A new wave of ransomware attacks against hospital has begun. Internet criminals are distributing Locky ransomware on a vast scale, mostly in the form of phishing campaigns directed at the healthcare sector. The method of distribution is a macro-enabled Office 2007 Word document containing the malicious payload.
LOCKY IS MAKING THE ROUNDS YET AGAIN
A report published by FireEye earlier this week goes to show the majority of targeted hospitals are located in the United States. Other regions include Japan, Korea, and Thailand. By distributing Locky ransomware to these institutions, internet criminals are banking on a big payday. Just last year, the Hollywood Presbyterian Hospital paid US$17,000 to get rid of a ransomware attack.
Previously, criminals would distribute Locky ransomware through spam attacks. With such a myriad of email messages being blasted out, there is a fair chance of success. But when it comes to targeting the healthcare industry, infected macro-enabled Office 2007 Word documents seem to be preferable.
As horrible as it may sound, ransomware distributors have a quote to uphold. Maximising earnings is their top priority, regardless of where the money is coming from. Despite this change of distribution tactics, the Locky ransomware is still downloaded from a centralised server. If security researchers can figure out these server locations, they may be able to shut down this threat once again.
It has to be said, however, that distributors of this new wave of Locky ransomware are taking a far more professional approach. Every email campaign has a unique ID which is broadcasted when the payload is downloaded. This allows distributors to keep track of successful distribution attempts.
The healthcare industry is not the only sector of value to Locky distributors right now. Several campaigns are targeting transportation, telecom and manufacturers all over the world. So far, no mention was made of any enterprises paying the ransom demand in Bitcoin.We can only hope things stay that way for the foreseeable future.
3 thoughts on “Criminals Target Hospitals Through New Locky Ransomware Campaign”
“Despite this change of distribution tactics, the Locky ransomware is still downloaded from a centralised server. If security researchers can figure out these server locations,…”
… or maybe Fort Meade, Maryland in concert with those brave Boys and Girls out in the Stinkin’ Desert of Utah!
But aren’t they interchangeable?