New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Some Ransomware Operators Vow to Leave Healthcare Alone During COVID-19 Crisis

Lawrence Abrams of Bleeping Computer reached out to the operators behind some of the most prevalent ransomware this week. His question was a simple one: “Will you continue to target health and medical organizations during the COVID-19 pandemic?” So far two groups have answered Lawrence’s question–DoppelPaymer and Maze. The threat actors behind the DoppelPaymer ransomware said that if a medical or healthcare organization is mistakenly attacked, they will provide the facility with the decryption key for free. Interestingly, the group added that pharmaceutical companies do not get the same free pass as other healthcare organizations. The spokesman for the group stated that “they earn a lot of extra on panic” and that they “have no wish to support them.” Maze responded similarly, saying that they would stop attacking medical organizations until “the stabilization of the situation with the virus.” Unlike DoppelPaymer, Maze would not confirm if they plan to decrypt medical and healthcare facilities for free if they become infected unintentionally. 

Analyst Notes

Many believe that this promise from the ransomware operators was made out of a sense of self-preservation rather than a genuine interest in the common good. If a medical facility were to be hit by ransomware, the public reaction would be very negative and the response from the law enforcement, military, and intelligence community against the ransomware operators could be overwhelming. Even if the ransomware operators provide free decryption keys, operations at hospitals could still be severely impacted while IT staff work to restore computers and verify proper operation. Decrypting all the files on a computer with a program supplied by the attackers can be time-consuming and can result in corrupted files, putting patient safety at risk. While many cyber-criminals who operate ransomware are interested in turning a profit more than decency, they are still human and susceptible to the same viruses and illnesses as the rest of us, meaning that an attack on a medical facility could impact them or people they care about if it is located in the same geographic region where any of their friends or family members live. More information on this incident can be found at