Ransomware Attacks During COVID-19

As we previously described, and as reflected in the rapidly increasing number of cyber-attacks since its start, the COVID-19 pandemic has triggered a shift in working practices that hackers and other bad actors are using to their advantage.  Recent studies show a 273 percent rise in large-scale data breaches in the first quarter of 2020 compared to the same period of the prior year, and a 109 percent year-over-year increase in ransomware attacks in the United States through the first half of 2020.  This post focuses specifically on ransomware attacks targeting researchers working on a COVID-19 vaccine and on how these attacks have evolved since the start of the pandemic.

In a ransomware attack, hackers use phishing or other means to introduce malware onto the victim's computer systems.  The malware encrypts the files and data on those systems, rendering them inaccessible to the victim.  The hackers then attempt to extract a monetary payment from the victim in exchange for the key needed to decrypt the compromised files.  Increasingly, the attackers also copy data off the victim's systems before encrypting them and threaten to publicly release that stolen data by a specified deadline if no payment is received.  This second form of leverage matters for victims weighing whether to pay: a decryption key restores access to files, but it does nothing to recover copies of data that have already left the network, so an attack of this kind should be treated as a data breach as well as an outage.

Recent ransomware attacks have targeted entities conducting confidential COVID-19-related research, including firms and groups working to develop a vaccine for the virus.  In March, for example, the Maze ransomware hacking group attacked a British research company that was preparing to conduct trials of a COVID-19 vaccine.  After the company, which stated it lacked funds to pay a ransom, refused to pay, the hackers released thousands of personal medical records stolen from the company's servers.  In April, the U.S. firm 10x Genomics, which was performing sequencing research on cells from patients who had recovered from COVID-19, suffered a ransomware attack.  The group behind the Sodinokibi (REvil) ransomware took credit for that attack, claimed to have stolen one terabyte of sensitive data, and publicly released some of that information.  More recently, in June, hackers infiltrated servers in the epidemiology and biostatistics department of the University of California at San Francisco.  UCSF, then in the midst of research into a COVID-19 treatment or vaccine, hired a professional negotiator and agreed to pay a $1.14 million ransom for the decryption key (according to a leaked transcript of the negotiation).  Other recent targets of ransomware attacks include pharmaceutical companies working on trial-stage COVID-19 vaccines, such as Moderna.

These attacks show that hackers are capitalizing on the weaknesses exposed by changing work patterns, such as increased use of personal e-mail accounts and "shadow" IT that falls outside an organization's security controls.  The increase in ransomware incidents specifically further suggests that high-stakes COVID-19 research makes companies especially attractive targets because, as the director of the U.S. National Counterintelligence and Security Center warned in the early days of the pandemic, "there is nothing more valuable or worth stealing than any kind of biomedical research that is going to help with a coronavirus vaccine."  Because of the urgency created by the global health crisis and the value of being first to market with a vaccine, researchers may be both more willing to cut corners on security and more likely to pay high ransoms to minimize disruption to their work.  The situation is proving irresistible to hackers: even groups such as Maze, which publicly committed to refrain from attacking healthcare organizations throughout the pandemic, continue to mount attacks.

The UCSF hackers, who remain unidentified but were likely operating from Russia or Eastern Europe, were motivated primarily by the prospect of a large payday.  However, data from other recent ransomware attacks suggests at least some overlap between hacking groups driven by profit and groups working on behalf of nation states to co-opt American research for foreign vaccine efforts.  In July, a federal grand jury in Washington State indicted two Chinese nationals on hacking charges.  The defendants allegedly conducted a years-long hacking campaign, occasionally employing ransomware, and "in some instances acted for their own personal financial gain, and in others for the benefit of . . . Chinese government agencies."  The indictment identifies multiple specific instances between January and June 2020 when the defendants allegedly probed the servers of U.S. biotechnology and medical diagnostics companies for vulnerabilities, seeking to obtain sensitive COVID-19-related research.

In the wake of these recent attacks, companies and organizations, especially those involved in medical research related to COVID-19, should take concrete steps to protect their data and follow best practices for remote work: maintain offline backups and test that they can actually be restored, require multi-factor authentication on remote access and e-mail, patch internet-facing systems promptly, train staff to recognize phishing, and plan in advance for how a ransomware incident will be handled, including the possibility that data has been stolen as well as encrypted.  We will continue to monitor the unique threat environment caused by the COVID-19 pandemic.