By Luke Wilson, vice president of intelligence, 4iQ.
In the wake of COVID-19, my firm, 4iQ, observed an increase in a host of cyber-attacks. This uptick did not come as a surprise, given cybercriminals typically exploit uncertain situations, but it was a wake-up call for organizations that were in the midst of transitioning to full-time remote work.
As the country begins to reopen, we cannot let our guard down, either in preventing the spread of this pandemic or against persistent cybercriminals.
Phishing campaigns were well-documented over these past few months. Scammers spoofed credible institutions, such as the World Health Organization (WHO) and Centers for Disease Control and Prevention (CDC) to lure victims into downloading malware or to capture personal or financial information.
These incidents were so widespread that government agencies, including the CDC, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC), published resources on these COVID-19-related scams to alert the public and offer tips on how to spot suspicious activity. Not only organizations but also individuals were at risk of having their identities spoofed.
Cybercriminals leveraged the accounts of executives with public-facing email addresses, usually compromised via keyloggers or phishing attacks, to conduct fraudulent wire transfer payments.
As COVID-19 continued to spread, so did the number of registered suspicious coronavirus-themed domains. We analyzed over 2,400 domain names with COVID-19 themes and found that the most common terms were “virus,” “coronavirus,” and “corona.”
We also saw particular interest in protection gear, test kits, vaccines, and domains that tracked reported coronavirus cases as well as the status of the infected and cured. While some of these sites might have been legitimate, many were scams to distribute malware, commit financial fraud, or trick victims into purchasing fraudulent COVID-19-related products, such as “vaccines,” which haven’t been evaluated by regulators for safety and effectiveness.
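As an added illustration (my own code, not 4iQ's tooling), here is a Python sketch of the lexicon-driven analysis that surfaces themed domains in a registration feed or DNS log: it normalizes each name, tallies lure terms with a longest-match scan, and flags names that combine a virus term with one of the lure themes above. The term list, the theme grouping and the sample domains are assumptions, not data from the 2,400-domain study.

```python
import re
from collections import Counter

# Lure vocabulary grouped into the lure themes named in the text (virus names,
# protection gear, test kits, vaccines/cures, case trackers). The grouping and
# the exact word list are my own assumption, not 4iQ's lexicon.
TERMS = {
    "coronavirus": "virus", "corona": "virus", "virus": "virus", "covid": "virus",
    "mask": "protection", "ppe": "protection", "glove": "protection", "sanitizer": "protection",
    "test": "testkit", "kit": "testkit",
    "vaccine": "vaccine", "cure": "vaccine", "treatment": "vaccine",
    "tracker": "tracker", "map": "tracker", "cases": "tracker", "infected": "tracker", "cured": "tracker",
}
_LONGEST_FIRST = sorted(TERMS, key=len, reverse=True)

# Constructed sample under the reserved .test TLD; none of these are real domains.
SAMPLE_DOMAINS = [
    "coronavirus-map-live.test", "covid19testkits.test", "buy-corona-masks.test",
    "virus-vaccine-now.test", "Corona-Virus-Cure.TEST", "maple-kitchen.test", "cdc.test",
]

def normalize(domain):
    """Drop the TLD, lowercase, keep letters and digits only, so that
    'Corona-Virus.map.test' and 'coronavirusmap.test' look identical."""
    labels = domain.lower().rstrip(".").split(".")
    host = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z0-9]", "", host)

def lure_terms(domain):
    """Greedy longest-match scan: 'coronavirus' is counted once, not also as
    'corona' and 'virus'; characters matching no term are skipped."""
    name, found, i = normalize(domain), [], 0
    while i < len(name):
        for term in _LONGEST_FIRST:
            if name.startswith(term, i):
                found.append(term)
                i += len(term)
                break
        else:
            i += 1
    return found

def themes(domain):
    return sorted({TERMS[t] for t in lure_terms(domain)})

def term_frequency(domains):
    """Per-term counts over a feed: the tally behind 'most common terms'."""
    return Counter(t for d in domains for t in lure_terms(d))

def flag_themed_domains(domains):
    """Anchor on a virus-name term to suppress short-term false positives such as
    'maple-kitchen' (map + kit); return each hit with all of its lure themes."""
    return {d: themes(d) for d in domains if "virus" in themes(d)}

if __name__ == "__main__":
    print(term_frequency(SAMPLE_DOMAINS).most_common(3))
    for domain, found in flag_themed_domains(SAMPLE_DOMAINS).items():
        print(f"{domain:28} {', '.join(found)}")
```

Short terms such as "map" and "kit" match inside ordinary words, so the virus-term anchor is what keeps the hit list reviewable; tune the lexicon against your own feed before acting on it.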
During the pandemic, cybercriminals have targeted entities within the healthcare sector with ransomware campaigns. Ransomware lures during COVID-19 sometimes included general information about the novel virus or focused on specific angles such as government assistance.
According to Trend Micro, modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through specific online payment methods in order to obtain a decryption key. During the lockdown period, the following were among the most common attacks we detected.
First, Ryuk ransomware. The infection typically starts with a phishing email, a visit to a suspicious website, or a click on a random popup; bots such as TrickBot and Emotet then give the attackers direct access to the victim’s network and spread laterally to ultimately deploy Ryuk.
Clop ransomware has a history of infecting only Microsoft Windows systems, bypassing Windows Defender and shutting down important processes (such as Microsoft Office) before blocking data recovery attempts. Last, Locky ransomware: the Russian hacker group TA505 launched several attacks in recent months using a coronavirus lure in an attempt to deliver a downloader to a target’s computer.
Further, fake news and hoax campaigns have permeated our society for the last several years, but especially in the wake of this pandemic. Our research showed the aim is usually political, seeking to destabilize countries in the international arena, influence the stock market or affect the public’s perception of global governments and/or political parties.
A few examples that we have seen include messages causing people to hoard large amounts of essential products in the face of lockdowns, circulation of fraudulent products that claim to “cure, treat, or prevent COVID-19,” and claims of COVID-19 being a hoax.
We also found conspiracy theories surrounding the origin of the virus. For instance, one campaign claimed the virus was stolen out of a Canadian lab, while another rumor accused the Chinese government and Wuhan labs of being the originators of the disease.
Cybercriminals will continue to capitalize on the fear and uncertainty surrounding COVID-19, so healthcare organizations, such as hospitals, medical organizations and pharmaceutical companies, must allocate the necessary resources to cybersecurity to prevent further harm.
During this pandemic, the investment firm C5 Capital formed an alliance of cybersecurity professionals, including 4iQ, that will offer free digital defenses to our healthcare systems and providers. Further, companies should train employees on cyber best practices, secure their Wi-Fi networks, and invest in credible identity theft protection that performs an initial scan and then delivers real-time alerts should employee credentials become compromised.