Ransomware Slams Healthcare, Logistics, Energy FirmsAttacks Traced to Gangs Wielding Nefilim, Snake Strains
Ransomware attacks hit at least four large organizations around the world this week, including a hospital group in Europe that has been battling the COVID-19 pandemic.
On Thursday, Germany-based Fesnius, Europe’s largest private hospital operator and a major provider of dialysis products and services, confirmed to Information Security Media Group that its IT network has been hit by a "computer virus." Security blogger Brian Krebs, citing unnamed sources, reported that Fresenius apparently was hit with a ransomware attack using a variant called Snake.
In another incident, Australian transportation and logistics firm Toll Group confirmed that its internal corporate network was hit by a ransomware variant called Nefilim, which caused the company to shut down several of its systems. On Thursday, the company reported that it had taken an "important step in the restoration of IT systems."
Meanwhile, two major fuel suppliers in Taiwan, including a state-run firm, announced that they had sustained "computer hacks" earlier this week, which local media outlets reported as separate ransomware attacks.
The Search for Targets
Brett Callow, a threat analyst with security firm Emsisoft, says clusters of ransomware attacks are inevitable because the operators behind these attacks are continually looking for new targets and taking advantage of unpatched or poorly secured networks. Since the start of the COVID-19 pandemic, attackers have also tried to target victims that might not have updated all their security protocols (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).
"Generally speaking, the number of successful ransomware attacks has remained relatively stable since the beginning of the year, and not changed significantly since the COVID-19 outbreak began," Callow tells ISMG.
Rui Lopes, engineering and technical support director at Panda Security, also noted that ransomware attacks have remained steady in the wake of the COVID-19 pandemic, and that attackers continue to look for victims that have not revamped their security to meet the current situation.
"Amidst the global crisis caused by COVID-19, it's no surprise that hackers would hit operations that are most needed, such as hospitals, shipping infrastructure and more, and therefore gain the most immediate leverage," Lopes says.
Healthcare Provider Hit
Steffen Rinas, a Fresnius spokesperson, tells ISMG that the company is taking steps to prevent malware from spreading to other parts of its network, but he says patient care services are continuing. "Our IT experts are continuing to work on remediating the situation and ensuring that operations continue to run as smoothly as possible," he says.
Rinas did not provide information on how many systems or locations were affected by this incident or whether the company has been contacted by the attackers.
Fresenius was apparently hit with a ransomware variant called Snake, according to Krebs. Security researchers first took note of the malware in January.
Snake, also known as Ekans, is designed to target the software used to run large-scale industrial facilities, according to the security firm Dragos. It has the ability to encrypt and close down industrial control systems and appears to be similar to Megacortex, a malware used in some high-profile attacks in 2019 (see: New Ransomware Targets Industrial Controls: Report)
Second Attack on Toll
For Toll, this week's ransomware attack is the second to hit the logistics firm this year. In January, the company reported that ransomware forced the firm to deliberately shut down several systems, including customer-facing applications, which slowed deliveries (see: Australian Delivery Firm Confirms Ransomware Attack).
On its website, Toll notes that it's still restoring its systems. "Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network," the company states.
Toll identified the ransomware involved as Nefilim. In March, security researchers reported that Nefilim appears to be an updated version of Nemty, which is part of a growing number of ransomware operations that have launched data-leaking sites in an attempt to extort more pressure on victims (see: More Ransomware Gangs Join Data-Leaking Cult)
Taiwan Energy Firms Hit
The two Taiwanese fuel firms hit by ransomware attacks, according to local media reports, are state-owned petroleum company CPC Corp. and privately owned petroleum refiner Formosa Petrochemical Corp.
According to Cyberscoop, two of the malicious files used in the attack were ransomware, and the company received a ransom note. But it's not clear if the company paid a ransom.
Formosa Petrochemica also was hit with ransomware this week, but it does not appear that any data was taken, according to local news site Focus Taiwan. The company did not issue a statement.
Managing Editor Scott Ferguson contributed to this report.