For the last few weeks, SamSam ransomware attacks have steadily increased across all sectors. The virus took down the entire municipality of Farmington, New Mexico, and just last week two hospitals were hit -- Hancock Health and Adams Memorial.

Allscripts appears to have become the first EHR vendor brought down by ransomware, although officials have said the variant is slightly different than the strain impacting those other organizations.

[Also: Allscripts hit by ransomware, knocking some services offline]

Regardless, there’s been an uptick in SamSam attacks since about Jan. 11, although some security experts saw the start Dec. 25. As these attacks show no signs of slowing down, it’s important for healthcare security leaders to understand how the virus gets in to prevent falling victim.

SamSam evolution

While there’s been a sudden increase in attacks, SamSam isn’t a new strain. The virus first made an appearance in the healthcare sector in 2016. It’s not a stock ransomware variant but is instead a customized strain used in targeted attacks.

SamSam hackers are known to scan the internet for open RDP connections and break into networks leveraging either weak passwords or with brute force attacks on these endpoints. The goal is to spread to other devices and computers on the network.

[Also: Protecting against the new arsenal of weaponized malware]

HIMSS North America Director of Privacy and Security Lee Kim explained that the early variants of SamSam didn’t require a phishing email to get in: The hackers just exploit unpatched machines. And once the hackers got a foothold into the server, it would spread throughout a network.

“The theory [was]: Your JBoss server is external facing to the internet,” said Kim. “Other machines are behind a firewall, segmented off. But your web server and other machines may be on the same subnet or other proxy, which can connect to the infected machine.”

And the latest strain, according to other security experts, follows this attack method: targeting external facing RDP servers.

Who’s vulnerable?

There are a few different ways a hacker can use SamSam to get into a system. For example, those who use weak passwords, reuse passwords and fail to limit admin credentials. A brute force tool can break weak credentials to get in, especially if an organization has failed to limit the number of attempts allowed by a user to get into a system.

Organizations that also fail to monitor an abnormal amount of attempts are also at risk.

One of the things seen by CynergisTek Executive Vice President of Strategic Innovation David Finn is that often organizations put antivirus on laptops, desktops and other physical machines, but fail to keep servers locked up and safe with antivirus.

“It needs to be on all of your endpoints,” said Finn. “We sometimes forget about those servers being endpoints.”

While SamSam is highly effective, Finn said, “it isn’t terribly sophisticated.”

The virus is spread through the web and Java apps, as well as other web-based applications, explained Finn. And once it gets into the system, it spreads -- without a malicious email. SamSam can be stopped if detected before it gets into a system, but “once it’s spread: it’s over.”

“It speaks to effectiveness not sophistication,” said Finn. “That’s one of those things that makes it more insidious. It can traverse the network without human intervention. That’s why the prevention piece becomes more critical.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com