HHS warns SamSam ransomware is still ravaging healthcare

So far in 2018, hackers continue to look for vulnerable, public-facing servers to gain access to providers’ networks.


Hackers have launched at least eight separate cyberattacks on healthcare and government organizations so far this year using SamSam ransomware, according to the Department of Health and Human Services.

The 2018 attacks include incidents involving two Indiana-based hospitals and one involving cloud-based electronic health record vendor Allscripts, reports the HHS Healthcare Cybersecurity Integration and Communications Center in its latest update on SamSam ransomware activity.

The file-encrypting malware has been active since at least 2016, largely in hospitals and the healthcare and public health sector, notes the center’s report on SamSam ransomware campaigns.

“In the recent SamSam incidents, victim organizations reported that their files were encrypted with the ‘.weapologize’ extension and displayed a ‘sorry’ message,” according to HHS. “This particular SamSam version has infected at least 10 entities since 26 December 2017 and uses a ‘0000-SORRY-FOR-FILES.html’ ransom note.”

SamSam ransomware was behind a major cyberattack in April 2017 on the Erie County Medical Center, a 602-bed hospital in Buffalo, N.Y. Although no patient records were compromised, it took ECMC six weeks to recover from the incident and cost millions of dollars to fix.


HHS reveals that in the 2017 attack on ECMC, hackers leveraged an unpatched vulnerability on a public-facing web server to compromise the server, got a foothold on the hospital’s network and deployed the SamSam ransomware.

“In 2018, the trend of targeting vulnerable, public-facing servers continued for the attackers behind the SamSam campaigns and, although the infection vector for the ongoing campaigns is yet to be confirmed, there has been some discussion among researchers that the attackers’ initial foothold may have been a compromised RDP/VNC (Remote Desktop Protocol/Virtual Network Computing) server,” reports the agency. “The SamSam group is reported to scan the Internet for computers with open RDP connections and then break into networks by brute-forcing the RDP endpoints.”
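The RDP brute-forcing HHS describes above leaves a distinctive trail in Windows Security logs: bursts of failed logons (event 4625) with the RemoteInteractive logon type (10) from one source. The detection below is an added example, not code from HHS or the article; the event records are constructed, and the threshold and window are assumed tuning values.

```python
"""Flag sources producing bursts of failed RDP logons (Windows event 4625,
logon type 10), the pattern of the RDP brute-forcing described in the text.
Constructed sample data; not HHS, SamSam or the article's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2018-01-12T02:14:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-01-12T02:14:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-01-12T02:14:20", 4625, 10, "203.0.113.7", "backup"),
    ("2018-01-12T02:14:31", 4625, 10, "203.0.113.7", "scanner"),
    ("2018-01-12T02:15:02", 4625, 10, "203.0.113.7", "helpdesk"),
    ("2018-01-12T02:15:40", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-01-12T08:00:00", 4625, 10, "198.51.100.20", "jsmith"),  # typo, not a burst
    ("2018-01-12T09:30:00", 4625, 10, "198.51.100.20", "jsmith"),
    ("2018-01-12T09:31:00", 4624, 10, "10.0.0.5", "jsmith"),       # normal internal RDP
    ("2018-01-12T09:32:00", 4625, 3, "203.0.113.7", "svc"),        # network logon, not RDP
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: total_failed_rdp_logons} for every source that
    produced at least `threshold` failed RDP logons inside any sliding
    window of length `window` (threshold and window are assumed defaults)."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, src, _account in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_EVENTS))  # {'203.0.113.7': 6}
```

Accounts tried per flagged source are also worth reviewing, since a burst spread across many usernames points at a spray rather than a single mistyped password.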

The Health Cybersecurity and Communications Integration Center concludes that the 2018 SamSam ransomware attacks “have had material impacts on healthcare services to patients, both through attacks on patient care facilities themselves and through attacks on supporting organizations.”

Given the healthcare industry’s reliance on IT systems and the operational importance of patient data and records, HHS sees the ransomware risk “continuing for the foreseeable future.” As a result, the center recommends that organizations take several steps to protect themselves from SamSam, including maintaining data backups and developing contingency and business continuity plans. Those plans should give organizations the resilience to adapt and respond to adverse cyber events in ways that maintain the confidentiality, integrity and availability of data and services.
