Ransomware Attacks During the Coronavirus (COVID-19) Pandemic

Ransomware and Corona Virus


Understanding cyber risk is an important part of our shift to remote work during the COVID-19 pandemic.

Many businesses are trying to survive the financial impact from the Coronavirus shutdowns and their employees are desperately seeking to hold on to their jobs.

During this stressful time, many of us have our cybersecurity guard down, making us more vulnerable to cybercriminals looking to capitalize on the situation.  

Right now, we have no way of verifying if human error will increase during the novel coronavirus COVID-19 outbreak. We do know that human error is often the gateway that allows hackers unauthorized access to computer systems, servers and networks – resulting in a ransomware attack or data breach.

Employee training on remote work protocols is very important. Even if you began deficiently in the rush to move to remote work, you have time to train your team, improve your cyber hygiene and consider investing in cyber insurance to help protect your business and data assets.  

Cyber Armada Insurance will make every effort to provide the best, up-to-date advice on cyber risk during remote work. We are here to provide specialized service and know-how for your cyber insurance protection. Our goal is to help you to operate “cyber secure” during this crisis.

Success is not final; failure is not fatal: it is the courage to continue that counts.

Winston Churchill

Right now, you have time to train your team, improve your cyber hygiene, and consider investing in cyber insurance to help you protect your business and critical data assets. Is cyber insurance worthwhile? It is if you want to survive the business interruption that often accompanies a ransomware attack.

Ransomware is a form of malware that infiltrates your network or computer system, allowing hackers to lock your data while seeking a ransom payment (usually in Bitcoin). Typically, these attacks occur via a breach of trust using email impersonation. Individuals or company employees are tricked into opening a hyperlink or attachment sent by a phishing or spoof email.

During the COVID-19 outbreak, many employees find themselves in a new remote work setting, trying to adapt as quickly as possible. At the same time, cybercriminals appear to be taking advantage of increased vulnerabilities with a reported 667% spike in fraudulent coronavirus emails since March 1, 2020. The challenge we all face is to decipher the legitimate from the fraudulent emails and websites.

Stop and think because one click is all it takes. When ransomware attacks lock a policyholder out of their network, there are two options, either pay the ransom or restore the locked data from backups. Organizations without adequate backups face a difficult choice – pay the ransom or rebuild their data from scratch (if at all).

During this COVID-19 crisis, we see new threats to businesses of all sizes, even to facilities tasked with saving lives.

Ransomware Risk to Hospitals and Medical Facilities

In March 2020, as healthcare organizations battle the COVID-19 pandemic, they’re also facing heightened cybersecurity threats.

  • In Illinois, the Champaign-Urbana Public Health District discovered a ransomware attack when they tried to deliver COVID-19 updates to Champaign-Urbana residents. The hackers did not steal patient health information, and their website is up and running again.
  • The U.S. Department of Health and Human Services also fended off an attack recently while focusing on the coronavirus response.
  • Hammersmith Medicine Research, a UK-based medical facility that has plans to test coronavirus vaccines, has been attacked by one of the ransomware groups that recently pledged not to target medical organizations during the COVID-19 pandemic. According to a report in Computer Weekly, HMR was able to repel the attack and restore its systems without having to pay any ransom. However, personal information of more than 2,300 patients, including medical questionnaires and copies of passports, was leaked online.
  • The Brno University Hospital in the Czech Republic experienced a cyberattack forcing a tech shutdown during the coronavirus outbreak. The hospital houses one of the most extensive COVID-19-testing facilities in the Czech Republic. A ransomware attack is suspected but not confirmed.
Fake COVID-19 Tracking App Downloaded Ransomware on Android Mobile Phones

A fake coronavirus tracking app downloaded ransomware on Android mobile phones, locking down the phones. First, the user was asked to grant access to the phone’s lock screen for instant alerts when a Coronavirus patient is near you, and second, to grant permission to access settings for active state monitoring. Once permission was granted, the ransom note appeared on the screen.

The threat:

  1. Your social media accounts will be leaked or made public and
  2. Your phone’s entire contents, stored on your phone, will be deleted.

The demand:

The ransom demand is $100 in Bitcoin to be paid via a code provided within 48 hours.

A security research team reverse-engineered a decryption key, and publicly released it, allowing users to unlock their phones without paying the ransom. Thus far, they have not discovered any ransom payments being made. This type of attack signals a warning to all mobile phone and smartphone users.

