Cyber Incident Victim: Health Canada

Date:

Mar 2020

Location:

Canada

Summary

A Canadian government health organization involved in COVID-19 response efforts was targeted by ransomware through coronavirus-themed phishing emails impersonating the World Health Organization. Attackers sent malicious RTF attachments exploiting a known Microsoft vulnerability (CVE-2012-0158) to deploy EDA2-based ransomware, which encrypted files with a ".locked20" extension after communicating with command-and-control servers to generate victim-specific keys. The campaign disrupted operations by compromising systems engaged in pandemic containment activities, leveraging the global health crisis to increase attack effectiveness. Security researchers identified the malware as part of broader efforts targeting critical healthcare and research entities worldwide during the pandemic.

Description

Between March 24 and March 26, 2020, threat actors conducted a ransomware campaign targeting a Canadian government healthcare organization engaged in COVID-19 response efforts and a Canadian medical research university. Attackers sent phishing emails from a spoofed World Health Organization address ([email protected]) using the IP address 176.223.133.91. The emails contained a malicious Rich Text Format attachment named "20200323-sitrep-63-covid.doc," referencing the March 23, 2020 date but remaining unchanged throughout the campaign. This weaponized RTF file exploited CVE-2012-0158, a buffer overflow vulnerability in Microsoft’s ListView/TreeView ActiveX controls within the MSCOMCTL.OCX library. When opened in vulnerable applications, the attachment delivered ransomware payloads. Palo Alto Networks Unit 42 researchers observed the malicious activity between March 24 at 18:25 UTC and March 26 at 11:54 UTC, confirming the targeting of personnel directly involved in pandemic containment and research operations.

The ransomware, identified as EDA2-based open-source malware originally designed for educational purposes, initiated encryption after establishing communication with its command-and-control server. Upon execution, the binary contacted the C2 to download an image displayed as the infection notification. It collected host details including username and hostname, transmitting this data to the C2 to generate a custom encryption key. The server returned the key to the infected system, which then encrypted files on the desktop with a ".locked20" extension. The malware subsequently sent an HTTP POST request containing the hostname and AES-encrypted decryption key to the resource www.tempinfo.96.lt/wras/savekey.php. This campaign formed part of a broader pattern of COVID-19-themed attacks observed by researchers, which also included AgentTesla infostealer deployments against U.S. defense research entities, Turkish public works agencies, multinational technology firms, and medical facilities in Japan. Palo Alto Networks documented the technical mechanisms but did not report specific containment measures or operational disruptions experienced by the Canadian healthcare organization. The incident exemplified threat actors’ exploitation of pandemic-related urgency to compromise critical response infrastructure through known software vulnerabilities and social engineering tactics.
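Detection logic for the indicators described above, as an added example that is not from the original page or from Unit 42: it flags a "Word" attachment whose bytes are really RTF, outbound POSTs to the savekey.php key-upload resource, and files carrying the ".locked20" extension. The proxy-log format and the sample file paths are constructed assumptions.

```python
import re

RTF_MAGIC = b"{\\rtf"                 # every RTF document opens with the control word {\rtf1
RANSOM_EXT = ".locked20"              # extension appended by the EDA2-based ransomware
KEY_UPLOAD_PATH = "/wras/savekey.php"  # C2 resource that received hostname + encrypted key


def is_disguised_rtf(filename: str, content: bytes) -> bool:
    """Flag an attachment named like a Word document whose bytes are RTF.
    Word opens RTF regardless of extension, so the .doc name alone proves nothing."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext in ("doc", "docx") and content.lstrip().startswith(RTF_MAGIC)


# Constructed proxy-log shape (assumption): "<source-host> <method> <url>"
LOG_RE = re.compile(r"^(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def find_key_uploads(log_lines):
    """Return (line_no, source_host) for POSTs to the key-upload resource."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line.strip())
        if m and m["method"] == "POST" and m["url"].lower().endswith(KEY_UPLOAD_PATH):
            hits.append((n, m["host"]))
    return hits


def find_encrypted_files(paths):
    """Return paths carrying the ransomware extension (evidence encryption already ran)."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXT)]


if __name__ == "__main__":
    # Constructed samples; the attachment name is the one used in the campaign.
    attachment = ("20200323-sitrep-63-covid.doc", b"{\\rtf1\\ansi ...")
    logs = [
        "ws-17 GET https://www.canada.ca/",
        "ws-17 POST http://www.tempinfo.96.lt/wras/savekey.php",
        "ws-09 GET https://www.who.int/",
    ]
    files = ["C:/Users/a/Desktop/budget.xlsx.locked20", "C:/Users/a/Desktop/notes.txt"]
    print(is_disguised_rtf(*attachment))       # True
    print(find_key_uploads(logs))              # [(2, 'ws-17')]
    print(find_encrypted_files(files))         # ['C:/Users/a/Desktop/budget.xlsx.locked20']
```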
