Some ransomware groups said that they avoid health organizations during the Coronavirus pandemic. The operators replied BleepingComputer’s questions about their intentions to attack health and medical organizations.
CLOP stays away
The operators behind CLOP Ransomware mentioned in an email that they have never attacked hospitals and charities and will continue this way. And CLOP is developed by one of the famous ransomware groups and can change in a quick way to make it more complex to track the samples.
“We never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won’t. commercial pharmaceutical organizations are not suitable for this list; they are the only ones who benefit from the current pandemic,” they mentioned in an email. Also, they added that if one of these organizations is enctrypted by accident, they will provide a free decryptor.
Moreover, they would offer the decryptor to pharmaceutical companies that work on a Coronavirus vaccine or drug, after they show proof of this.
“We are not enemies of humanity, but commercial laboratories that are trying to trick us will never get the key. our goal is money, not harm,” they explained. Although CLOP had added some pharma companies to their data leak site, it removed them. But it is unclear if this was good will or the victims paid.
DoppelPaymer treat things differently
DoppelPaymer mentioned that they do not normally target hospitals or nursing homes. Also, they will continue this approach during the pandemic.
“We always try to avoid hospitals, nursing homes, if it’s some local gov – we always do not touch 911 (only occasionally is possible or due to missconfig in their network). Not only now. (…) But about pharma – they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns.”
Still, if a medical organization gets encrypted, attackers say that a representative should contact the group on their email or Tor webpage. In other words, they provide proof they get a decryptor.
Maze Ransomware said the same
As a reply, the Maze operators posted a “Press Release” that states they will stop all “activity” against all kinds of medical organizations. But this will happen “until the stabilization of the situation with virus.”
Still, on March 18th, Maze leaked the data for Hammersmith Medicines Research (HMR). ComputerWeekly.com claims this is on standby for testing Coronavirus vaccines in live trials.
Nefilim Ransomware gives free decryptors
Nefilim Ransomware told BleepingComputer that they do not target non-profits, hospitals, schools, or government agencies. Thus, they say they’ll provide a free decryptor if, by accident, hit one of these.
“We never target non-profits, hospitals, schools, government organizations. If we ever encrypted one of those organizations by accident we would provide decryption for free and would delete all data downloaded.(…) The pandemic has not changed our stance on our targets since we believe that hospitals are off limits in any situation.”
Netwalker Ransomware will ask for money
The Netwalker Ransomware operators also mentioned that no ransomware operators target hospitals. “Hospitals and medical facilities? do you think someone has a goal to attack hospitals? we don’t have that goal -it never was. it coincidence. no one will purposefully hack into the hospital.” Still, they added that “if someone is encrypted, then he must pay for the decryption.”
Free help from security companies
According to BleepingComputer, Emsisoft and Coveware announced today that they would be offering their ransomware services for free to healthcare organizations during the pandemic. So, they will offer technical analysis of the ransomware and development of a decryption tool, whenever possible. Also, they will also replace the decryption tool supplied by the criminals with a custom tool. That will recover data faster and with less chance of data loss. Still, there are ransomware groups, such as Ryuk, who continue to target hospitals and ask for money from such organizations.