A recent report from the UK’s National Cyber Security Centre, part of GCHQ (a key institution in the history of IT and AI, as we looked at in the post about Alan Turing), has drawn some interesting conclusions. The center handled 723 incidents between 1 September 2019 and 31 August 2020, with around 200 related to coronavirus. This suggests that a quarter of all cyberattacks over the last few months have been related to the COVID-19 pandemic.

This data also correlates with the increase in incidents that we have been witnessing at Cytomic, due both to the boom in working from home, with the consequent increase in the attack surface, and to the rise in malware designed to take advantage of the intense interest in content related to the current health crisis.

The NCSC report places particular emphasis on this last point, highlighting one of the most common and persistent techniques used by adversaries: ransomware. In fact, the center explains that it has handled more than three times as many ransomware incidents as last year. Moreover, the healthcare sector, as we discussed in June, has been one of the leading targets.

Phishing and loaders_

One very recent example of attacks with COVID-related ransomware is the use of Trickbot against US healthcare services. The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Health Department published an alert warning that cyberattackers have employed this malware against several hospitals around the country.

CISA explained that Trickbot began life as a banking Trojan and is ‘descended’ from the Dyre malware. It also explains that the most common attack vector for Trickbot is wide-scale phishing, using emails containing COVID-related PDF attachments, though emails without attachments have also been detected, as well as specifically targeted cases of social engineering that spoof the identity of company executives.

Trickbot gives adversaries a series of tools that allow them to steal credentials, mine cryptocurrencies, and, most often, deploy ransomware. BazarLoader is used as a loader, and the ransomware most commonly detected alongside Trickbot is the infamous Ryuk, which Cytomic dealt with in a specific report released some months ago. Once loaded, Ryuk uses 256-bit AES encryption to lock files on a system. A message then appears demanding a ransom in bitcoins.

Backup copies, training, and advanced solutions_

To prevent these types of ransomware incidents, which can be highly damaging to healthcare organizations, CISA has recommended the implementation of a series of policies, best practices, and specific solutions. These include:

  • Implement a recovery and continuity plan with backup copies stored offline and regularly updated, in order to prevent complete paralysis of an organization if its systems are encrypted by ransomware.
  • Promote awareness and training of employees so that they recognize the attack vectors used to deploy ransomware, such as phishing, and can better identify social engineering techniques such as identity spoofing and fraud.
  • Use cybersecurity solutions that regularly scan all systems. This should include any activity on endpoints, in order to reveal unusual behavior by users, devices, and processes. As Trickbot has shown, ransomware can be deployed through an attack vector such as an email with no attachment, which evades traditional security solutions. This is why the Cytomic EPDR solution delivers advanced EDR capabilities for endpoint prevention and detection, along with a complete suite of preventive technologies with the Zero Trust Application Service, to prevent any binary file from being run until it has been classified as trusted.
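The third recommendation above relies on spotting unusual process behavior on the endpoint. One behavioral signal that ransomware such as Ryuk produces when it encrypts files with AES is a burst of writes whose contents have near-maximum byte entropy. The following is an added illustration of that idea and is not code from Cytomic EPDR or from CISA; the event format, the process names (`editor.exe`, `archiver.exe`, `unknown.exe`), the file paths and the file contents are all constructed for the example, and the thresholds (7.5 bits per byte, 20 files in 60 seconds) are assumptions a real product would tune.

```python
import hashlib
import math
from collections import defaultdict

HIGH_ENTROPY = 7.5   # bits per byte; encrypted or compressed data sits close to 8.0 (assumed threshold)
WINDOW_S = 60        # sliding window, in seconds (assumed)
MIN_FILES = 20       # distinct high-entropy files per process in the window before alerting (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_mass_encryption(events, window_s=WINDOW_S, min_files=MIN_FILES, threshold=HIGH_ENTROPY):
    """Return {process: timestamp_of_first_alert} for every process that wrote at least
    `min_files` distinct high-entropy files within any `window_s`-second window.

    `events` is an iterable of (timestamp_seconds, process_name, path, content_bytes),
    i.e. a simplified stand-in for an EDR file-write telemetry stream."""
    recent = defaultdict(list)   # process -> [(ts, path)] of its high-entropy writes
    alerts = {}
    for ts, proc, path, content in sorted(events, key=lambda e: e[0]):
        if proc in alerts or shannon_entropy(content) < threshold:
            continue                      # low-entropy writes (ordinary documents) are ignored
        writes = recent[proc]
        writes.append((ts, path))
        writes = [w for w in writes if ts - w[0] <= window_s]   # forget writes outside the window
        recent[proc] = writes
        if len({p for _, p in writes}) >= min_files:
            alerts[proc] = ts             # first moment the burst crosses the threshold
    return alerts


def _pseudo_random(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed sample data)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed plaintext resembling an ordinary document: entropy well below the threshold.
PLAINTEXT = b"Patient record: admission date, ward, attending physician, notes.\n" * 64


def sample_events():
    """Constructed telemetry: a benign editor, a benign archiver, and an encrypting process."""
    events = []
    # An editor saving ordinary documents: low entropy, never counted.
    for i in range(30):
        events.append((i * 10, "editor.exe", f"C:/docs/note{i}.txt", PLAINTEXT))
    # An archiver writing a handful of compressed files: high entropy but too few to alert.
    for i in range(5):
        events.append((100 + i, "archiver.exe", f"C:/backup/part{i}.zip", _pseudo_random(f"zip{i}")))
    # An unknown process rewriting 25 files with ciphertext in 25 seconds: alert on the 20th file.
    for i in range(25):
        events.append((200 + i, "unknown.exe", f"C:/share/file{i}.docx.locked", _pseudo_random(f"enc{i}")))
    return events


if __name__ == "__main__":
    print(flag_mass_encryption(sample_events()))   # {'unknown.exe': 219}
```

The archiver case is the reason for counting files rather than alerting on a single high-entropy write: legitimate compression and backup tools also emit high-entropy output, so the signal is the combination of entropy, volume and a short time window. A real EDR would also correlate the process with its parent, its signing status and its reputation before blocking it, which is what the Zero Trust classification step in the text adds on top of this kind of heuristic.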