It was early February when Ohad Zaidenberg first started noticing malicious emails and files disguised as information about Covid. He’s a cyber intelligence researcher based in Israel, and they were the sort of schemes he encountered all the time—benign-looking messages that trick people into giving someone network access. But more and more of them seemed to be using fear of the new virus as leverage to get people to click a link or download a file. “This little measure can save you,” read one email he flagged, before prompting the reader to open a PDF called “Safety Measures.” Zaidenberg didn’t think too much of it at the time. Coronavirus cases were still mostly confined to China, and it wasn’t yet clear the virus would become a global pandemic.

Just over a month later, Zaidenberg went out to dinner. It was his last night out before Israel shut down. Infections were starting to climb, and as he drove back to his home in Tel Aviv, he was thinking about how dangerous everything suddenly seemed. A former intelligence officer with dark hair and a closely cropped beard, Zaidenberg had left the Israeli army with a deep belief in working for peace. Coronavirus is a war, he thought. Then he remembered the malicious documents he’d been seeing. For the most part, they’d seemed benign enough—someone trying to get into a system to spy, for instance. But now something new jolted his mind: What if the malware was instead used to compromise hospital security?

It had already happened three years earlier. In May 2017, computers at National Health Service hospitals all across the UK started displaying a pop-up message demanding users pay $300 in bitcoin to restore access to their files. The ransomware attack, called WannaCry, didn’t specifically target hospitals in the UK. In fact, it infected more than 200,000 computers worldwide. But many British hospitals had been running older, more vulnerable Windows operating systems, and once the worm got in, it quickly jumped from computer to computer, encrypting files as it went. Email systems went offline. Doctors couldn’t access patient records. Blood test analysis devices and MRI scanners became inoperable, and staff scrambled to cancel surgeries and other appointments—19,000 in all. The attack cost the National Health Service well over $100 million.

As Israel shut down during the pandemic, cyber intelligence researcher Ohad Zaidenberg decided to apply his skills to defending hospitals around the world. Photograph: Dudi Hasson

Zaidenberg could barely bring himself to think what an attack like that would do to hospitals around the world already buckling under a surge of Covid cases. Even a smaller attack could be devastating. Locking doctors out of patient records could easily have life-or-death consequences. If a hospital had to pay a ransom to unlock its systems, perhaps it couldn’t buy additional ventilators. People could die.

The next day, Zaidenberg saw the news. The second-largest hospital in the Czech Republic had been attacked. In the early morning hours, an announcement blared over the hospital’s PA system, instructing workers to shut down their computers immediately. A few hours later, surgeries were canceled. Luckily, there were fewer than 300 coronavirus cases in the country at the time, so the hospital wasn’t already overburdened. It was, however, one of the Czech Republic’s biggest Covid testing centers, and the attack delayed results for a few days.

The Czech incident made it clear to Zaidenberg that his fears were justified. Israel was in the process of locking down, and he knew he would soon have a lot of time on his hands. He also knew his cybersecurity skills could help prevent attacks like the one in the Czech Republic. After all, he was already monitoring virus-related threats for work. What if there were a way to scale that up globally, a way to alert hospitals—any hospital, anywhere—that they might be vulnerable, before an attack happened?

That same day Zaidenberg noticed that Nate Warfield, a Microsoft security manager he’d recently met, was tweeting about the exact same thing. “We as infosec professionals have skills and tools our colleagues supporting the medical field may not,” Warfield wrote. “I encourage all of you to do what you can in your communities and regions to help defend them.” Zaidenberg messaged him right away. He floated the idea of recruiting a group of cyber threat researchers to work, pro bono, assessing threats related to the virus.