Hackers ‘Without Conscience’ Demand Ransom From Health Providers

Article by Ryan Gallagher – Bloomberg

When hackers broke into computers at Hammersmith Medicines Research, a London-based company that carries out clinical trials for new medicines, it was a nightmare scenario for managing director Malcolm Boyce.

The coronavirus crisis was just beginning to take hold in the U.K., and the company was in talks with other firms about potentially testing a vaccine. The hackers used encryption to lock down thousands of the company’s patient records and promised to publish them online if a ransom wasn’t paid.

Instead, Boyce called the police and his company’s IT staff worked around the clock to try to mitigate the damage.

“We’ve beefed up our defenses since the attack with all sorts of software,” said Boyce, adding that his company is now operating normally after a temporary setback. “My message to other companies is to do everything possible to safeguard yourself because they are quite capable of putting companies out of business, and they are totally without conscience.”

At a time when they are struggling to handle an influx of patients suffering from Covid-19, the disease caused by the coronavirus, health-care providers and medical facilities in the U.S. and Europe have seen a surge of ransomware attacks, as criminal groups seek to exploit the crisis to hit the sector when it’s at its most desperate, according to several cybersecurity experts.

“We have now seen a number of instances where clinical labs involved in testing, or major hospitals, have suffered ransomware attacks, where all their IT systems have been knocked down,” said André Pienaar, founder of C5 Capital, a venture capital firm. C5 has created an alliance of cybersecurity companies that is providing free assistance to hospitals and clinics in the U.K. and Europe.

Europol, the E.U.’s law enforcement agency, has received reports of intensifying cyber-attacks in almost all of its 27 member countries, according to spokesman Jan Op Gen Oorth.

“We have seen organized crime swiftly taking advantage of the proliferation of the virus,” said Op Gen Oorth. “There’s an increase in malware and ransomware attacks seeking to profit from this global crisis.”

In the U.S., Bill Siegel, chief executive officer of Coveware, which helps companies affected by ransomware attacks, said he has worked with about a half dozen health-care providers that have been hit with ransomware during the Covid-19 crisis.

The organizations that were hacked varied in size, he said, and included a hospital, medical laboratories, a small pediatrician’s office and an urban care center. He declined to name them, citing confidentiality agreements.

An attack on a health-care provider locks down computers that typically contain electronic medical records, Siegel said, meaning that doctors and nurses can’t access information about their patients’ medical histories, the dosages of drugs that patients require and other critical information.

The ramifications of such an attack, especially during the outbreak, could be devastating, Siegel said. In the case of the hospital he is working with, “casualties that would not otherwise occur are a likely outcome because of the ransomware attack,” he said.

Ransomware is a type of malware that encrypts files on a victim’s computers, rendering the data they contain inaccessible until a ransom is paid for a decryption key. The ransom amounts vary, though Pienaar said he has seen “enormous inflation” in ransom demands in the last two months.

In many instances, he said, ransoms are being paid because the health organizations are under time constraints and pressure — exactly what the hackers are counting on.

The ransomware attacks come amid an increase in other cyber-attacks related to the pandemic. They have included a rash of “phishing” emails that attempt to use the crisis to persuade people to click on links that download malware or ransomware onto their computers.

John Fitzpatrick, director of HPCsec, a London-based security company, created a tool to monitor the creation of suspicious website domains associated with the coronavirus.

Fitzpatrick said that in a four-day period from March 19 to March 23, he had identified more than 650 domain names, many of which he said were “highly likely” to be associated with a surge in phishing messages.

Hospitals and medical facilities have been targets of hackers and ransomware groups for years, in part because they store sensitive patient information on their computers and in part because of lapses in cybersecurity.

In 2017, dozens of British hospitals and surgeries were affected by ransomware known as WannaCry, which resulted in thousands of canceled appointments and the closing of some accident and emergency departments.

In 2019, several U.S. hospitals had to turn away patients after another spate of ransomware attacks. The global pandemic has only increased the vulnerability of medical facilities, experts said.

“The attackers know that these organizations are so desperate at the moment to build ventilators, or to stop people from getting sick, and they are trying to exploit that,” said Malcolm Taylor, head of cybersecurity at ITC Secure, one of the companies that is part of C5 Capital’s alliance to help medical facilities and research labs.

In the Czech Republic, for instance, Brno University Hospital was hit by a cyber-attack earlier this month that forced it to shut down its computers, cancel operations and relocate patients.

The hospital, which is the second largest in the Czech Republic, had been carrying out tests for the coronavirus disease. Some of the test results were delayed due to the incident, according to a hospital spokesman.

Robert Kahofer, chief of cabinet at Czech cybersecurity agency NUKIB, said his team was currently working to fix the hospital’s computers. He declined to elaborate, citing an ongoing police investigation.

In California, the biotechnology company 10x Genomics Inc. appears to have suffered a recent attack.

The company, which develops gene sequencing equipment used in scientific research, is providing technology to Vanderbilt University Medical Center that profiles the immune system for use in developing potential antibody therapies for Covid-19.

On March 13, a group using a strain of ransomware known as REvil posted online an internal company document from 10x Genomics that purportedly contained information about more than 1,200 of the company’s employees and its internal computer systems. A copy of the document was seen by Bloomberg News.

The group said it had stolen a terabyte of information from 10x Genomics. A security researcher with the Israel-based data-breach monitoring company Under The Breach said it appeared 10x Genomics had been “compromised pretty badly.” The researcher requested anonymity to avoid retribution from ransomware attackers.

10x Genomics didn’t respond to requests for comment.

Some ransomware groups have pledged not to hit hospitals and other health-care providers while the coronavirus continues. But security experts caution against believing the hackers’ assurances.

“It’s completely false,” said Siegel of Coveware. “We have seen almost every single one of them recently target a health-care organization.”