COVID-19: Cyber Security Update – 9 April

This is part of our series of reports on developing cyber threats concerning COVID-19. We continue to see developments as the pandemic changes working patterns and every aspect of our lives. Cyber threats unsurprisingly follow these changes quickly, even though many of the individuals carrying them out must also be impacted. We can see that the overall frequency of cyber attacks is down, but COVID-19-related issues are increasing.

There is growing evidence from industry, law enforcement and media outlets that the attacks on medical facilities, which initially declined, have intensified in the past month since the outbreak in Europe and the US has taken hold.

Ransomware is now back on the agenda. New ransomware variants, and a shorter period between initial compromise and the point of file encryption, indicate that there are new entrants to the ransomware “market”. We believe that attackers are judging that attacks launched during the pandemic will provide maximum returns as pressure builds to deliver essential services. Ransomware gangs are always looking to reduce the window in which an organisation can mitigate any impact, and to put themselves in the most powerful position to negotiate. A victim distracted by other urgent priorities is highly likely to pay, especially if backed by insurance.

Attacks in the past month include a successful infection of a Czech hospital and a UK vaccine-testing company, as well as attempts against a Spanish hospital. Given the warnings from global law enforcement, it is highly likely that other medical institutions have been targets of ransomware attacks that have not been made public.

The initial phases of a ransomware attack typically include staff clicking on infected emails, or the exploitation of public-facing services such as Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) services. Risks are increased by successful phishing of user emails and passwords; poor password hygiene by staff, including password reuse or low complexity; and poor password policies or no use of multi-factor authentication by businesses.

Increased home working and a new dependency on externally accessible services such as remote access, video conferencing or collaboration platforms mean there is a potential for a business's attack surface to increase. Businesses should be mindful when setting up new platforms and services, making efforts to identify and review the security of these external-facing services to ensure that they are visible and that at least basic security controls are applied.

To reduce the impact of ransomware, it is key that businesses ensure reliable, regular and segregated backups are completed, even when staff are working at home. Good cyber hygiene, such as implementing multi-factor authentication and the filtering and blocking of content through mail filtering, email gateways, and internet security gateways, should also be considered. We have provided detailed advice in the report.

Successful attacks during the pandemic are likely to present even more challenging issues in terms of response and remediation due to reduced security staff and remote working. We expect to see targeting of medical facilities, but also of other businesses and services involved in the response to the virus, and of infrastructure services.

To read our full report click here.