HHS Warns of SamSam Ransomware AttacksAt Least Eight U.S. Organizations Hit So Far This Year
Federal regulators are warning the healthcare sector about ongoing attacks involving SamSam ransomware that have impacted at least eight U.S. organizations so far this year.
See Also: Splunk Predictions 2020
A recent alert from the Department of Health and Human Services' Healthcare Cybersecurity and Communications Integration Center notes that the SamSam malware, active since 2016, has been largely associated with ransomware attacks against hospitals and others in the healthcare and public health sector.
"Healthcare is a soft target, and as long as cybersecurity is cast as an IT problem, it will remain a soft target."
—Rich Curtiss, CISO, Clearwater Compliance
Rich Curtiss, CISO at the consultancy Clearwater Compliance, says that heathcare has been hard-hit in recent SamSam attacks for key reasons: "Healthcare, in general, is and has been the number one critical infrastructure sector to be targeted by cybercriminals. Healthcare is a soft target, and as long as cybersecurity is cast as an IT problem, it will remain a soft target. This virtually ensures any new attacks will target healthcare organizations first and foremost."
The alert notes that in recent SamSam incidents, victim organizations reported that their files were encrypted with the ".weapologize" extension that displayed a "sorry" message.
"This particular SamSam version has infected at least 10 entities since Dec. 26, 201, and uses a '0000-SORRY-FOR-FILES.html' ransom note," the alert says. While most of the victims in this string of SamSam attacks are in the U.S., some were in Canada and India, HHS says.
HHS lists general information about eight known victims in 2018 attacks, but does not specifically identify most of them. Those entities include:
- Two Indiana hospitals;
- A cloud-based electronic health records provider;
- A New Mexico municipality computer system;
- A U.S. industrial control systems company;
- Davidson County in North Carolina;
- Systems and services in Atlanta;
- Colorado's Department of Transportation, which was attacked twice.
Although not named in the alert, one of the two Indiana healthcare entities mentioned is Hancock Health, a healthcare system that includes Hancock Regional Hospital and more than 20 other healthcare facilities. That organization in January acknowledged that it paid four bitcoins - worth about $55,000 at the time - to unlock its systems following a SamSam ransomware attack on Jan. 11.
The unnamed EHR vendor mentioned in the HHS alert is Allscripts, which in January said an attack involving a variant of the SamSam ransomware for several days impacted "a limited number" of its applications, including its cloud-based Professional EHR and Electronic Prescriptions for Controlled Substances services.
The HHS alert notes that the disruption of the EHR services reportedly impacted about 1,500 medical practice clients of the vendor.
Among the government organizations impacted by SamSam attacks so far in 2018 was the city of Atlanta, where the ransomware for several days hampered citizens from paying bills and accessing court-related information, among other disruptions.
More Than an 'Inconvenience'
HHS notes that ransomware attacks on the healthcare sector can pose potential patient care risks.
"Beyond being a minor inconvenience, ransomware attacks can have impacts on patient care and delivery within the [healthcare] sector," HHS says. "As a result of a recent attack on one hospital, an outpatient clinic and three physician offices were unable to use that hospital's network to access patient history or schedule appointments. This unavailability affected between 60 and 80 patients."
Mac McMillan, CEO of security consultancy CynergisTek, expects SamSam and other ransomware attacks on the healthcare sector to persist.
"We will see new variants of SamSam and other ransomware attacks continue to emerge and affect healthcare as long as these attacks continue to be lucrative for the attacker," he predicts. "The percentage of organizations paying the ransom continues to grow despite the fact that a high percentage of those who do pay still don't get their data back. As long as that happens, they will come."
Some recent trends involving malware attacks are even more worrisome, he contends. "The thing that concerns me the most about potential emerging attacks are the ones like NotPetya designed to just destroy the data, without intention of returning or relinquishing [the data]," he says.
Future attacks involving corruption of data "could be even more devastating, as organizations won't realize they have been hacked until some negative outcome occurs," McMillan says. "At least with destruction or encryption you know what information has been affected; with corruption you may not know until it is too late."
Third-party vendors appear to be a risk factor in at least some of the SamSam attacks, some experts note.
"It seems most SamSam attacks are carried out by a human using legitimate credentials - usually stolen from a third-party vendor - actively working on the victim network and looking for ways to propagate and elevate privileges," says Max Henderson, security analyst at Pondurance, a security consulting firm that assisted Hancock Health with its SamSam recovery effort.
"Right now, there are so many vulnerable vendors, server message block interfaces and RDP interfaces, plus a hoard of credentials available to purchase online, that SamSam actors do not really have the need to deploy any advanced capabilities," adds Jason Ortiz, senior integration engineer at Pondurance.
Organizations should take critical steps to avoid falling victim to malware attacks.
"Eliminate remote services without strong authentication and security. Only permit remote connection using a virtual private network and two-factor authentication, but be diligent regarding cyber hygiene," McMillan suggests.
Healthcare entities should have a plan for quickly recovering from any malware attack.
"The key to mitigating impacts and recovering faster is having well-documented and understood recovery practices," he says. "Knowing the who, what, where and how of incident response makes all the difference."
HHS' Mitigation Tips
HHS notes that SamSam scans the internet for computers with open remote desk protocol connections and then breaks into networks by brute-forcing the RDP endpoints.
The agency advises that to prevent attackers from gaining access to servers via RDP, organizations should:
- Use RDP gateways and VPNs to restrict access behind firewalls;
- Use strong/unique username and passwords as well as two-factor authentication;
- Limit users who can log in using a remote desktop;
- Implement an account lockout policy to help thwart brute force attacks.
But mitigating the threats posed by ransomware will also require a shift in mindset for many healthcare sector entities, Curtiss contends.
"It is so important to healthcare, as an industry and a critical infrastructure sector, to govern cybersecurity and information risk management from the C-Suite and board of directors - and not from the recesses of the IT organization," he says. "The lack of insight to cybersecurity exposures by most healthcare organizations is holding them back and continues to put them in harm's way - both the organization and the patients."