The Ryuk Ransomware operators to continue to target hospitals even as these organizations are overwhelmed during the Coronavirus pandemic.
Last week BleepingComputer contacted various ransomware groups and asked if they would target hospitals and other healthcare organizations during the pandemic.
With the amount of strain healthcare organizations are under during this pandemic, I was hoping that ransomware operators would avoid these organizations so they can focus on treating people.
Of the seven ransomware operators I contacted, only Maze and DoppelPaymer responded that they would no longer target hospitals.
Since then Maze has released the data stolen from a drug testing company that was encrypted before stating they would not target healthcare. They continue to tell BleepingComputer that they will not encrypt hospitals or other healthcare organizations during the pandemic.
Ryuk never responded and continues to target hospitals
One of the ransomware operations we contacted was Ryuk who never responded to our question.
Since then, BleepingComptuer has learned that Ryuk continues to target hospitals even while they are struggling to keep people alive during the Coronavirus pandemic
For example, just this morning PeterM of Sophos tweeted that a US health care provider was attacked and encrypted overnight by Ryuk.
When asked if there were any indicators of compromise (IOCs) that could be shared, he stated it looked like every other Ryuk attack.
« Looks like a typical Ryuk attack at the moment, they deployed the ransomware with PsExec, » PeterM stated.
In a conversation with Vitali Kremez, Head of SentinelOne’s research division, over the past month, he has seen Ryuk targeting 10 healthcare organizations. Of these ten targets, two are independent hospitals and another is a healthcare network of 9 hospitals in the USA.
« Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic. While some extortionist groups at least acknowledged or engaged in the discourse of stopping healthcare extortionists, the Ryuk operators remained silent pursuing healthcare targeting even in light of our call to stop, » Kremez told BleepingComputer.
BleepingComputer was informed that one of the hospitals is located in a state that is being heavily affected by the Coronavirus at this time.
At any time, but even more so now, encrypting a hospital’s data not only affects the ability of a doctor to carry out their job but also whether a patient may live or die.