- Healthcare organizations have accounted for one-quarter of SamSam ransomware attack victims so far this year, said security firm Symantec in a recent blog post.
In total, 67 different organizations across sectors have been attacked by the SamSam ransomware, with 56 of those attacks located in the United States, Symantec related.
“Why healthcare was a particular focus remains unknown. The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom,” the blog post noted.
Earlier this year, HHS warned that SamSam ransomware attackers were targeting US healthcare providers and well as government agencies.
HHS noted that SamSam ransomware attacks earlier in the year compromised Indiana-based Hancock Health Hospital and Adams Memorial Hospital, as well as cloud-based electronic health record (EHR) provider Allscripts.
“The SamSam malware has been active since at least 2016 and has largely been associated with ransomware attacks in hospitals and the Healthcare and Public Health (HPH) Sector as a whole,” the HHS report warned.
The signature of SamSam attacks is the encryption of files and data with the “.weapologize” extension, the display of a “sorry” message, and the use of a “0000-SORRY-FOR-FILES.html” ransom note, the report added.
“Beyond being a minor inconvenience, ransomware attacks can have impacts on patient care and delivery within the HPH sector. As a result of a recent attack on one hospital, an outpatient clinic and three physician offices were unable to use that hospital’s network to access patient history or schedule appointments. This unavailability affected between 60 and 80 patients,” the HHS report related.
“Ransomware can even impact patient care through attacks at supporting medical IT institutions. In a recent incident, an electronic practice management and health records provider for the HPH sector reported a SamSam infection in at least two of its data centers. This incident affected services to approximately 1,500 customers (medical practices), resulting in disruptions to non-critical patient care at a number of customer facilities,” it noted.
Open remote desktop protocol (RDP) connections provide the favorite target for SamSam attackers. They break into networks by carrying out brute-force attacks against RDP endpoints.
To thwart SamSam attackers, HHS advised healthcare organizations to restrict access behind firewalls with RDP gateways and virtual private networks, use strong/unique username and passwords with two-factor authentication, limit users who can log in using remote desktop, and implement an account lockout policy to prevent brute force attacks from succeeding.
In its blog post, Symantec explained that the SamSam group’s approach is to break into an organization, perform reconnaissance by mapping out the network, and then encrypt as many endpoints as possible before delivering a single ransom demand.
“The attackers have been known to offer to decrypt all computers for a set ransom and/or offer to decrypt individual machines for a lower fee. In many cases, ransom demands can run to tens of thousands of dollars to decrypt all affected computers in an organization. If successful, these attacks can have a devastating impact on victim organizations, seriously disrupting their operations, destroying business critical information, and leading to massive clean-up costs,” the blog post related.
Symantec warned that in a worst-case scenario, if the organization has no backups available or if backups are encrypted as well, important data such as PHI could be permanently lost. In addition, restoring infected endpoints and cleaning up the network is likely to cost a lot of time and money and could damage the organization's reputation.
The security firm advised organizations to back up important data as part of a robust security strategy to combat ransomware infections.
“Victims need to be aware that paying the ransom does not always work. Attackers may not send a decryption key, could poorly implement the decryption process and damage files, and may deliver a larger ransom demand after receiving the initial payment,” Symantec concluded.