Peace

Some Ransomware operators have stated that they will no longer target health and medical organizations during the Coronavirus (COVID-19) pandemic.

Last night, BleepingComputer reached out to various ransomware operators such as the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Below is what some of them said. Whether they plan on keeping their promise will have to be seen.

CLOP Ransomware

In emails with BleepingComputer, the operators behind the CLOP Ransomware have stated that they have never attacked certain types of facilities, including hospitals and charities, and will continue to not do so.

"we never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won’t. commercial pharmaceutical organizations are not suitable for this list; they are the only ones who benefit from the current pandemic."

They have also stated that if one of these organizations is encrypted by accident, they will provide a free decryptor.

When asked if they would offer a free decryptor to pharmaceutical companies if they are working on a Coronavirus vaccine or drug, we were told they would after being shown proof of this.

"the international health organization conducts vaccine tests, we follow  the news, if there is actual evidence of the laboratory working on the  vaccine, of course we will give the key for free, we are not enemies of  humanity, but commercial laboratories that are trying to trick us will never get the key. our goal is money, not harm."

CLOP had added some pharmaceutical companies to their data leak site, but have since removed them. It is not known if it was due to a gesture of good will during these times or if the victims paid.

DoppelPaymer Ransomware

DoppelPaymer was the first to respond and stated that they do not normally target hospitals or nursing homes and will continue this approach during the pandemic.

"We always try to avoid hospitals, nursing homes, if it's some local gov - we always do not touch 911 (only occasionally is possible or due to missconfig in their network) . Not only now.

If we  do it by mistake - we'll decrypt for free. But some companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter ) So if this happens we'll do double, triple check before releasing decrypt for free to such a things. But about pharma - they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns."

When asked what happens if a medical organization gets encrypted, we were told that a victim should contact them on their email or Tor webpage to provide proof and get a decryptor.

Maze Ransomware

Today, the Maze operators responded to my questions by posting a "Press Release" that also states that they will stop all "activity" against all kinds of medical organizations until the end of the pandemic.

"We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus."

We have not received a reply as to whether a free decryptor would be provided if a healthcare organization mistakenly gets encrypted.

On March 18th, after Maze stated they would stop all activity versus all medical organization, they leaked the data for a company named Hammersmith Medicines Research (HMR) that ComputerWeekly.com claims is on standby for testing Coronavirus vaccines in live trials.

Maze continues to say that they will not encrypt any medical organizations after March 18th.

We will have to see if they keep this promise, which to most has already been broken.

Nefilim Ransomware

Nefilim Ransomware told BleepingComputer that they do not target non-profits, hospitals, schools, or government agencies. If one is done by accident, they state they will provide a free decryptor.

"We work very diligently in choosing our targets. We never target non-profits, hospitals, schools, government organizations.
If we ever encrypted one of those organizations by accident we would provide decryption for free and would delete all data downloaded.
But as you probably understand the process of choosing and downloading data makes it unlikely that we would encrypt something by accident.
The pandemic has not changed our stance on our targets since we believe that hospitals are off limits in any situation."

Netwalker Ransomware

Since the article was posted, we have also asked the Netwalker Ransomware operators if they would attack hospitals and they made the claim that no ransomware operators target hospitals.

"Hospitals and medical facilities? do you think someone has a goal to attack hospitals? we don't have that goal -it never was. it coincidence. no one will purposefully hack into the hospital."

When I disagreed and asked if they would decrypt hospitals that they encrypted by accident, they responded that they would not.

"If someone is encrypted, then he must pay for the decryption."

Security companies offer free help

For now, if any organizations get encrypted, both Emsisoft and Coveware announced today that they would be offering their ransomware services for free to healthcare organizations during the pandemic.

This includes the following:

  • Technical analysis of the ransomware.
  • Development of a decryption tool whenever possible.
  • As a last resort ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.

While this help is greatly appreciated, I hope other ransomware operators will stop targeting healthcare organizations after reading this article so that it is not needed.

As this is a global epidemic, anyone could become sick with this virus, including the ransomware operator's loved ones.

Right now healthcare workers need to focus on helping people, not decrypting their files.

Update 3/22/20: Added updated info about Maze and added Netwalker
Update 3/27/20: Added responses from CLOP and Nefilim

Related Articles:

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

US offers up to $15 million for tips on ALPHV ransomware gang

KuCoin charged with AML violations that let cybercriminals launder billions

Ransomware as a Service and the Strange Economics of the Dark Web

What the Latest Ransomware Attacks Teach About Defending Networks