SamSam ransomware hackers still targeting healthcare, HHS warns

The hackers behind the attack on Allscripts have hit 10 organizations in the last few months, levering open RDP connections to proliferate inside a network.
By Jessica Davis
12:27 PM

The destructive ransomware strain SamSam is still pummeling the healthcare sector, and hackers using it have hit at least eight separate targets in the government and healthcare sectors this year, according to an alert from the U.S. Department of Health and Human Services.

HHS officials recommend restricting access behind firewalls, but, more important, using two-factor authentication. Organizations should also limit the users who can access the remote desktop server and use an account lockout policy, which is crucial to stopping the brute force attacks used by SamSam hackers.

[Also: OCR urges health providers: Draft contingency plan for cyberattacks, now]

“Due to the sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk to the [health] sector is expected to continue for the foreseeable future,” HHS officials wrote. “Organizations are encouraged to utilize data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware event.” 

While the SamSam virus has been active since 2016, security researchers saw an uptick in attacks beginning at the end of December 2017. SamSam is a customized variant, rather than a stock virus sold on the dark web.

Hackers will scan the internet for open RDP connections and break into networks using weak passwords or brute force attacks. The goal is to proliferate across a network to other devices and computers.

[Also: What to know about the SamSam ransomware hitting Allscripts, hospitals]

“In the recent SamSam incidents, victim organizations reported that their files were encrypted with the ‘.weapologize’ extension and displayed a ‘sorry’ message,” the alert said.

The latest strain has infected about 10 organizations since December 2017, with most of its victims from the U.S. Some victims were from Canada and India, as well.

Allscripts was hit by the virus in January, locking some of its clients out of their EHRs for up to a week, while two hospitals in Indiana fell victims this year, as well. One of those hospitals, Hancock Health, actually had to pay the $47,000 ransom to unlock patient data.

[Also: HIMSS Healthcare Security Forum's hottest topics: AI, bug bounty programs, medical device hacks]

Erie County Medical Center was hit by a similar strain of SamSam ransomware in April 2017. It cost millions of dollars to fix and took six weeks for the organization to recover. An HHS official noted that hackers got in through an unpatched vulnerability on a public-facing server to launch the ransomware attack.

“In 2018, the trend of targeting vulnerable, public-facing servers continued for the attackers behind the SamSam campaigns,” according to the alert. “Although the infection vector for the ongoing campaigns is yet to be confirmed, there has been some discussion among researchers that the attackers’ initial foothold may have been a compromised RDP/VNC server.”

Most recently, SamSam was behind an attack on the Atlanta government, which shut down several of the city’s online systems and services. Hackers reportedly asked for $6,800 to unlock each encrypted computer or $51,000 for all of the decryption keys.

In the aftermath, security researchers discovered that several of the city’s servers’ Server Message Block version 1 were public facing, the same vulnerability used to launch the global WannaCry attack in May 2017 and NotPetya in June.

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.