Two new ransomware strains discovered, can spread even when offline
Ransomware attacks are growing in severity and sophistication. Two newly discovered strains, Samsam and Maktub Locker, are prime examples of what healthcare organizations can expect in the near future.
Samsam gains its initial foothold by exploiting vulnerabilities in unpatched JBoss application servers exposed by the organization, then spreads from that server to every machine it can reach on the internal network.
Maktub Locker, for its part, arrives through spam or phishing emails carrying the malware in an attachment, typically a .ZIP file. Once the attachment is opened, Maktub encrypts the data on the infected machine and on every system it can reach over the network.
What's interesting about Maktub is that it does not merely use the email to download further components onto the computer. As soon as the .ZIP file is opened, a malicious rich text file inside it infects the entire system, said Lee Kim, HIMSS director of privacy and security, technology solutions. The email itself looks legitimate, with the attachment posing as a "Terms of Service" or "Terms of Use" document.
It differs from other ransomware, such as Locky, in being an "all-in-one" attack. Other families must contact a command-and-control server to obtain an encryption key or download the encryption component before they can do damage; Maktub and Samsam carry those tools in the initial payload.
"Even if your network’s connection is shut off, it can encrypt anything and everything it has access to," Kim said. "All that you need is the email; even if you're offline, that won't protect you."
Both strains encrypt data and files, including any backups reachable over the network, and Maktub additionally compresses the files it encrypts. The files are held under strong encryption until the attacker releases the decryption key.
"There are more and more healthcare organizations getting hit, but it's because the virus has evolved into this complex beast on how it's deployed," Kim said.
She recommended that healthcare organizations back up data in real time, so that files can be restored without losing information in case of an attack. Organizations also need to keep copies offline, where malware on the network cannot reach them, and networks should be segmented behind properly configured firewalls, with routine risk assessments.
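Because these strains never need to phone home, network-based indicators (DNS lookups, command-and-control traffic) will not fire; the detection has to happen on the host or the file server. The following Python script is an added example, not code from the article or from HIMSS, of host-side heuristics that work with the network cable pulled: Shannon entropy of written data (ciphertext sits near 8 bits per byte), recognition of known container headers so that legitimately compressed files are not mistaken for ciphertext (Maktub compresses before it encrypts, but the encrypted result carries no header and is still flagged), a burst counter for many opaque writes in a short window, and a canary file planted beside the backups that nothing legitimate should ever modify. The paths, thresholds and write events are constructed for the demo; `fake_ciphertext` is a deterministic stand-in for ransomware output, not a cipher.

```python
"""Host-side ransomware write monitor (added example, stdlib only).

Heuristics, none of which depend on network visibility:
  1. Shannon entropy of the bytes written (ciphertext ~ 8 bits/byte).
  2. Known container headers (gzip/zip/png/pdf) are high-entropy too and
     are reported as "known-format" instead of ciphertext.
  3. Burst rate: BURST_COUNT opaque writes within BURST_WINDOW_S seconds.
  4. Canary files whose content must never change.
All paths, thresholds and sample data below are constructed for the demo.
"""
import hashlib
import math
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

ENTROPY_THRESHOLD = 7.5   # bits/byte; English text ~4.5, encrypted/random ~7.9+
MIN_SAMPLE = 256          # entropy of fewer bytes is not a useful signal
BURST_WINDOW_S = 10.0
BURST_COUNT = 5

KNOWN_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip",
               b"\x89PNG": "png", b"%PDF": "pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'known-format', 'small', 'plain' or 'opaque' (high entropy, no header)."""
    for magic in KNOWN_MAGIC:
        if data.startswith(magic):
            return "known-format"
    if len(data) < MIN_SAMPLE:
        return "small"
    return "opaque" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "plain"


@dataclass
class WriteEvent:
    ts: float      # seconds since monitor start
    path: str
    data: bytes    # content written to the file


class RansomwareMonitor:
    def __init__(self, canaries: Dict[str, bytes]):
        # Expected SHA-256 of each planted canary file.
        self.canary_hashes = {p: hashlib.sha256(d).digest() for p, d in canaries.items()}
        self.opaque_ts: Deque[float] = deque()   # timestamps of recent opaque writes

    def observe(self, ev: WriteEvent) -> List[str]:
        alerts = []
        expected = self.canary_hashes.get(ev.path)
        if expected is not None and hashlib.sha256(ev.data).digest() != expected:
            alerts.append(f"canary modified: {ev.path}")
        if classify(ev.data) == "opaque":
            self.opaque_ts.append(ev.ts)
            while self.opaque_ts and ev.ts - self.opaque_ts[0] > BURST_WINDOW_S:
                self.opaque_ts.popleft()        # drop writes outside the window
            if len(self.opaque_ts) >= BURST_COUNT:
                alerts.append(f"burst: {len(self.opaque_ts)} opaque writes within {BURST_WINDOW_S:g}s")
        return alerts


def fake_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output.
    SHA-256 in counter mode: a demo stand-in, not a cipher."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def run_demo() -> List[str]:
    """Constructed sequence: one ordinary document, then a sweep that
    overwrites files on a share that also holds the backups and the canary."""
    canary_path = r"\\fileserver\backups\.do_not_touch.docx"
    mon = RansomwareMonitor({canary_path: b"canary " * 100})
    events = [WriteEvent(0.0, r"\\fileserver\docs\report.txt", b"Quarterly figures: " * 40)]
    for i in range(1, 6):
        events.append(WriteEvent(float(i), rf"\\fileserver\docs\file{i}.dat",
                                 fake_ciphertext(4096, f"f{i}".encode())))
    events.append(WriteEvent(6.0, canary_path, fake_ciphertext(4096, b"canary")))
    alerts: List[str] = []
    for ev in events:
        alerts.extend(mon.observe(ev))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the demo the burst alert fires on the fifth opaque write and the canary alert on the sixth; on a real file server the `WriteEvent` stream would come from an audit log or a filesystem watcher, and the response to either alert would be to cut the offending host off from the share before the backups are reached. The entropy check alone is not sufficient: legitimately compressed or already-encrypted files look the same, which is why the canary and the burst rate are combined with it, and why an offline copy of the backups remains the recovery path of last resort.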
"We need to make sure we have a complete, strong security program that blocks the malware we know about," Kim said. "So if something gets into our system, we can stop and eradicate it to stop the bleed. It's also really important to block and tackle what you can – and have a plan."
Kim added that there's no substitute for good security.
"It really is a battle between these cyber criminals and the rest of us," she said. "There definitely is a learning curve, but we can benefit as a community to try to build these solutions together."
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com