Ransomware Campaigns During COVID-19

Ransomeware Campaigns during COVID-19

As the world collectively grapples with the health, societal, and economic impacts of COVID-19, businesses everywhere are facing a hidden parallel threat. Hackers and malicious actors are using the confusion and anxiety to pry open new and existing vulnerabilities, and cybersecurity firms around the world are seeing a drastic increase in attacks.


This is possibly the most dangerous threat facing healthcare organizations, governmental entities, and businesses at this time. Cybercriminals will likely intensify their ransomware distribution campaigns, and take advantage of the fact that hospitals and government agencies, who are at the frontline of the COVID-19 response with thinly stretched resources, can’t afford to be locked out of critical systems or files and are more likely to pay the demanded ransom to get back online. RH-ISAC members and others have reported a number of ransomware campaigns they have observed:

  • COVID-19 Themed Ransomware Phish:
    • NEMTY Ransomware: A nasty encryptor with history of publishing stolen files if victims refuse to pay the ransom.
    • Netwalker Ransomware (aka Mailto): Has a history of attacking healthcare organizations such as Champaign Urbana Public Health District (CHUPD) in Illinois in early March 2020 using an attachment “CORONAVIRUS_COVID-19.vbs.” For more information, see Bleepingcomputer, “Netwalker Ransomware Infecting Users via Coronavirus Phishing.”
    • CoronaVirus Ransomware: Yes, coronavirus has its very own ransomware named after it. It is being spread through a phishing website spoofing the free system utilities provider WiseCleaner. The ransomware is distributed alongside an infostealer named KPot, also known as Khalesi. For more information, see Security Boulevard, “CoronaVirus Ransomware.”
    • COVIDLOCK Ransomware: The attackers behind the COVIDLOCK campaign created a phishing site on the domain coronavirusapp[.]site that displays a map providing real-time information on the spread of the virus. According to Accenture, “The site encourages victims to download and run an Android application called “Covid19 Tracker” to stay up to date on the location of infected patients and the spread of the virus in the area, using smartphones to view the data. In reality, the application hides the CovidLock ransomware, which uses a malicious technique known as screen-lock, that denies the user access to the smartphone by forcefully changing the password needed to unlock the phone. Immediately after the lock, the app displays a ransom note on the screen.”
  • Other Extortion Emails:
    • Researchers have uncovered an extortion emails that threatens to expose recipients and their families with COVID-19 if they don’t pay $4,000 worth of bitcoins within 24 hours.

RH-ISAC Recommends

As with malspam and phishing attacks, the best way to protect against ransomware is to avoid being infected in the first place. Stress to your employees not to click on unexpected emails, particularly those about COVID-19. You should also back up critical systems and information regularly so if you are infected, you can restore without loss of functionality.

As with all threat activity and risk management, walking together as one is better than walking alone.

Engage! Leverage your RH-ISAC membership to engage with your peers in the listservs, on Slack, in the Weekly Intelligence Calls, and in any working groups you may be a part of where we maintain a proud tradition of trusted and active peer-to-peer information sharing.

Reach out! Not an RH-ISAC member? Reach out to us or visit www.www.rhisac.org for information on how to join, or reach out to similar security organizations of relevance to you to ask for information, solicit peer collaboration and to engaged in the strength of collective activity…don’t walk alone!

More Recent Blog Posts