Amid the ongoing COVID-19 pandemic, Kivu’s intelligence is indicating an exponential surge in cyber-attacks likely to cause post-pandemic disruption. Currently, we are seeing three cyber trends develop semi-independently of each other.
Among organized ransomware groups such as Ryuk, Sodinokibi (also known as REvil) or Maze, there is a growing divide between the groups’ operators and affiliated partners. The issue is whether or not to target key, or essential, industries during the COVID-19 pandemic. One trend is seeing affiliated partners calling for a ceasefire on attacks targeting critical organizations, voicing frustration and citing moral conflict. On the opposite side, forming the second trend, actor groups are continuing their ransomware and extortion operations unabated, targeting hospitals, clinics and critical healthcare organizations. Despite many public announcements pledging to not target hospitals and similar organizations, evidence is refuting their claims. As outlined by ADVIntel, this divide can be described as an almost ethical disagreement over whether or not to publicly commit to whitelisting healthcare institutions which may be overwhelmed by the pandemic.
The third trend is a rise in dark net discounts and promotions offered on spamming campaign services, often including phishing templates, banking trojans and info-stealing malware. Although Microsoft and others report no tangible surge in the number of attacks, they do note a substantial repurposing of infrastructure (phishing templates and botnet usage) to align with COVID-19-related campaigns. The campaigns being launched seek to exploit the public’s heightened sense of fear and their desire for information about the pandemic. In effect, this trend aims to deliver information-stealing malware in order to compromise as many organizations as possible while user vigilance remains low, with the intention of cashing in on those compromises later.
Kivu consistently observes the deployment of information-stealing malware as a means to pave the road for ransomware variants, such as Ryuk or Maze, aiming to carry out attacks at a later date.
This would imply that the current lull in ransomware incidents is unlikely to continue. Rather, the current reconnaissance work on organizations of interest being carried out via banking trojans and information-stealing malware will eventually translate into a surge in ransomware attacks. Meanwhile, despite the current divide between affiliated partners and organized groups’ operators, these threat actors will likely reunite and resume their operations as usual after the pandemic. More significantly, once the initial turmoil of the pandemic has subsided, ransomware groups will be ready to purchase access to an abundance of compromised organizations – and this time, they will feel no moral obligation to avoid disrupting critical infrastructure.
Just as we take physical measures to limit the spread of COVID-19, we ought to exercise similar cyber-hygiene when interacting with coworkers, friends and family on the internet:
- Practice social distancing: Segregate your work and personal devices.
- Limit the spread of viruses: Train employees to be vigilant and inspect external emails, flagging them if suspicious.
- Routinely wash (hands) for twenty seconds: Take extra time out of your daily routine to enable and utilize multifactor authentication across your accounts, both personal and business.
- Regularly clean common surfaces: Regularly update systems and security tools, such as anti-virus and remote-access (VPN) software, and monitor user access and activity.
Help flatten the incoming curve of ransomware and other cyber-attacks by practicing good cyber-hygiene daily. By remaining vigilant, you too could prevent breaches of personal, professional and business privacy.