The COVID-19 pandemic has given rise to a terrible trend: cyberattacks targeting health care employees. It’s an insidious and reprehensible attack on some of the most valued and stressed segments of the workforce, part of an alarming increase in attacks that prey on fear and concerns about the pandemic and economic crisis.
Healthcare IT services professional Don Baham from Kraft Technology Group warns healthcare professionals about the next wave of cyberthreats during and after COVID-19.
What Cyberattacks Target Healthcare Workers?
The latest attack is called Netwalker, a variant of the ransomware known as Mailto.
Netwalker targets government agencies and enterprise companies. The white-hat group MalwareHunterTeam found an attachment as part of a coronavirus phishing scheme that installs the Netwalker ransomware. In March, hackers attacked the Champaign Urbana Public Health District, an Illinois public health agency covering 210,000 people.
The ransomware attack hit just as the COVID-19 pandemic was escalating and thousands of people were looking for health guidance. The district had to create an alternate website to continue to provide information.
How Does Netwalker Attack Websites?
Netwalker appears to hide in plain sight. It uses a technique known as process hollowing, in which it runs under the guise of a legitimate process, the Windows explorer.exe program. This technique helps Netwalker evade common anti-virus software, whitelisting and signature-based detection.
The campaign uses an attachment called “CORONAVIRUS_COVID-19.vbs.” As in most successful phishing campaigns, users who click on the file believing it contains valuable health information instead launch the malware attack.
The attachment contains an executable file and carefully hidden code that’s extracted and launched on the infected computer. Once the script launches, it saves another executable file in a temp folder. Once launched, the ransomware encrypts files and adds a random extension to file names.
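One way to hunt for the chain described above in process-creation logs, shown as an added example that is not part of the original column or any vendor's tooling. The event field names, the sample events, the file name dropped.exe and the list of expected explorer.exe parents are assumptions constructed for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows hosts that run .vbs files
# Assumption: parents treated as normal for explorer.exe; tune per environment.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the rules a process-creation event matches."""
    image, parent = event["image"].lower(), event["parent_image"].lower()
    cmd = event.get("command_line", "").lower()
    hits = []
    # Stage 1: a script host executing a .vbs file (the opened attachment).
    if _name(image) in SCRIPT_HOSTS and ".vbs" in cmd:
        hits.append("script_host_runs_vbs")
    # Stage 2: a script host starting an executable saved in a temp folder.
    if (_name(parent) in SCRIPT_HOSTS and image.endswith(".exe")
            and any(m in image for m in TEMP_MARKERS)):
        hits.append("script_host_spawns_temp_exe")
    # Stage 3 (assumption): the explorer.exe used for hollowing is started by
    # the dropped file, so its parent is outside the normal logon chain.
    if _name(image) == "explorer.exe" and _name(parent) not in EXPECTED_EXPLORER_PARENTS:
        hits.append("explorer_unexpected_parent")
    return hits

def triage(events):
    """Return (index, rules) for every event that matched at least one rule."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, rules) for i, rules in results if rules]

# Constructed sample events (hypothetical user, mail client and dropped file).
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
DROPPED = "C:\\Users\\nurse1\\AppData\\Local\\Temp\\dropped.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [
    {"image": WSCRIPT, "parent_image": "C:\\Program Files\\Mail\\mailclient.exe",
     "command_line": 'wscript.exe "C:\\Users\\nurse1\\Downloads\\CORONAVIRUS_COVID-19.vbs"'},
    {"image": DROPPED, "parent_image": WSCRIPT, "command_line": DROPPED},
    {"image": EXPLORER, "parent_image": DROPPED, "command_line": EXPLORER},
    {"image": EXPLORER, "parent_image": "C:\\Windows\\System32\\userinit.exe"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], rules)
```

Because these rules look at process ancestry and file location rather than file signatures, they still apply when the payload itself is not recognized by signature-based detection.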
At the time of this column, there was no known free decryption tool for the Netwalker malware.
What Cyberattacks Target Healthcare?
Netwalker is not the only phishing scheme to target healthcare organizations.
The FBI has issued three warnings in 2020 about the Kwampirs Remote Access Trojan, which exploits network vulnerabilities. Health organizations have become a frequent target. Why? There’s ample opportunity, especially as health organizations pivot quickly to telehealth options and more people are working from home.
Unit 42 reported on a scam in late March that spoofed an email address from the World Health Organization (WHO). The campaign targeted an unnamed Canadian government health agency and a Canadian university doing COVID-19 research. It contained a Rich Text Format (RTF) attachment that delivered ransomware.
A separate malware campaign has targeted medical organizations and medical research facilities the world over. The email campaign teased COVID-19 news with attachments titled “COVID-19 Supplier Notice” or “Corporate advisory” and used an email address from an electric skateboard company. The attachments launched AgentTesla, malware that steals information.
The prevalence of attacks led the WHO to report that the agency had seen a fivefold increase in cyberattacks this year compared with 2019. WHO also reported the online leak of 450 email addresses and passwords belonging to agency employees and retirees. Scammers have used WHO addresses to direct donations to a fraudulent fund.
What Can Be Done to Prevent Healthcare Cyberattacks?
Several cybercrime organizations announced that they would not target healthcare organizations with attacks. However, several security analysts noted that these moves are driven not by an interest in protecting public health but by self-preservation. Ian Thornton-Trump, CISO at Cyjax, told Forbes that continued attacks on healthcare organizations “may even elicit military action up to and including a special forces mission to take out the actors responsible for the cyber-attack.”
The insidious attacks on our most vulnerable and needed institutions reinforce that companies have to be ever-diligent in keeping systems secure. Now is the time to ensure that your cybersecurity solution is current, comprehensive and active.