A number of healthcare-related malware attacks have been tied to the SamSam ransomware group, which has already hit several high-profile targets in 2018. Victims include hospitals, a municipality, an electronic health records provider and an industrial control systems (ICS) company:
- Hancock Health Hospital in Greenfield, Indiana
- Adams Memorial Hospital in Decatur, Indiana
- Municipality of Farmington, New Mexico
- Allscripts, a cloud-based electronic health records (EHR) provider
- An unnamed, US-based industrial control systems company
SamSam ransomware campaign might be just getting started
The SamSam crew scans the Internet for exposed Remote Desktop Protocol (RDP) endpoints and gets in by guessing weak credentials or using stolen ones. Once inside a network, they use the compromised RDP host as a foothold and push the ransomware out from it to further computers.
Victims said that the malware locked files and displayed the word “sorry” – either in a message or in network files. SamSam ransomware, also known as Samas, doesn’t look like other infections: it is a custom strain that malicious actors use in targeted attacks rather than in mass, indiscriminate campaigns. Farmington city council released a screenshot of its SamSam ransomware note:
Since December 26, this version has infected at least eight entities. Most of the victims are in the US, with a few in Canada and India.
SamSam cyber criminals have got away with nearly $325,000 so far
The ransom note contains the web address of an account where victims can deposit ransom payments. The first payment came in on December 25, and at the time of reporting, 30.4 bitcoins, valued at roughly $325,000, are in the account. There may be more victims – and payments – to come.
In the case of Hancock Health, the hospital noticed its computer systems slowing down on January 11, with 1,400 files affected. CEO Steve Long confirmed the ransomware attack was initiated by a criminal hacker who “attempted to shut down Hancock Health’s operations.” Hancock Health admitted to paying about $55,000 in ransom, despite having backups.
The hospital claims that no personal information was compromised. The other targets have not disclosed their incident remediation strategies.
Adams Health Network also hit by SamSam
Adams Health Network, which operates Adams Memorial Hospital, confirmed that it was also hit by a ransomware attack. The organization noticed the attack on its servers on January 11, but has released few further details.
Staff at the Berne Outpatient Clinic plus three in-network physicians were blocked from accessing patient histories or appointment schedules. The network slowed down and then went blank before files on the system read “sorry.” Susan Sefton, a spokesperson for Adams Memorial Hospital, said the data breach affected between 60 and 80 patients.
Adams Health Network said in a statement: “While AHN did experience a business interruption throughout the weekend as we worked to restore the affected servers, there was never an interruption in patient care. We are continuing to assess the severity of the situation, but at this time we believe no patient files have been accessed. At no time during this event has the quality and safety of patient care been affected.”
Allscripts infected by a SamSam strain separate from hospital versions
Chicago-based EHR giant Allscripts suffered application outages after Raleigh and Charlotte, NC data centers were infected with SamSam ransomware. Allscripts informed providers that outages would continue for a few days while it restored data through backups and alternative access methods.
The SamSam variant that infected Allscripts appears to be unrelated to the version that infected Hancock Health and Adams Memorial Hospital, according to the FBI, Microsoft and Cisco. Allscripts has hired Mandiant to conduct a forensic investigation into how the infection started.
SamSam ransomware is a reminder to secure RDP connections
SamSam is one of a growing list of ransomware families that gets in through RDP exposed to the Internet. The first question to ask is whether RDP needs to be reachable from the Internet at all; if it does, it should sit behind a VPN or remote desktop gateway rather than on an open port. Beyond that, enforce strong, unique passwords and account lockout on every account that can log on remotely, require multi-factor authentication, and watch for bursts of failed RDP logons followed by a success from the same source, which is what a credential-guessing campaign looks like in the logs.
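The log pattern described above (credential guessing against an exposed RDP endpoint, then a successful logon with the guessed or stolen credential) can be picked out of Windows Security event data with a simple sliding window. The following is an added example written for this page; it is not code from the original article, from IT Governance, or from any vendor named here. It runs over a constructed sample of Security log records using assumed field positions (timestamp, EventID 4625 = failed logon or 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP, target account, source IP); the sample values are invented for illustration.

```python
"""Flag RDP credential-guessing followed by a successful logon.

Added example, not code from the original article or from any vendor
named in it. Field layout and sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample: (timestamp, EventID, LogonType, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    ("2018-01-11T01:00:00", 4625, 10, "administrator", "203.0.113.45"),  # stale, outside window
    ("2018-01-11T02:00:01", 4625, 10, "administrator", "203.0.113.45"),
    ("2018-01-11T02:00:12", 4625, 10, "administrator", "203.0.113.45"),
    ("2018-01-11T02:00:23", 4625, 10, "admin", "203.0.113.45"),
    ("2018-01-11T02:00:34", 4625, 10, "admin", "203.0.113.45"),
    ("2018-01-11T02:00:45", 4625, 10, "backup", "203.0.113.45"),  # 5th failure in window
    ("2018-01-11T02:00:56", 4625, 10, "backup", "203.0.113.45"),
    ("2018-01-11T02:01:30", 4624, 10, "backup", "203.0.113.45"),  # guessed credential works
    ("2018-01-11T03:00:00", 4625, 10, "jsmith", "198.51.100.7"),  # one typo, then success
    ("2018-01-11T03:00:30", 4624, 10, "jsmith", "198.51.100.7"),
    ("2018-01-11T04:00:00", 4624, 3, "svc_backup", "192.0.2.10"),  # network logon, not RDP
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for sources with at least `threshold` failed
    RDP logons inside any `window`, noting whether an RDP success from the
    same source followed (the signature of a guessed or stolen credential)."""
    rdp = sorted((e for e in events if e[2] == RDP_LOGON_TYPE),
                 key=lambda e: parse_time(e[0]))
    recent = defaultdict(list)  # src_ip -> failure timestamps still inside the window
    users = defaultdict(set)    # src_ip -> account names tried
    findings = {}
    for ts, event_id, _, user, ip in rdp:
        t = parse_time(ts)
        if event_id == FAILED_LOGON:
            # drop failures older than the window, then add this one
            recent[ip] = [x for x in recent[ip] if t - x <= window] + [t]
            users[ip].add(user)
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {
                    "first_flagged": ts,
                    "peak_failures": 0,
                    "users_tried": users[ip],
                    "success_after": None,
                })
                f["peak_failures"] = max(f["peak_failures"], len(recent[ip]))
        elif (event_id == SUCCESS_LOGON and ip in findings
              and findings[ip]["success_after"] is None):
            findings[ip]["success_after"] = {"user": user, "time": ts}
    return findings


if __name__ == "__main__":
    for ip, f in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['peak_failures']} RDP failures in window from {f['first_flagged']}, "
              f"accounts tried {sorted(f['users_tried'])}, "
              f"success after: {f['success_after']}")
```

The one-off failure from 198.51.100.7 stays below the threshold and the non-RDP network logon is ignored, so only the source that guessed its way in is reported; in a real deployment the threshold and window would be tuned to the environment, and a finding with `success_after` set is the one to treat as an active compromise rather than noise.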
Organizations must test and improve their cybersecurity defenses
Cyber attacks can be random and indiscriminate, or they can be sophisticated and targeted like the SamSam ransomware. IT Governance’s penetration testing solutions can help you to rank and rate vulnerabilities so that you can plan remediation activities, based on your accepted risk level and budget.
IT Governance consultants are experienced and CREST-accredited. Our threat-based approach provides a realistic appraisal of your security posture along with the risks associated with cyber crime. We will produce easy-to-understand documentation on damage potential, reproducibility, exploitability, number of affected users, and discoverability for each finding. Detailed data output enables you to replicate the issue, and personalized remediation advice will give you the best solution. Learn more about our penetration tests.