The operators of Ryuk ransomware continue to target hospitals, despite the intense pressures they are already facing as a result of the coronavirus pandemic.

On March 27, ‘PeterM’ of British IT security firm Sophos, tweeted that a United States-based healthcare provider had been targeted by Ryuk’s ransomware. PeterM stated that the cyber offensive “looks like a typical Ryuk attack,” posting:

“I can confirm that #Ryuk ransomware are still targeting hospitals despite the global pandemic. I'm looking at a US health care provider at the moment who were targeted overnight. Any HC providers reading this, if you have a TrickBot infection get help dealing with it ASAP.”

Two of seven ransomware operators claim to cease targeting hospitals 

On March 18, cybersecurity publication BleepingComputer published a report after contacting seven ransomware operators to ask if they would continue to target hospitals despite the COVID-19 outbreak.

Only Maze and DoppelPaymer indicated that they would no longer target hospitals. Maze later decrypted and released data that it had stolen from a drug testing company that it had targeted prior to the pandemic. 

Ryuk did not respond to the publication’s request for comment

One week later, Bleepingcomputer reported that software security firm SentinelOne had identified at least ten instances of Ryuk targeting at least 10 healthcare organizations during March — including one attack on a network of 9 hospitals.

Dutch cybersecurity firm freely fights ransomware for hospitals

As part of the “Tech against Corona” initiative — where a consortium of local tech companies are freely offering their services and technologies to the Dutch government to fight COVID-19 — IT security firm Cybersprint is helping hospitals fight ransomware.

In addition to providing its security services to the hospitals free of charge, it is also conducting a deep investigation into recent ransomware attacks to develop best practices to secure against future incidents.