SamSam ransomware attacks, which have targeted healthcare organizations, have netted their creator $6 million so far, according to a recent report by security firm Sophos.
Three-quarters of the victims are based in the United States, and the largest ransom paid by an individual victim is $64,000.
Medium to large organizations in healthcare, education, and government make up half of the identified victims. Healthcare victims include Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based EHR provider Allscripts, and possibly Case Regional Medical Center.
Based on Sophos’ research of the Bitcoin addresses in ransom notes, it estimated that about 233 victims have paid a ransom to the attacker.
The report noted that SamSam attackers wait for an opportune moment, typically launching the encryption commands in the middle of the night or the early hours of the morning of the victim’s local time zone, when most users and admins would be asleep.
SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications. Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it, Sophos explained.
The cost victims are charged in ransom has increased significantly, and the tempo of attacks shows no sign of slowing down, according to the report.
Sophos identified six stages of a SamSam ransomware attack: 1) target identification and acquisition, 2) penetrating the network, 3) elevating privileges, 4) scanning the network for target computers, 5) deploying and executing the ransomware, and 6) awaiting payment.
“The attacker gives the victim roughly seven days to pay the ransom, although, for an additional cost, this time can be extended,” the report observed.
Security firm McAfee found that attackers increased their SamSam ransomware attacks against the healthcare sector in the first quarter of 2018, with numerous cases of hospitals paying the ransom to regain access to their systems.
According to McAfee, healthcare saw a 47 percent jump in cyberattacks in the first quarter of 2018 compared with the fourth quarter of 2018. Healthcare was the most targeted sector in terms of the number of breaches in the 2017-2018 period, followed by the public sector and education.
Earlier this year, HHS warned about SamSam ransomware zeroing in on healthcare organizations and government agencies.
SamSam's signature is the encryption of files and data with the “.weapologize” extension, the display of a “sorry” message, and the use of a “0000-SORRY-FOR-FILES.html” ransom note, HHS said.
HHS explained that SamSam hackers focus their attacks on open remote desktop protocol (RDP) connections and break into networks by carrying out brute-force attacks against these endpoints.
Because SamSam hackers attack RDP connections, HHS recommended that healthcare organizations restrict access behind firewalls with RDP gateways and virtual private networks, use strong, unique usernames and passwords with two-factor authentication, limit the users who can log in using remote desktop, and implement an account lockout policy to help thwart brute-force attacks.
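The brute-force pattern HHS describes leaves a recognizable trail in Windows Security logs: a run of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one address, often at night, sometimes followed by a success (Event ID 4624). The script below is an added example, not code from the article, Sophos or HHS; it runs the detection over constructed sample records and also simulates the account lockout policy HHS recommends, to show whether the lockout would have been in force before the successful logon. The threshold, window, timestamps and addresses are all made up for the example.

```python
# Added example (not from the article or from Sophos/HHS): detecting the RDP
# brute-force pattern and checking what an account lockout policy would have done.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# All timestamps (victim local time) and addresses are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2018-07-30 02:14:05", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:14:31", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:15:02", "id": 4625, "logon_type": 10, "user": "admin",         "src": "198.51.100.23"},
    {"time": "2018-07-30 02:15:15", "id": 4625, "logon_type": 2,  "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:15:40", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:16:11", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:16:48", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 02:18:20", "id": 4624, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-07-30 09:03:12", "id": 4625, "logon_type": 10, "user": "jsmith",        "src": "203.0.113.9"},
    {"time": "2018-07-30 09:03:40", "id": 4624, "logon_type": 10, "user": "jsmith",        "src": "203.0.113.9"},
    {"time": "2018-07-30 13:22:01", "id": 4624, "logon_type": 10, "user": "nurse01",       "src": "10.0.0.5"},
]

THRESHOLD = 5                   # failed logons before alerting / locking (constructed policy value)
WINDOW = timedelta(minutes=10)  # counter reset window, like "Reset account lockout counter after"
OFF_HOURS = range(0, 6)         # local hours the report associates with SamSam activity


def _t(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def _sliding_count(bucket, now, window):
    """Drop entries older than the window; return how many remain."""
    while bucket and now - bucket[0][0] > window:
        bucket.pop(0)
    return len(bucket)


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Flag sources with >= threshold failed RDP logons inside the window and
    record whether a successful RDP logon from that source followed."""
    findings = {}
    failures = defaultdict(list)            # src -> [(time, user), ...]
    for e in sorted(events, key=_t):
        if e["logon_type"] != 10:           # only RDP (RemoteInteractive) logons matter here
            continue
        now, src = _t(e), e["src"]
        if e["id"] == 4625:
            failures[src].append((now, e["user"]))
            if src in findings:
                findings[src]["failures"] += 1
            elif _sliding_count(failures[src], now, window) >= threshold:
                findings[src] = {
                    "failures": len(failures[src]),
                    "accounts": sorted({u for _, u in failures[src]}),
                    "first_failure": failures[src][0][0].strftime("%Y-%m-%d %H:%M:%S"),
                    "off_hours": failures[src][0][0].hour in OFF_HOURS,
                    "success_after_burst": False,
                }
        elif e["id"] == 4624 and src in findings:
            findings[src]["success_after_burst"] = True
            findings[src]["compromised_account"] = e["user"]
            findings[src]["success_time"] = e["time"]
    return findings


def simulate_lockout(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: time} at which a lockout policy of `threshold` failures
    within `window` would have locked each account; every failed logon counts,
    whatever its logon type, as the Windows policy does."""
    locked = {}
    failures = defaultdict(list)            # user -> [(time, src), ...]
    for e in sorted(events, key=_t):
        if e["id"] != 4625 or e["user"] in locked:
            continue
        now = _t(e)
        failures[e["user"]].append((now, e["src"]))
        if _sliding_count(failures[e["user"]], now, window) >= threshold:
            locked[e["user"]] = e["time"]
    return locked


def blocked_by_lockout(events, threshold=THRESHOLD, window=WINDOW):
    """Accounts whose post-burst successful RDP logon came after the simulated
    lockout time, i.e. logons the lockout policy would have prevented."""
    lockouts = simulate_lockout(events, threshold, window)
    blocked = []
    for f in detect_rdp_bruteforce(events, threshold, window).values():
        user = f.get("compromised_account")
        if user in lockouts and lockouts[user] < f["success_time"]:  # same timestamp format, so string order works
            blocked.append(user)
    return sorted(blocked)


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {f}")
    print("lockouts:", simulate_lockout(SAMPLE_EVENTS))
    print("blocked by lockout:", blocked_by_lockout(SAMPLE_EVENTS))
```

On the sample data the single-failure typo from 203.0.113.9 is ignored, the burst from 198.51.100.23 is flagged as off-hours with a success two minutes later, and the simulated lockout would have locked `administrator` at 02:16:11, before that success. Feeding real events in means mapping the EventID, LogonType, TargetUserName and IpAddress fields from the Security log into the same dictionary shape.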
HHS said that organizations should consider the following factors before they pay the ransom:
- Paying a ransom does not guarantee an organization will regain access to its data; some individuals or organizations were never provided with decryption keys after paying a ransom.
- Some victims who paid the ransom were targeted again by cyber actors.
- After paying the original ransom, some victims were asked to pay more to get the promised decryption key.
- Paying could encourage this criminal business model.
Ransomware attacks have had material impacts on healthcare services to patients, both through attacks on patient care facilities themselves and through attacks on supporting organizations.
Because of the healthcare sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk is expected to increase. HHS said it encourages organizations to use data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware event.