Hospitals around the world struggle with ever-growing waves of COVID-19 infections, but the efforts in one testing center in Europe are being hampered by cyber-criminal activity.
Computer systems at the University Hospital Brno in the Czech Republic were shut down on Friday due to a cyber-attack that struck in the wee hours of the day.
This comes at a time when there are more than 140 confirmed infections in the country and around 4,800 people in quarantine. The government has declared a state of emergency and imposed stern restrictions on crossing the border.
The University Hospital Brno hosts one of the 18 laboratories the Czech Republic uses for testing for the new coronavirus. Since the outbreak, the institution has performed up to 20 tests a day.
Not all systems are down
Little information has been released about the attack, which occurred on Friday morning, around 2 a.m. local time. Its nature remains unknown but it would not be a surprise if it were a ransomware incident. At the time of writing, the hospital’s website was down.
Due to the attack, the results of COVID-19 tests from the past couple of days, estimated at dozens, have been delayed. It typically takes a day to get the results.
According to the Czech News Agency (ČTK), the director of the hospital, Jaroslav Štěrba, told reporters that computer systems started “falling gradually” and “had to be shut down.” Members of the staff received instructions not to turn on the computers.
Systems serving laboratories like hematology, microbiology, biochemistry, tumor diagnostics, or radiology appear to be on a different network than the affected systems as they continue to work.
Basic operations are still possible at the hospital and patients are still being examined, despite the attack. However, medical data collected by lab systems is stuck there and cannot be recorded in databases.
Prescriptions are written by hand or typed, leading to longer examination times. This happens at a point when every minute counts and doctors need all the help they can get in dealing with COVID-19 infections.
The National Cyber and Information Security Agency (NÚKIB) has been called in and is working to identify the root of the problem and remedy the situation. The National Organized Crime Center is also involved in the case.
Because the state of emergency had already been declared in the country when the attack occurred, the investigators will treat it as a priority and aggravating circumstances will be considered for prosecution.
Malware in the time of COVID-19
Some ransomware operators, like Maze, intentionally avoid targeting critical services. They told BleepingComputer that they “don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects.”
Other ransomware actors, though, have no problem attacking healthcare units. At the beginning of 2018, SamSam hit at least two hospitals in the U.S.
Ryuk also shows no remorse in attacking hospitals. Last year, DCH hospitals in Alabama paid what the cybercriminals demanded for the decryption key that unlocked the medical data.
Other threat actors are also trying to capitalize on this global health crisis and have created malware or launched attacks with a COVID-19 theme. A new ransomware strain was discovered this week, and BEC scammers are using the outbreak in an attempt to persuade victims to send money to a different account.
DomainTools also found new malware for Android phones that locks them up and demands a ransom of $100 in bitcoin. CovidLock, as the researchers named it, locks the phone screen and threatens to delete contacts, pictures, and videos. The ransom note also threatens to leak social media accounts to the public.
This is a screen-locker, and starting with Android 7.0 (Nougat) there is protection against it if a password is already set. CovidLock can still affect devices where unlocking the screen is not password protected.
DomainTools has obtained the decryption key for the unlock password set by CovidLock and will soon make it public, along with the technical details of their research.
Update March 17, 12:18 EDT: DomainTools published their technical analysis of CovidLock, which includes the ‘verify PIN’ function that contains the unlock password. As Jazmac mentions in the comment below, by the time the company published the details, someone else had reverse-engineered the application, extracted the information and announced the feat on Reddit.