Hospitals are one of the most important critical infrastructures at the best of times, and more so right now, with the global health emergency caused by COVID-19. At this time, it is imperative that hospitals function as well as they possibly can, with no setbacks.

However, we must not lose sight of the fact that the entire sector is currently in the midst of a technological revolution, and all information is stored digitally, something that can greatly benefit patients. All of this information is also available online so that, should the patient change doctors, the patient’s medical history is easily accessible. It is this same technological improvement that has also created a serious security problem for the healthcare industry. Medical information is highly valuable, so if a cybercriminal manages to get their hands on it, they would be able to make a large profit.

Hospitals are very popular targets for cybercrime these days. This, among other reasons, is due to the amount of personal data they handle, as well as their IT systems, which are often outdated. Some cybercriminal groups have said they won’t attack hospitals during the current pandemic, but there are certain groups that have ignored this laudable initiative. One such example of this was seen in the Czech Republic where, in mid-March, a cyberattack paralyzed a university hospital that was conducting tests and research to mitigate the spread of coronavirus.

Spain: spotlight for infections and the Netwalker ransomware

Spain is one of the countries that has been worst hit by the pandemic, and its hospitals are working non-stop to treat patients. But now Spanish hospitals have another pressing concern to deal with: ransomware.

Last Sunday, national cybersecurity agencies detected an attempt to block the IT systems of Spanish hospitals by sending malicious emails to healthcare personnel. These emails carry an attachment that allegedly contains information about the COVID-19 coronavirus, in a file called “CORONAVIRUS_COVID-19.vbs”.

Embedded in this file is a Netwalker ransomware executable and obfuscated code to extract and launch this ransomware on the victim’s computer. Once executed, Netwalker encrypts the files on the computer and adds a random extension to the encrypted files.

Once this process is completed, the ransomware leaves a ransom note called [extension]-Readme.txt. The note contains instructions on how to recover the encrypted files.
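The naming pattern described above (a note called [extension]-Readme.txt next to files carrying that same extension) can be checked in a file listing. The following is an added example, not code from this article or from any vendor: the function name, the threshold of three files, the case-insensitive match and the sample paths are all assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# The article names the note "[extension]-Readme.txt"; matching it
# case-insensitively is an assumption made here.
NOTE_SUFFIX = "-readme.txt"
MIN_FILES = 3  # hypothetical threshold: files sharing the note's extension


def find_note_indicators(paths, min_files=MIN_FILES):
    """Return directories where an <ext>-Readme.txt note sits beside
    at least min_files files whose names end in .<ext>."""
    by_dir = defaultdict(list)
    for p in map(PureWindowsPath, paths):
        by_dir[str(p.parent)].append(p.name)

    hits = []
    for directory, names in sorted(by_dir.items()):
        for note in names:
            if not note.lower().endswith(NOTE_SUFFIX):
                continue
            ext = note[: -len(NOTE_SUFFIX)].lower()
            if not ext:
                continue  # a file named just "-Readme.txt" carries no extension
            # A note alone is weak evidence; require files tagged with its extension.
            tagged = sorted(n for n in names if n.lower().endswith("." + ext))
            if len(tagged) >= min_files:
                hits.append({"directory": directory, "extension": ext,
                             "note": note, "files": tagged})
    return hits


# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\nurse01\Documents\a1b2c3-Readme.txt",
    r"C:\Users\nurse01\Documents\rota.xlsx.a1b2c3",
    r"C:\Users\nurse01\Documents\lab_results.pdf.a1b2c3",
    r"C:\Users\nurse01\Documents\intake_form.docx.a1b2c3",
    r"C:\Users\nurse01\Documents\todo.txt",
    r"C:\Tools\viewer\viewer-Readme.txt",  # benign readme, no ".viewer" files
    r"C:\Tools\viewer\viewer.exe",
    r"C:\Tools\viewer\help.chm",
]

if __name__ == "__main__":
    for hit in find_note_indicators(SAMPLE_LISTING):
        print(f"{hit['directory']}: {hit['note']} with "
              f"{len(hit['files'])} files ending in .{hit['extension']}")
```

A hit means encryption has already taken place in that directory, so this is a check for scoping an incident, not for preventing one.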

The good news is that mass distribution of this cyberthreat has not yet begun. However, given the emergency situation the country is experiencing, such a cyberattack on a medical center would have devastating consequences.

Process hollowing: an evasion technique

Netwalker attacks Windows 10 systems and is capable of disabling antivirus software. However, to avoid setting off alarms, it doesn’t deactivate EPP security systems. It injects malicious code directly into Windows Explorer.

To avoid detection, Netwalker also uses a technique called process hollowing. This technique involves unmapping the memory of a process in a suspended state and replacing it with malicious code. This allows it to get around cybersecurity solutions that use whitelisting and signatures to detect malware.

How to protect hospitals

Right now, it is more important than ever to keep hospitals safe. In order to ensure they are protected, it is vital that everyone make an effort to stop ransomware making its way onto IT systems in the healthcare sector.

The first step, which must be a fundamental part of any cybersecurity plan, is to be extremely careful with emails. Email is one of the leading entry vectors for malware, and is also a vector that exists in every company. To protect it, it is imperative that we never open attachments from unknown senders. It is also vital never to click on links in emails from strangers, as they can also facilitate the installation of malware.

Another essential measure is the use of advanced cybersecurity solutions. Panda Adaptive Defense is capable of monitoring all activity on all endpoints on the network. It does not use signatures to detect malware. Instead, any unknown process is stopped before it can run, analyzed, and only allowed to run if it is classified as legitimate. This zero trust posture guarantees the security of your IT system.

Because of how important it is to protect this vital sector, during the state of alarm in Spain, Cytomic, a unit of Panda, is providing free endpoint security solutions for companies in the healthcare sector. This way, they can continue to perform all their work efficiently in these critical days, without having to worry about their cybersecurity.