Global epidemics spread cybercrime as well. Cybercriminals will likely use the global anxiety over the coronavirus to execute ransomware attacks via social engineering.
Cybercriminals have been hugely successful using disasters and global anxiety over virus outbreaks to execute malware attacks via social engineering. Eventually, these types of infections almost always give way to ransomware.
Ebola, Zika, SARS—over the years, actors leveraging pandemics have developed a distinct pattern, with the only significant difference being improvements to attack tools. They execute layered attack campaigns, first using phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other forms of malware. With the novel coronavirus now a top concern worldwide, that pattern is continuing.
The latest intelligence brief by the RiskIQ i3 threat intelligence group* assesses that these attacks will focus primarily on large corporations, which rely on markets and supply chains originating in China and other coronavirus-affected regions. Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links.
The briefing assesses that there are two possible methods of attack, both the result of phishing campaigns. The first involves the AZORult malware, which researchers observed as the basis for a phishing campaign targeting members of the shipping industry in January of this year. On at least three different occasions since 2018, however, attackers have used AZORult to deploy ransomware.
The second phishing campaign relies on the Emotet Trojan. Victims in Japan have received emails claiming to contain important information about the coronavirus, but clicking on the link activates Emotet. In September 2019, criminals partnered Emotet with TrickBot and Ryuk ransomware to take over an organization's network, a scenario that could play out similarly over the coming weeks and months.
Secondary targets could include health organizations involved in tracking the spread, finding a cure, or providing associated public service functions. Targets of opportunity could consist of any institution or individual seeking general information about the spread and impact of the virus.
Company executives, mid-level managers, administrators of local governments, and healthcare professionals all have a vested interest in following the latest developments around the spread of coronavirus. It only takes one tired or overworked individual to click on what they believe is a legitimate alert or update, so all personnel should be mindful of the danger.
Mitigating Your Risk
The following are guidelines and steps organizations should take to protect their attack surface:
- For information about the coronavirus, visit the WHO's website.
- Only use trusted news sources for additional information.
- Do not click on links or open attachments in unsolicited email messages.
- Run up-to-date security software on your computer.
- Educate users to be on guard for threats, like Emotet, that arrive as emails appearing to be unexpected replies to older email threads, emails that seem out of context, or messages that carry familiar names but are sent from unfamiliar email addresses.
- Ensure systems are patched on time.
- Update deployed endpoint detection and response and anti-virus solutions.
- Segregate networks to limit the reach of self-propagating malware.
- Review privileged access and users to enforce principles of least privilege.
- Keep up to date on blacklists of malicious IPs and compromised websites.
- Use an email security tool that features attachment inspection and disable the ability to run macros from attachments.
- Regularly back up your data on your system and store it offline or on a different network.
- Encrypt your sensitive data.
- Have an incident response plan ready.
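
The two lure traits named in the user-education item above (a familiar name on an unfamiliar address, and an unexpected reply to a thread) can also be checked mechanically at the mail gateway. The following is an added example, not part of the RiskIQ brief; the contact directory, the set of known Message-IDs, the function name and the sample messages are all constructed assumptions, and the reply check is a heuristic proxy for "unexpected reply".

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs (constructed): display names mapped to addresses already seen
# for that person, and Message-IDs of mail this mailbox really exchanged.
KNOWN_CONTACTS = {"alice tanaka": {"alice.tanaka@example.com"}}
KNOWN_MESSAGE_IDS = {"<20200110.1234@example.com>"}

REPLY_PREFIXES = ("re:", "fw:", "fwd:")


def flag_message(raw, contacts=KNOWN_CONTACTS, seen_ids=KNOWN_MESSAGE_IDS):
    """Return the list of lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Trait 1: familiar display name, address never seen for that name.
    name, addr = parseaddr(msg.get("From", ""))
    known = contacts.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        findings.append("familiar-name-unfamiliar-address")

    # Trait 2: looks like a reply, but references no thread we know about.
    subject = msg.get("Subject", "").strip().lower()
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    if subject.startswith(REPLY_PREFIXES) and not any(r in seen_ids for r in refs):
        findings.append("reply-to-unknown-thread")

    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = (
    "From: Alice Tanaka <a.tanaka@example.net>\n"
    "To: bob@example.com\n"
    "Subject: RE: Shipping schedule update\n"
    "In-Reply-To: <unknown-999@example.net>\n\n"
    "Please see the attached notice.\n"
)
LEGITIMATE = (
    "From: Alice Tanaka <alice.tanaka@example.com>\n"
    "To: bob@example.com\n"
    "Subject: Re: Shipping schedule update\n"
    "In-Reply-To: <20200110.1234@example.com>\n\n"
    "Confirmed, thanks.\n"
)

if __name__ == "__main__":
    print(flag_message(SUSPICIOUS))
    print(flag_message(LEGITIMATE))
```

A hit on either trait is a reason to quarantine or banner the message for review, not proof of compromise; new legitimate addresses for known contacts will also trigger the first check.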
Download the brief for extensive analysis of past ransomware attacks during global epidemics, current phishing campaigns leveraging the coronavirus, and what is likely to develop as the situation evolves.
*RiskIQ's Incident Investigation and Intelligence (i3) team is comprised of trained intelligence analysts, targeters, and operators.