In chaos of pandemic, more ransomware attacks targeting hospitals, some dark markets struggle to meet user illicit order demands: special ACFCS webinar report

The Skinny:

  • In the chaos of the coronavirus pandemic, more ransomware attacks are targeting hospitals, even as some hacking groups debate the ethics of going after vulnerable targets trying to save lives, according to details revealed in a joint ACFCS/Chainalysis webinar Friday.
  • Conversely, even as COVID-19 has opened new avenues for scam, spam and ransomware fusillades, some darknet markets are struggling to meet the illicit order demands of users because getting certain drugs and precursor chemicals is taking much longer, if they arrive at all.
  • So how are darknet market denizens responding? By taking a page out of the playbook of other online and brick-and-mortar retailers: special COVID-19 discounts and sales and even – and I am not kidding here – free surgical masks with every order.
  • As for ransomware attacks, a more recent wrinkle: Many groups are now pairing that barrage and lockdown with an attempt to steal as much information as possible. They are also attempting to scare a person or top executive with sextortion, telling them they have hacked inappropriate photos from the person’s phone or cloud account.
  • But the addresses these ransomware groups tell victims to pay can also be their downfall. That’s because blockchain analytics firms can then review whether these addresses are tied to higher-risk exchanges with few anti-money laundering know-your-customer (KYC) checks, or whether they have been tied to other scams and Ponzi schemes – capturing the attention of law enforcement.

By Brian Monroe
bmonroe@acfcs.org
April 24, 2020

In an ignoble irony that would even make some criminals cringe, ransomware attackers have in recent weeks been more aggressively attacking hospitals and other healthcare operations in regions hit hard by the coronavirus pandemic.

Why? Other than having no form of morals, ethics or “honor among thieves,” there are specific reasons ransom ransackers are targeting the healthcare sector: Many hospitals are already at or beyond capacity, so they are more likely to make a mistake or cyber misstep, clicking on a diseased link while the operation is in crisis mode.

The other calculation cyber-enabled spammers are making: these operations are more likely to pay – and quickly – because lives are at stake.

Even worse: because of the higher stakes involved with hospitals, a ransomware group can ask for a much higher payment than the typical few hundred dollars in nigh untraceable virtual currency, in some cases demanding millions.

Those are just some of the updated financial crime and compliance trends nearly 1,000 attendees learned about during a Friday webinar, “COVID-19: A Perfect Storm for Crypto Scams?” by ACFCS and Chainalysis, a blockchain countercrime analytics firm.

In any crisis “bad actors will be looking to profit off of it,” said Kim Grauer, head of research at Chainalysis, where she examines trends in cryptocurrency economics and crime. “We’re already getting reports of cybercriminals using Covid-19 to scam the vulnerable, extort healthcare providers, and spread misinformation.”

The webinar analyzed the role cryptocurrency plays in Covid-19-related crimes, including:

  • Scams taking advantage of the crisis
  • Ransomware attacks against healthcare providers
  • How darknet markets react to a pandemic

In what seems like an endless month, the COVID-19 pandemic has done more than take lives, drain life savings and plunge much of the world into an economic downturn: it has provided new avenues for some criminal groups and cyber hackers.

Attempting to prey on people’s fear on one end of the spectrum and their desire to help on the other, illicit groups have unleashed new phishing and other spam and scam fusillades – this time based on some angle of the coronavirus, cures or equipment, or conversely, the desperately needed funds from country stimulus packages.

Customer service complaints…for darknet markets?

While the pandemic has opened the door to some darknet denizens, some darknet markets – operations only accessible through the Tor browser – have struggled to keep up with supply and demand for certain illegal items, including drugs and precursor chemicals.

On dark web forums, some customers have complained, “hey, I ordered something three weeks ago, what gives?” Grauer said. “Because of the coronavirus, a lot of the packages are not able to go out as quickly. There are not as many supplies on the darknet marketplaces.”

Overall, even as major virtual currencies saw their value drop in the past month, the revenue for scammers getting paid in Bitcoin, Ethereum and other crypto coins declined even further, more than 30 percent.

One reason profits are falling for certain scammers used to being paid in Bitcoin is that some virtual value “investment” opportunities – in actuality simply Ponzi schemes with a new crypto sheen – are imploding.

One of the biggest scams in 2020 that is flailing due to COVID-19 is the Million.Money scheme.

The operation offers buy-ins as low as 0.03 Ethereum, or about $5, with 10 levels of buying “tiers,” touting that those involved have the potential to make $300,000 in passive income every three months by hitting the “repeat” button.

But like many classic Ponzi schemes, faux investment scams built on paying out small amounts to existing investors from new buy-ins, it falls apart when the incoming funds no longer cover the outgoing payments.

To counter the drop in funding, some darknet markets are taking a page out of the playbook of other online and brick-and-mortar retailers by offering sales, giveaways and even COVID-19 related freebies and swag.

Grauer highlighted some dark markets making statements like “Covid sale,” and “Coronavirus special.” Don’t forget about a commitment to customer service. “Free surgical mask with every order!” and “We take care about our customers,” – and, yes, that is the actual wording.

Ransomware groups split on ethics of healthcare attacks

When it comes to ransomware groups, many have no problem selling ransomware attacks as a service – either selling certain virulent strains to the highest bidder or engaging in a full-scope attack at the behest of another illicit purchaser.

But is it right?

That question has caused a schism in the virtual viral attack community.

Some groups behind ransomware attacks have stated they will not target hospitals, while others have brazenly flouted such ideologies.

These operations have engaged in “general” ransomware attacks and “targeted” attacks against the healthcare sector.

In a general ransomware attack, the groups will “grab a list of emails and try to get people to install the malware,” and then ask the individuals for a small amount of Bitcoin – maybe $50.

In a targeted ransomware attack, a group will engage in a “well thought out attack of all the individuals” at a given institution and, if successful in locking down its systems, will then “ask for a really high ransom,” Grauer said.

But in a new twist on the ransomware attack trend, many groups are now pairing that barrage and lockdown with an attempt to steal as much information as possible.

That way, as added leverage, attackers can say that not only have they locked down a company’s databases of customers, but they will publish lists of sensitive personally identifiable information if the company doesn’t pay millions of dollars, Grauer said.

With scammers getting creative with COVID-19 tricks, better think before you link

Ransomware groups are also trying to weave in emails that are relevant to the pandemic, such as messages aimed at those working from home.

Through a mix of phishing and social engineering, these groups are finding out a person’s email and then sending them a message attempting to make it look like it’s from their company, asking them to reset a password.

In another scam, these groups send emails telling someone they “have a UPS delivery, but because of the coronavirus, we can’t bring you the package,” Grauer said, adding that the email will tell the person to give their personal information so they can “tell you where the package is.”

Some ransomware emails are also masquerading as a fake charity, and if a company doesn’t feel like giving, these groups can also turn to fear.

In some cases, these groups will try different versions of extortion, warning a company that if they don’t pay a certain amount, they will infect the company with a virus that will lock its systems.

A more recent wrinkle: these groups will attempt to scare a person or top executive with sextortion, telling the person they have hacked inappropriate photos from the person’s phone or cloud account.

But the addresses these ransomware groups tell victims to pay can also be their downfall.

That’s because blockchain analytics firms can then review whether these addresses are tied to higher-risk exchanges with few anti-money laundering know-your-customer (KYC) checks, or whether they have been tied to other scams and Ponzi schemes.

One key red flag: the address routinely accepts round amounts – indicative of a Ponzi scheme or ransomware payment – that are below KYC thresholds. “That is suspicious,” Grauer said.
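The red flag Grauer describes, an address that keeps receiving round amounts just under a reporting threshold, can be turned into a simple screening rule. The script below is an added illustration, not Chainalysis code and not a tool the webinar described: it scores each receiving address by the share of inbound payments that are both round and below a threshold, and flags it only once enough payments have been seen. The transaction records, the addresses, the USD threshold, the “round” step and the flagging cut-off are all constructed assumptions; real KYC thresholds differ by exchange and jurisdiction, and a production check would combine this with the exchange-risk and scam-cluster attribution the article mentions, which needs external data.

```python
"""Heuristic screening of inbound payments to an address, flagging the pattern
of round amounts that sit below a KYC/reporting threshold.

Added example, not Chainalysis tooling. Every threshold, address and
transaction below is a constructed assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed placeholder threshold; real sub-KYC limits vary by venue/jurisdiction.
KYC_THRESHOLD_USD = 1000.0
ROUND_STEP_USD = 50.0      # an amount counts as "round" if it is a multiple of this
MIN_INBOUND = 5            # do not score an address on fewer inbound payments
ROUND_SHARE_FLAG = 0.8     # flag when >= 80% of inbound payments match the pattern


@dataclass(frozen=True)
class Transfer:
    txid: str
    to_address: str
    amount_usd: float   # USD value of the transfer at the time it was made


def is_round_sub_threshold(amount_usd, step=ROUND_STEP_USD, threshold=KYC_THRESHOLD_USD):
    """True when the amount is a whole multiple of `step` and strictly below `threshold`."""
    if amount_usd <= 0 or amount_usd >= threshold:
        return False
    # Tolerate tiny floating-point noise from fiat conversion.
    return abs(amount_usd / step - round(amount_usd / step)) < 1e-6


def score_addresses(transfers):
    """Return {address: (inbound_count, round_sub_threshold_share, flagged)}."""
    inbound = defaultdict(list)
    for t in transfers:
        inbound[t.to_address].append(t.amount_usd)
    result = {}
    for addr, amounts in inbound.items():
        n = len(amounts)
        share = sum(is_round_sub_threshold(a) for a in amounts) / n
        flagged = n >= MIN_INBOUND and share >= ROUND_SHARE_FLAG
        result[addr] = (n, round(share, 3), flagged)
    return result


# Constructed sample data: txids and address strings are made-up placeholders.
SAMPLE_TRANSFERS = [
    # Collection-style address: repeated $500 / $950 payments, all under the threshold.
    Transfer("tx01", "bc1q-example-collect", 500.0),
    Transfer("tx02", "bc1q-example-collect", 500.0),
    Transfer("tx03", "bc1q-example-collect", 950.0),
    Transfer("tx04", "bc1q-example-collect", 500.0),
    Transfer("tx05", "bc1q-example-collect", 950.0),
    Transfer("tx06", "bc1q-example-collect", 500.0),
    # Ordinary merchant address: irregular, price-like amounts.
    Transfer("tx07", "bc1q-example-shop", 37.42),
    Transfer("tx08", "bc1q-example-shop", 1299.99),
    Transfer("tx09", "bc1q-example-shop", 8.15),
    Transfer("tx10", "bc1q-example-shop", 250.0),
    Transfer("tx11", "bc1q-example-shop", 412.60),
    # Too few payments to score, even though both are round.
    Transfer("tx12", "bc1q-example-new", 100.0),
    Transfer("tx13", "bc1q-example-new", 100.0),
]


if __name__ == "__main__":
    for addr, (n, share, flagged) in score_addresses(SAMPLE_TRANSFERS).items():
        print(f"{addr}: inbound={n} round_sub_kyc_share={share} flagged={flagged}")
```

The minimum-count guard matters: two round payments to a fresh address prove nothing, and an analyst would want the pattern to repeat before spending time on it. The share-based score also survives a few legitimate-looking odd amounts mixed in, which is the kind of noise a real payment address produces.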