Skip to content

The Covid-19 Pandemic Reveals Ransomware’s Long Game

The novel coronavirus pandemic has stretched the world’s health care systems to their limits, creating a global crisis. New research from Microsoft shows that ransomware attackers are actively making that crisis worse, forcing health care and critical infrastructure organizations to pay up when they can least afford downtime. In many cases, hackers are reaping the rewards of groundwork they laid months ago, before Covid-19 fully hit.

Hackers have known for years that hospitals and other health care providers make perfect targets for ransomware attacks, since there’s life-or-death urgency in getting back up and running quickly. During the pandemic, though, the risk has become even more dire. After a hospital in the Czech Republic was hit by a debilitating ransomware attack in March, the country’s cybersecurity oversight agency warned two weeks ago that it was bracing for widespread cyberattacks against critical services in the country. Two Czech hospitals reported attempted attacks a day later, and the US State Department threatened consequences if the antagonism continued.

The Czech incidents reflect just one corner of a worrying global trend of opportunistic ransomware activations.

“The attackers are definitely being what I’ll call rational economic actors, which unfortunately also means vicious,” says Rob Lefferts, corporate vice president of Microsoft 365 security. “We see behavior where they will break into organizations and actually lie dormant, both because they’re doing reconnaissance but also because they are apparently estimating what is the moment in time when that organization will be most vulnerable and most likely to pay.”

An initial attack might give hackers access to a victim’s network. But they’ll then wait weeks or months for a particularly opportune moment to actually infect the system with ransomware. Microsoft has been tracking such behavior from groups using a number of prominent strains of ransomware, like Robbinhood, Maze, and REvil. While some ransomware groups had pledged not to attack hospitals during the coronavirus crisis, in practice hackers are increasingly attempting to cash in.

The Microsoft researchers often observed attackers getting their initial network access by exploiting unpatched vulnerabilities in victims’ web infrastructure. They saw some hackers taking advantage of a widely publicized flaw in the Pulse Secure VPN and others exploiting flaws in remote management features like remote desktop systems. Attackers also targeted vulnerabilities and insecure configurations of Microsoft’s own products. Attackers could guess passwords of organizations using Remote Desktop Protocol without multifactor authentication or exploit known bugs in Microsoft SharePoint and Microsoft Exchange servers that victims had neglected to patch.

Attackers even took advantage of tools used in security to proactively find and plug network holes, including the attack emulation platform Cobalt Strike and malicious techniques in Microsoft’s remote management framework PowerShell. This activity often looks legitimate and can sneak past scanners, allowing attackers to lie in wait and do reconnaissance undetected on the network until they choose the moment to actually strike.

While attackers wait for the right conditions to release the ransomware, they often exfiltrate data from their victims’ networks. The motive of this activity isn’t always clear, though, Microsoft says. It can be difficult to tell the difference between attackers who have IP theft or other intelligence gathering as their main goal and those that just collect what they can as a secondary benefit of positioning themselves for ransomware attacks.

“That dwell time can vary between days, weeks or even months,” says Jérôme Segura, head of threat intelligence at the monitoring firm Malwarebytes. “When the time has come for ransomware deployment, threat actors will typically choose weekends, and preferably the wee hours of Sunday morning. This made sense pre-pandemic as staff would typically return to work on Mondays to witness the damage. Now many businesses have their resources stretched far more than before and as a result may be in a tougher position to respond to a compromise.”