercriminals disguising malware as educational documents on the Coronavirus, infecting peoples’ computers with trojans and worms. These malicious files will damage or encrypt the data on your computer to be used for ransom.
Phishers are getting in on it too now, with fake emails pretending to be from the Center for Disease Control and Prevention (CDC), which has users “log in” using their email credentials in order to see health information and updates on the Coronavirus. In reality, your credentials are just handed over to the phishers, who will hijack your account and try to find anything valuable in your emails.
It’s important to stay safe, both physically and virtually. If you’re feeling sick, make sure to see a doctor, and if you get an email asking you to donate bitcoin or log in using your email credentials, just use google instead. For examples of the phishing emails and malware being sent out, check out the sources from Kapersky down below.
– Chris Heine
Coronavirus used to spread malware online
The incredible eye-opening work; Spam Nation by Brian Krebs was released on November 18th 2014 and since then, plenty has happened. Technology waits for no one and with that, spammers and their methods have to evolve to survive, and so they have.
Currently, in the world of Spam, there is not much to differentiate older spamming and phishing techniques from modern methods. This is primarily due to the lack of change in the basis of how information is communicated between computers through the network. What has changed though, are the methods that ISPs and other network administrators use to filter out spam and decrease the amount of spam that disperses through the internet. Thus, spammers must eventually find a way to bypass those measures or else suffer extinction.
This involved various methods, for example one method is to switch from email spam to social media spam (Facebook, Twitter and more recently snapchat) whereas the other method is to combine various techniques together to aid in bypassing the newly developed spam filters. These various methods could include embedding images that link back to a malicious server instead of a plaintext hyperlink, changing their choice of wording and advertising jargon to a more informal writing style, using various different origin servers to avoid an emergence of patterns, and using the unsubscribe button as a way to determine who is reading the spam messages (for verification of filter avoidance). However, by changing the email origin server, the email address that the mail is being sent from should also differ from the original as changing IP address repeatedly before sending various amounts of the same spam mail is known by spam filters.
Spam is a constant problem and regardless of what companies, ISPs, and individuals do to cut down and/ or prevent spam and phishing campaigns, spam will prevail. Both sides of the problem evolve, spam just so happens to evolve slightly faster than that of the prevention team and thus threats can only be protected against once they exist.
A current modern day spamming campaign uses the recent Coronavirus outbreak to ‘trick’ their victims into opening a file that is advertised to help prevent the spread of the Coronavirus strain but actually contains malicious malware that is designed to copy and steal personal information. This specific malware is known as Emotet and while it had previously been on a hiatus, it appears it’s making a comeback.
Written by: Jarryd Brits
Virtual Care Provider (VCP) Incorporated is a company for health care facilities to outsource their information technology needs while also maintaining HIPPA compliance. Services include cloud hosting, networking, client support, security, and more. However, over the last month VCP experienced a ransomware attack.
VCP services a number of clients, including 110 operators of acute care and nursing homes across the United States. This on its own doesn’t seem like a lot, but this translates to approximately 45 states running around 80,000 computers. The attack involved a strain of ransomware called Ryuk, a type that encrypts data to suspend access to its users. Many times, an exorbitant amount of money is demanded for the return of the encrypted files. In this case, a fourteen-million dollar ransom had been issued, which VCP reports they can’t afford.
VCP estimates that 20% of their servers have been affected by the attack. According to Brian Krebs from KrebsOnSecurity, who spoke with VCP CEO Karen Christianson, the attack has affected many of the services they provide, such as email, patient records, billing, payroll, and phone systems. One result of these effects was an inability to either view or modify patient records. Unfortunately, this also applied to acute care facilities, making medication distribution and basic patient care more difficult and time consuming as they can’t order electronically.
Reportedly, the attack began on November 17, 2019 and is still affecting client information and payroll processing for around 150 employees. At current, VCP is prioritizing the restoration of their Active Directory services, email, eMAR, and EHR applications. They also state that there isn’t currently a time estimate for when the services will be available again, it depends on the number of affected servers.
Written by Brett Segraves