The novel coronavirus pandemic has stretched the world’s health care systems to their limits, creating a global crisis. New research from Microsoft shows that ransomware attackers are actively making that crisis worse, forcing health care and critical infrastructure organizations to pay up when they can least afford downtime. In many cases, hackers are reaping the rewards of groundwork they laid long before Covid-19 hit.
Hackers have known for years that hospitals and other health care providers make perfect targets for ransomware attacks, since there’s life or death urgency in getting back up and running quickly. During the pandemic, though, the risk has become even more dire. After a hospital in the Czech Republic was hit by a debilitating ransomware attack in March, the country’s cybersecurity oversight agency warned two weeks ago that it was bracing for widespread cyberattacks against critical services in the country. Two Czech hospitals reported attempted attacks a day later, and the United States State Department threatened consequences if the antagonism continued.
The Czech incidents reflect just one corner of a worrying global trend of opportunistic ransomware activations.
“The attackers are definitely being what I’ll call rational economic actors, which unfortunately also means vicious,” says Rob Lefferts, corporate vice president of Microsoft 365 security. “We see behavior where they will break into organizations and actually lie dormant, both because they’re doing reconnaissance, but also because they are apparently estimating what is the moment in time when that organization will be most vulnerable and most likely to pay.”
An initial attack that might give hackers access to a victim’s network. But they’ll then wait weeks or months for a particularly opportune moment to actually infect the system with ransomware. Microsoft has been tracking such behavior from groups using a number of prominent strains of ransomware, like Robbinhood, Maze, and REvil. While some ransomware groups had pledged not to attack hospitals during the coronavirus crisis, in practice hackers are increasingly attempting to cash in.
The Microsoft researchers often observed attackers getting their initial network access by exploiting unpatched vulnerabilities in victims’ web infrastructure. They saw some hackers taking advantage of a widely publicized flaw in the Pulse Secure VPN and others exploiting flaws in remote management features like remote desktop systems. Attackers also targeted vulnerabilities and insecure configurations of Microsoft’s own products. Attackers could guess passwords of organizations using Remote Desktop Protocol without multi-factor authentication, or exploit known bugs in Microsoft SharePoint and Microsoft Exchange servers that victims neglected to patch.
Attackers even took advantage of tools used in security to proactively find and plug network holes, including the attack emulation platform Cobalt Strike and malicious techniques in Microsoft’s remote management framework PowerShell. This activity often looks legitimate and can sneak past scanners, allowing attackers to lie in wait and do reconnaissance undetected on the network until they choose the moment to actually strike.
While attackers wait for the right conditions to release the ransomware, they often exfiltrate data from their victims’ networks. The motive of this activity isn’t always clear, though, Microsoft says. It can be difficult to tell the difference between attackers who have IP theft or other intelligence gathering as their main goal and those that just collect what they can as a secondary benefit of positioning themselves for ransomware attacks.
Microsoft’s Lefferts emphasizes that attack groups can’t be reliably traced by the tools or type of ransomware they’re using, because so many groups copy each other or use different techniques against different targets. And he says that while most of the activity simply capitalizes on known vulnerabilities, ransomware groups are generally smart about rotating their infrastructure like IP addresses to make it harder to trace them.
