Coronavirus: Ransomware Groups To Stop Attacking Health Institutions

Some Ransomware operators have stated that they will no longer target health and medical organizations during the Coronavirus (COVID-19) pandemic.

Last night, BleepingComputer reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

DoppelPaymer Ransomware

DoppelPaymer was the first to respond and stated that they do not normally target hospitals or nursing homes and will continue this approach during the pandemic.

“We always try to avoid hospitals, nursing homes, if it’s some local gov – we always do not touch 911 (only occasionally is possible or due to missconfig in their network) . Not only now.

If we  do it by mistake – we’ll decrypt for free. But some companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter ) So if this happens we’ll do double, triple check before releasing decrypt for free to such a things. But about pharma – they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns.”

When asked what happens if a medical organization gets encrypted, we were told that a victim should contact them on their email or Tor webpage to provide proof and get a decryptor.

Maze Ransomware

Today, the Maze operators responded to my questions by posting a “Press Release” that also states that they will stop all “activity” against all kinds of medical organizations until the end of the pandemic.

Security companies offer free help

For now, if any organizations get encrypted, both Emsisoft and Coveware announced today that they would be offering their ransomware services for free to healthcare organizations during the pandemic.

This includes the following:

• Technical analysis of the ransomware.
• Development of a decryption tool whenever possible.
• As a last resort ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.

While this help is greatly appreciated, I hope other ransomware operators will stop targeting healthcare organizations after reading this article so that it is not needed.

As this is a global epidemic, anyone could become sick with this virus, including the ransomware operator’s loved ones.

Right now healthcare workers need to focus on helping people, not decrypting their files.

Source: BLEEPINGCOMPUTER

This article first appeared in BleepingComputer and here’s a link to the original article.