When you mention the word WannaCry, health IT security folks break into a cold sweat. They remember the havoc that the WannaCry ransomware attack wreaked on the healthcare industry last year.
Cybercriminals claiming to be from the WannaCry-Hack-team and threatening victims with WannaCrypt ransomware are using that fear to scam companies into paying a ransom before anything happens, warned Paul Ducklin, a security writer with Sophos’ NakedSecurity blog.
The cybercriminals are sending emails to organizations threatening to encrypt and erase all their files unless they pay 0.1 Bitcoin ($650). But Ducklin has seen no evidence that they have any malware capable of doing that.
In their email, the attackers brag that they have “cracked” all of the victim’s devices and have “improved operation of our program” so that there will be no hope of regaining the data once the attack is launched.
“Our program also covers the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices,” the attackers threaten.
To forestall this horrible outcome, victims are directed to pay 0.1 Bitcoin by a certain date and time.
However, the attackers don’t really have a devastating data-wiping program, or anything else for that matter, Ducklin noted.
“Just to be clear here: disk wiping malware — think of it as ransomware with no decryption key, so you can’t buy your files back from the crooks even if you want to — most certainly exists…. In this particular case, however, the whole thing is a fraud, right down to the existence of the malware in the first place,” he wrote.
Ducklin advised those who receive this email not to pay anything, not to contact the scammers, and to make sure all their systems are patched and protected.
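The extortion template described above is a pattern a mail filter can score rather than a payload that needs to be detonated. The following Python is an added example, not code from Sophos, HHS or the article: it weights a handful of indicators (a ransom amount denominated in bitcoin, a wallet-address shape, the "cracked"/"deployed our program" claims quoted in the piece, encrypt-or-erase threats, a payment deadline, the WannaCry name-drop) and flags a message once the total crosses a threshold. The two sample messages are constructed for the demonstration; the threshold and weights are assumptions to be tuned against a real mail stream.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for the demonstration (not mail from the campaign in the article).
SCAM_EMAIL = """Subject: WannaCry-Hack-team
We have cracked all of your devices and improved operation of our program.
Our program also covers the local network, erasing data on all computers
connected to the network. Pay 0.1 Bitcoin before 15 June 2018 18:00 UTC or
all your files will be encrypted and erased."""

BENIGN_EMAIL = """Subject: Quarterly patching window
Reminder: the June patch cycle runs Saturday 02:00-06:00. Servers will
reboot once; no action is needed from end users."""

# (indicator name, pattern, weight). The phrases come from the extortion template
# quoted in the article; the amount/address regexes are generic. Weights are assumed.
INDICATORS = [
    ("ransom amount in bitcoin",
     re.compile(r"\b\d+(\.\d+)?\s*(bitcoin|btc)\b", re.I), 3),
    ("bitcoin address",
     re.compile(r"\b(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"), 3),
    ("claims devices already compromised",
     re.compile(r"\b(cracked|deployed our program|already deployed)\b", re.I), 2),
    ("threatens encrypt/erase",
     re.compile(r"\b(encrypt(ed|ing)?|eras(e|ed|ing)|wip(e|ed|ing))\b.*\b(files|data|computers)\b",
                re.I | re.S), 2),
    ("payment deadline",
     re.compile(r"\b(before|by|until|within)\b[^.\n]{0,40}\b(\d{1,2}:\d{2}|\d{1,2}\s+(hours|days)|\d{4})\b",
                re.I), 1),
    ("ransomware brand name-drop",
     re.compile(r"wanna(cry|crypt)", re.I), 1),
]


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)   # names of indicators that matched


def score_extortion_email(body: str) -> Verdict:
    """Sum the weights of every indicator present in the message body."""
    verdict = Verdict(score=0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(body):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


def is_extortion_scam(body: str, threshold: int = 5) -> bool:
    """Assumed threshold: a single weak indicator never trips it, a ransom demand plus a threat does."""
    return score_extortion_email(body).score >= threshold


if __name__ == "__main__":
    for label, body in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        v = score_extortion_email(body)
        print(f"{label}: score={v.score} flagged={is_extortion_scam(body)} hits={v.hits}")
```

Scoring several weak signals together, rather than keying on the WannaCry name alone, is what keeps a message like the benign patch reminder from being quarantined while still catching a rewording of the template that drops the brand name.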
While this ransomware attack is a scam, the WannaCry attacks of last year were anything but. What was so devastating about WannaCry was that it combined data encryption with a self-spreading virus code.
“As a result, WannaCry could worm its way through your network automatically, potentially leaving you with hundreds or even thousands of scrambled computers in a single attack, even if only one user opened a booby-trapped attachment or downloaded a file from a poisoned website,” Ducklin wrote.
The healthcare industry bore the brunt of the attacks, particularly in the UK where WannaCry disrupted the National Health Service. In response, in May last year HHS issued a warning to US healthcare organizations to be careful about opening emails and attachments.
HHS recommended the following steps to protect against ransomware attacks through email:
• Only open emails from people you know and that you are expecting. The attacker can impersonate the sender, or the computer belonging to someone you know may be infected without his or her knowledge
• Don’t click on links in emails if you weren’t expecting them – the attacker could camouflage a malicious link to make it look like it is for your bank, for example
• Keep your computer and antivirus up to date – this adds another layer of defense that could stop the malware
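The second HHS point, a link camouflaged to look like it points at your bank, is mechanically checkable: the visible anchor text names one domain while the href resolves to another. The following Python is an added example, not code from HHS, Sophos or the article; it parses an HTML mail body with the standard library, collects every anchor, and reports links whose displayed hostname and actual hostname belong to different registrable domains. The sample HTML and the `.test` hostnames in it are constructed placeholders, and the two-label domain heuristic is an assumption (a production filter would consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body (placeholder hostnames, not from the article or any campaign).
SAMPLE_HTML = """<p>Your account needs verification.</p>
<a href="http://login.example-bank.com.attacker-placeholder.test/verify">
  https://www.example-bank.com/secure
</a>
<a href="https://www.example-bank.com/contact">Contact us</a>
<a href="http://tracking.mailer-placeholder.test/c?id=1">mailer-placeholder.test</a>"""


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (assumed); real code would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_camouflaged_links(html: str) -> list:
    """Return links whose displayed URL/hostname disagrees with where the href actually goes."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    suspicious = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname
        if not actual_host:
            continue
        # Only anchor text that itself looks like a URL or hostname makes a claim worth checking;
        # plain words such as "Contact us" do not.
        shown = text if "://" in text else "//" + text
        shown_host = urlparse(shown).hostname
        if not shown_host or "." not in shown_host:
            continue
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            suspicious.append({"href": href, "text": text,
                               "shown_host": shown_host, "actual_host": actual_host})
    return suspicious


if __name__ == "__main__":
    for link in find_camouflaged_links(SAMPLE_HTML):
        print(f"camouflaged: shows {link['shown_host']} but goes to {link['actual_host']}")
```

Only the first anchor is reported: its text advertises `www.example-bank.com` while the href lands on the placeholder attacker domain, even though that domain has been prefixed with the bank's name to fool a casual glance. The genuine bank link and the tracking link, whose visible text matches its destination, pass.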
In March of this year, HHS warned about the SamSam ransomware threat that was targeting healthcare organizations.
As of March 30, SamSam ransomware attacks had occurred at Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based electronic health record (EHR) provider Allscripts, the municipality of Farmington in New Mexico, an undisclosed US industrial control system company, Davidson County offices in North Carolina, Colorado’s Department of Transportation, and Atlanta’s systems and services.
Ducklin explained that the SamSam attackers focused on one organization at a time and identified computers they could encrypt all at the same time. Once that was accomplished, they demanded a substantial fee to decrypt each computer or a “deal” where they would decrypt all the computers for a hefty fee of $50,000.
HHS encouraged healthcare organizations to use data backups and develop contingency and business continuity plans to restore data and operations in the event of a ransomware attack.