Cybercriminals reneged on early promises to spare healthcare facilities from cyber attacks during the COVID-19 pandemic – hitting more than 100 healthcare organisations with ransomware attacks and, a team of dark-web experts has reported, openly marketing ‘backdoor access’ to healthcare organisations on the dark web.

“There is no honour among thieves,” the new Darknet Report notes, “and as soon as the truce was broken by one [ransomware group], they all began to plunder any targets they could.”

It was a bold betrayal of an industry that spent 2020 struggling to keep up with an escalating pandemic – and found itself hopelessly outgunned in the fight to keep its data and systems safe.

“This unprecedented public health emergency has demonstrated that health facilities can become targets everywhere,” the World Health Organisation recently noted, adding that “whether they take the form of a cyber attack or a physical assault, [attacks] deprive people of urgently needed care, endanger health care providers, and undermine health systems.”

A recent analysis by VMware Carbon Black observed 239.4 million attempted cyberattacks on its customers during 2020 – with an average of 816 attempted attacks per endpoint and an 87 per cent increase in attacks between September and October alone.

Concerns about the implications of such breaches were enough to convince Shawn Richardson, senior manager for product security incident response with chipmaker NVIDIA, to last year join the CTI League – a worldwide coalition of more than 1,500 volunteer cyber security professionals working together to analyse and block threats to healthcare facilities during the pandemic.

“These have been unprecedented times,” she said, noting that “the onslaught of COVID has brought some rapid changes [and] taken away from our normal as we continue to adjust to our new realities.”

“Criminals have increased their attacks on healthcare organisations, hospitals, and medical research facilities at a time when they’re most under duress and fatigue.”

United by a desire to do something to help, the team of volunteers “have managed in just under a year to build a trusted community of volunteers that works with law enforcement to protect healthcare organisations,” Richardson said, lauding the group’s “amazing accomplishments over this in less than a year.”

A clearinghouse and staging area

The group’s CTIL Dark arm, a smaller group of darkweb experts, immersed themselves in the underbelly of this criminal underworld and found out just how far – and effectively – opportunistic cybercriminals would go to make a quick buck.

Recognising that the healthcare industry had “emerged as most vulnerable during the pandemic,” the team notes, many cybercriminals were trading and selling databases containing personal healthcare information stolen during cybercriminal breaches.

Money-minded cybercriminals had moved quickly to respond to developments in the COVID-19 response, quickly selling everything from masks, COVID test kits, and even hydroxychloroquine through darkweb forums.

“Opportunistic cyber criminals have mirrored whatever the biggest topic was being covered by the media,” CTIL Dark team lead Sean O’Connor said in launching the report, “as well as whatever the biggest concern at the time of the general public was.”

This included one campaign where a large-scale spammer leveraged publicly-available maps of COVID cases to target their campaigns to areas where they would, O’Connor said, most effectively “prey on the fear of the general public”.

Still other cybercriminals were seen testing out COVID-themed conspiracy theories and disinformation campaigns, some organised by nation-state actors, on underground message boards and Chan forums before their release onto the general web using automated bots and fake social-media personas.

CTIL Dark also observed networks of Initial Access Brokers (IABs), who scour the Internet for vulnerable networks and sell access methods to the highest bidder – or target them with inexpensive ransomware-as-a-service campaigns.

Although conventional wisdom suggests that ransomware spreads via malicious emails, the discovery of extensive trading of vulnerabilities for ransomware surprised investigators – who noted that the rapid shift to remote desktop protocol (RDP)-based remote access had left many companies with poorly secured networks.

Attacks increasing

Observed surges in cybercriminal compromise were rife throughout the pandemic – with Avast, for one, noting a 10 per cent surge in ransomware against Australian targets, a 51 per cent increase in spyware and stalkerware between March and June 2020, and RDP attacks becoming a “strong cyber-attack vector”.

The battle against opportunistic cybercriminals has scored some victories in recent months, with the drug-riddled Empire Market disappearing from the darkweb and authorities shutting down the Emotet ransomware network after a massive multinational campaign.

Yet the fight continues after “a long year”, CTI League co-founder Marc Rogers said, noting that CTIL Dark’s learnings were a major payoff from the volunteers’ efforts to keep up with the escalation in cybercriminal activity during the pandemic.

“The dark web remains an incredibly important source of threat intelligence,” he said. “By tracking threat actors across this space, the league is able to understand the [tactics, techniques and procedures] that lead to incidents within the healthcare sector as well as better understand the motivation driving these threats.”