In a nutshell: In addition to local governments, one of the favorite targets for ransomware gangs are hospitals and medical facilities. With the coronavirus outbreak straining countries' healthcare systems to the limit, ransomware operators have pledged not to attack these organizations during the pandemic---though one group appears to have broken its promise.
We've seen several hospitals hit with ransomware over the years, forcing some to run on pen and paper. With so many medical facilities struggling with the influx of coronavirus patients, a ransomware attack right now would be devastating, and almost certainly result in lost lives.
Last week, Bleeping Computer contacted several ransomware operators to see if they planned on targeting health organizations during the outbreak. Only two responded, both promising to avoid entities such as hospitals.
DoppelPaymer said it always tries to avoid medical facilities, and if it did hit one by mistake, the group would offer the decryption key for free. It did warn that some companies try to represent themselves as something else, so it would be double and triple-checking firms before releasing any free keys.
The operators behind Maze ransomware said, "We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus." But it appears the group is stretching the truth with that claim. On March 14, the Maze gang attacked the systems of Hammersmith Medicines Research (HMR), a UK company that carried out tests to develop the Ebola vaccine, and performs early clinical trials of drugs and vaccines. It's ready to perform trials on any Covid-19 vaccines that are being developed.
Computer Weekly reports that while the attack took place before the pledge, the group published thousands of former patients' details days after the promise because HMR refused to pay.
Malcolm Boyce, clinical director of HMR, said, "We repelled [the attack] and quickly restored all our functions. There was no downtime." He added that the group had sent the company medical files of former patients as proof they had accessed the firm's data.
Boyce said HMR is a research company, not a pharmaceutical firm, and does not have the funds to pay the ransom demands even if it wanted to. "We have no intention of paying. I would rather go out of business than pay a ransom to these people," he stressed.
It might appear that cybercriminal gangs are doing the right thing by not targeting medical organizations right now, but it's a promise that should be taken with a grain of salt, as many know that hospitals' current desperation makes them more likely to pay a ransom.