Fortunately, the CovidLock ransomware has a flaw the prevents a new key from affecting anyone who has previously downloaded the app.

Take note that in addition to the guidelines as outlined below, issued by the three U.S. federal agencies, the World Health Organization (WHO), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC) and the Better Business Bureau (BBB) have all issued warnings in recent weeks about the uptick in criminal scams tied to the novel coronavirus COVID-19.

Prevention is the best medicine here – be sure to rely on trusted sources for your coronavirus information and be cautious about granting access or permission to your phone when downloading an app.

Guidance on Secure Teleworking from the FTC, NIST, and CISA

The concern over human error and the lack of cyber hygiene in remote workplaces have led three U.S. federal agencies to issue new guidance on how to ensure cybersecurity during our shift to teleworking – working remotely.

In response to the surge of remote workers, the U.S. Federal Trade Commission (FTC) and the U.S. National Institute of Standards and Technology (NIST) have both issued guidance for employers and employees on best practices for teleworking securely. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain regular work schedules, if possible. 

Next Steps During Remote Work:

Employee training on remote work protocols is critical. Even if you began deficiently in a rush to move to remote work, you have time to train your team, improve your cyber hygiene and consider investing in cyber insurance to help protect your business and data assets. 

You have options available to protect your company and employees from fake emails:

  • Virtual meetings or conference calls to discuss best practices to prevent a security breach
  • Employee training on the latest phishing and social engineering attacks
    • Do not click hyperlinks in emails from unknown senders
    • Since domain and display name spoofing are prevalent, carefully review internal emails and use multi-factor authentication such as follow-up calls if unsure of the authenticity
    • Never give personal information or login details in response to an email request to avoid business email compromise (i.e., fraudulent fund transfers)
    • Report email attacks to the IT department or security manager
  • Backup critical files and systems, minimally your critical data assets
  • Develop data access protocols for system administrators and key employees
  • Patch and update software systems to address weak points
  • Invest in reliable anti-virus and anti-phishing software
  • Invest in stand-alone cyber insurance to transfer your cyber risk.
  • Create an incident response plan, business continuity plan, and disaster recovery plan (with the help of your cyber insurance advisor).
Stand-Alone Cyber Insurance Coverage for Ransomware Attacks

Many cyber liability policies provide cyber extortion coverage to protect your business against losses caused by ransomware and other types of cyber extortion.

For example:

  1. Ransom payments – when hackers lock your network or computer system demanding payment of ransom for the key to unlocking your system.
  2. Loss of business income during the cyber event – after a brief waiting period.
  3. Extortion-related expenses – when you incur losses because of the extortion threat, such as making the ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
  4. Repair costs – when you sustain losses due to damage, disruption, theft or misuse of your data, such as the cost to restore, replace or reconstruct programs, software, or data.
Remote Work Environment

Most cyber policies provide broad, affirmative coverage for a security event (as defined in the policy). That means that the cyber policy will provide coverage regardless of where the breach or security event occurs, in the workplace, or working remotely at home. 


  • The coronavirus (COVID-19) pandemic highlights how seriously we should be taking our cybersecurity practices.
  • Cyber attackers seek out vulnerabilities in stressful environments such as hospitals and remote work environments where employees may have reduced cybersecurity practices in place.  
  • A ransomware attack disrupts your business. You are asked to make the difficult choice of paying the ransom or losing critical data assets in a short time (e.g., hours or days), and then get your business operating again.
  • Facing a cyberattack on your own, without the benefit of cyber insurance, can be a costly, arduous climb.

Contact Cyber Armada today to examine how your company faces potential financial losses from business interruption caused by a ransomware attack. Contact us at 888.727.6232.


Please watch for our upcoming article on third-party vendor cyber risk.


This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the authors(s) or Cyber Armada Insurance.

Topics: Ransomware Remote Work Covid-19

Cyber Armada Team
Posted by Cyber Armada Team on Mar 31, 2020

Apply for Cyber Insurance Online

Answer a few questions online and Cyber Armada will design a cyber insurance policy tailored to your particular needs.

Apply Online
Apply for Cyber Insurance
Schedule an appointment with Cyber Armada

Can we talk?

We're ready to talk when you are. You can schedule an appointment to speak with a representative from Cyber Armada when it is most convenient for you. Whenever possible we use online meetings to increase productivity and increase the amount of time we can spend with you. We use Zoom Meetings as our preferred video conferencing platform.

Schedule Appointment