Cybercriminals carrying out SamSam ransomware attacks, which have been identified by HHS as posing a significant threat to healthcare organizations this year, focus on victims that are most likely to pay to get their data back, such as hospitals, according to an analysis by security firm Sophos.
The SamSam cybercriminals use two methods to get access to their target organization: they either exploit system vulnerabilities to gain access to the target’s network or they launch brute-force attacks against weak Remote Desktop Protocol (RDP) passwords.
Once cybercriminals have penetrated the target organization’s network, they look for more victims through network mapping and stealing credentials, according to Sophos. They then manually deploy the SamSam ransomware on selected systems using PsExec and batch scripts.
SamSam attackers are very good at hiding their attack vectors. They are able to obscure their initial infection point and some of their subsequent movements inside the network. In addition, they delete files involved in the attack, including the SamSam payload, and change their deployment methodology frequently.
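The chain described above (RDP password guessing that ends in a logon, followed by PsExec deployment) leaves traces in Windows event logs that defenders can correlate. The sketch below is an added example, not taken from the Sophos or HHS reports; the record layout, host names, addresses and thresholds are constructed assumptions, while event IDs 4625, 4624 and 7045 and the `PSEXESVC` service name are the standard Windows and PsExec values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, simplified from Windows event fields:
# 4625 = failed logon, 4624 = successful logon (Security log),
# 7045 = service installed (System log). LogonType 10 = RemoteInteractive (RDP).
def ts(s):
    return datetime.strptime(s, "%H:%M:%S")

SAMPLE = (
    [{"time": ts(f"02:00:{i:02d}"), "host": "rdp-gw", "id": 4625,
      "ip": "203.0.113.7", "logon_type": 10} for i in range(0, 40, 5)]
    + [{"time": ts("02:01:00"), "host": "rdp-gw", "id": 4624,
        "ip": "203.0.113.7", "logon_type": 10},
       {"time": ts("02:30:00"), "host": "ehr-db", "id": 7045,
        "service": "PSEXESVC"},
       {"time": ts("03:00:00"), "host": "rdp-gw", "id": 4624,
        "ip": "198.51.100.9", "logon_type": 10}]
)

def detect(events, threshold=5, window=timedelta(minutes=10),
           follow_up=timedelta(hours=4)):
    """Alert on RDP brute force that ends in a logon, and on PsExec
    service installs that follow such a logon within follow_up."""
    fails = defaultdict(deque)   # (host, source ip) -> recent failure times
    alerts, last_breach = [], None
    for e in sorted(events, key=lambda e: e["time"]):
        # Type 3 is included because NLA-protected RDP often logs failures as 3.
        if e["id"] in (4625, 4624) and e.get("logon_type") in (3, 10):
            q = fails[(e["host"], e["ip"])]
            while q and e["time"] - q[0] > window:
                q.popleft()              # drop failures outside the window
            if e["id"] == 4625:
                q.append(e["time"])
            elif len(q) >= threshold:    # success right after many failures
                alerts.append(("rdp_bruteforce_success", e["host"], e["ip"]))
                last_breach = e["time"]
                q.clear()
        elif e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            if last_breach and e["time"] - last_breach <= follow_up:
                alerts.append(("psexec_after_breach", e["host"], None))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because the attackers delete their files afterwards, these log sources are only useful if they are forwarded off the host before cleanup.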
In its March report on SamSam ransomware, HHS said that at least eight cyberattacks had been carried out on healthcare and government organizations so far this year: Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based electronic health record (EHR) provider Allscripts, the municipality of Farmington in New Mexico, an undisclosed US industrial control system company, Davidson County offices in North Carolina, Colorado’s Department of Transportation, and Atlanta’s systems and services.
The healthcare sector continues to face challenges from ransomware attacks. These attacks have affected healthcare services to patients, both through attacks on patient care facilities themselves and through attacks on supporting organizations.
Because of the healthcare sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk is expected to increase. HHS said it encourages organizations to use data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware attack.
SamSam is not the only ransomware strain that has targeted healthcare organizations. Last year, the WannaCry ransomware infected thousands of medical devices and crippled the UK’s National Health Service (NHS) and other healthcare providers. The NHS had to cancel certain services, patient records were unavailable and phones did not work.
The attack targeted Microsoft’s Windows operating system and impacted more than 230,000 individual computers.
In response to the WannaCry attacks, the NHS has taken several steps to protect its systems against ransomware, including recently signing an agreement with Microsoft to use its Windows 10 software and security settings on NHS computers.
The UK Department of Health and Social Care said April 28 that it plans to spend £150 million to improve the NHS’s resilience against cyberattacks over the next three years. As part of that effort, the department plans to set up a new digital security operations center to prevent, detect, and respond to incidents. This will be in addition to the £60 million already spent to address cybersecurity weaknesses at the NHS since the WannaCry attacks.
“We know cyberattacks are a growing threat, so it is vital our health and care organizations have secure systems which patients trust,” commented Health and Social Care Secretary Jeremy Hunt.
Other measures to improve NHS cybersecurity include:
• £21 million to upgrade firewalls and network infrastructure at major trauma center hospitals and ambulance trusts
• £39 million spent by NHS trusts to address infrastructure weaknesses
• New powers given to the Care Quality Commission to inspect NHS trusts on their cyber and data security capabilities
• Data security and protection toolkit which requires health and care organizations to meet 10 security standards
• Text messaging alert system to ensure trusts have access to accurate information, even when internet and email services are down
“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat. This new technology will ensure the NHS can use the latest and most resilient software available–something the public rightly expect,” Hunt added.