Revenue generated by ransomware attacks fell dramatically in March as COVID-19 lockdown measures spread around the world. The drop is somewhat curious considering attackers have never wielded such leverage; medical care facilities are stretched close to their limits in many countries.
Typically, ransomware attackers have found a worthy target in the computer systems of medical facilities. With patients relying on the correct functioning of hospital systems, the theory is that such companies will be more willing to pay for their data to be returned to them.
Security Experts Warn of Ransomware Spike but Revenue Falls
With hospitals around the world never in higher demand, the value of fully functioning computer systems in medical facilities has also never been greater. As per this reasoning, you might expect to see greater numbers of organizations falling victim to attackers taking advantage of this extended leverage.
However, data from Chainalysis suggests that the opposite is true. March saw the dollar value of digital ransom payments sent to cryptocurrency addresses fall to below $500,000. This is the lowest level it has been at since November 2019 and the second-lowest since February of the same year.
The firm also notes that the number of active ransomware addresses fell dramatically in March. However, the previous month saw the number of addresses associated with the crime at highs not observed since 2017.
— unfolded. (@cryptounfolded) April 16, 2020
The blockchain forensics firm also notes that the figures they report tend to be an underestimation since some organizations will just pay the demands to save face. At a time of great demand on medical services, it’s plausible that greater numbers of victims would have neglected to report instances due to more pressing concerns.
Are Attackers Laying Off Ransomware Efforts for Now?
Although attackers purposefully avoiding hospitals during the time of crisis arguably makes for a better story, that doesn’t seem to be the case. In correspondence with various groups of hackers, reporters from BleepingComputer discovered that many of the groups behind dominant strains of ransomware claim never to have intended attack hospitals anyway.
In a particularly revealing email, an alleged operator of the Netwalker malware stated:
“Hospitals and medical facilities? Do you think someone has a goal to attack hospitals? We don’t have that goal — it never was. It was a coincidence. No one will purposefully hack into the hospital.”
Contrary to the above, Chainalysis’ research found that a Netwalker attack was attempted against two different medical facilities during the crisis. Similarly, those behind the strain stated that they would not waive fees for medical companies that were encrypted by ‘accident.’
Also contrary to the “ethical attacker” thesis is the fact that operators of Maze Ransomware broke their word not to target medical facilities. The group stated as such via a press release, only to release data from Hammersmith Medicines Research shortly after.
Another group, DoppelPaymer, had stated that it had always provided decryption services for free to the healthcare industry, and COVID-19 hadn’t changed anything, according to BleepingComputer.
Of those strains of ransomware active right now, only DoppelPaymer seems to have made good on its promise to not target medical facilities. However, those behind it have been active against other organizations.
While the figures suggest that the number of victims and the success rate of ransomware are dropping, it remains a significant threat. BeInCrypto recently reported on numerous high-profile ransomware attacks. These included the French government and an Illinois Public Healthy Agency website. Similarly, Chainalysis notes a rise in scammers using COVID-19 as inspiration for phishing emails and other victim-facing content.