A large-scale Snake ransomware campaign is underway after a period of low-level activity. Snake ransomware was first identified by MalwareHunter Team in January 2020 and has only been used in limited attacks, but there was a major spike in attacks on May 4, when 25 attacks were reported.
Snake ransomware is unusual as it targets industrial control systems (ICS), SCADA systems, and processes related to enterprise management tools. The systems targeted by the hackers are found in production and manufacturing networks, where the downtime can result in millions of dollars in losses. This makes payment of the ransom much more likely due to the level of disruption caused by the attacks.
As is now common in ransomware attacks, the operators of Snake ransomware say that prior to encryption, files are stolen from victims and threats are issued to publish the stolen data if payment is not made within 48 hours. It is currently unclear whether they have that capability or if it is an empty threat.
According to a recent report on KrebsonSecurity, the operators of Snake ransomware recently attacked Fresenius Group, the largest private operator of hospitals in Europe. The group has 290,000 employees in more than 100 countries around the world and generates sales in excess of $35 billion.
Within the group are four leading healthcare companies, including Fresenius Medical Care which is the leading provider of kidney dialysis equipment in the world, with a 40% market share in the United States. Fresenius Kabi is a pharmaceutical firm supplying drugs, clinical nutritional products, and medical devices for critically ill patients, and Fresenius Helios, is the largest private operator of hospital in Europe.
The attack was conducted on May 4, 2020 forcing the shutdown of several systems to prevent the spread of the ransomware. The attack has naturally caused considerable disruption, but the group says it is continuing to provide care for patients. The company is working to remove the ransomware and restore its systems as quickly as possible. At this stage it is unclear whether the ransom will be paid for the keys to unlock the encryption. If the ransom is paid it would not be the first time. The Fresenius Group reportedly paid a ransom of $1.5 million to resolve a 2019 ransomware attack.
Some ransomware operators have stated that they will not attack healthcare organizations during the COVID-19 pandemic, but others are making no such concessions and the attacks are continuing at pace. Even ransomware operators that have said attacks would stop have not stopped all attacks on healthcare organizations. The Maze ransomware gang for instance, recently published data from a plastic surgery clinic that was recently attacked when the ransom was not paid.
Parkview Medical Center in Pueblo, CO was also hit with a ransomware attack on April 21, 2020 that took its electronic medical record system out of action. One of the largest COVID-19 testing laboratories in Europe, Brno University Hospital in the Czech Republic, was also attacked during the COVID-19 pandemic.
Operators of manual ransomware campaigns often gain access to networks several months before deploying their ransomware payloads, waiting for the optimal time to deploy the ransomware when maximum disruption will be caused. Microsoft’s Threat Protection Intelligence team recently issued an alert to the healthcare industry warning healthcare providers to check for signs of compromise after it detected dozens of ransomware attacks in the first two weeks in April, several of which were on healthcare organizations and other firms involved in the COVID-19 response.
Warnings about cyberattacks targeting healthcare providers have also recently been issued by the U.S Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Interpol, and the UK’s National Cyber Security Centre (NCSC).