Last week, multiple hospitals fell victim to a new strain of crypto-ransomware that directly attacks vulnerable servers, creating disruption, downtime, and losses of thousands of dollars. The ransomware, nicknamed Samsam, prompted the FBI to issue an urgent warning to the healthcare industry, including signature data for Samsam activity so organizations can scan their networks for infections, according to Reuters.
The MedStar network of hospitals in Maryland was the primary target of hackers last week. Hackers managed to infiltrate many of MedStar’s facilities, including Baltimore’s Union Memorial Hospital. The cyber criminals encrypted MedStar’s data and held it for ransom until the hospital paid 45 bitcoin ($18,500) to have their data decrypted.
Samsam, also known as Samas and MSIL, exploits well-known vulnerabilities in the JBoss application server. Its operators use an open source security testing tool that checks JBoss servers for misconfigurations. Once the attacker has used the vulnerabilities to infiltrate the server, he can install malware on it. He then uses that server to spread the malware throughout the entire network, eventually encrypting data and holding it for ransom. Talos Research, a division of Cisco, found that there are 2.1 million systems that contain these vulnerabilities.
The JBoss systems that were compromised in the MedStar attacks were all Windows servers, and it was found that the hackers used stolen credentials to get into the network weeks before Samsam was installed, indicating that the attack was carried out manually, not automatically. However, Harlan Carvey of SecureWorks told Ars Technica, "I'm sure portions of the attack could be [automated]...not sure about the whole thing, though.” He added, “Now, they could change how they go about that but even if they automate it, that's even more of a reason to have an Advanced Endpoint Threat Detection solution."
The past couple of months have shown a surge in healthcare cyber attacks. Last week, a hospital in Kentucky paid $17,000 to free their data from ransomware. In California, two hospitals along with their other facilities suffered a major disruption from cyber attacks. They were forced to shut down their entire system until their IT staff was able to contain and mitigate the ransomware. Fortunately, they didn’t have to pay the ransom thanks to the ingenuity, expertise, and quick work of their IT staff.
In the MedStar attack, it became clear that the hackers were able to steal login credentials by using a relatively simple phishing email. Talos Research is tracking a couple dozen targets, most of them healthcare organizations.
Craig Williams, spokesperson for Talos, told Ars Technica, "A lot of people in the healthcare industry—they set up websites in a kind of fire and forget fashion. They hire an IT guy, they get the billing system set up, hook it up to the website and then they never touch it again. That's the perfect environment for this type of malware to thrive in because it's not maintained. As a result, the software just goes unpatched.”
Healthcare IT is changing rapidly, and hospitals and other facilities are struggling to maintain tight security. With the massive increase in ransomware, the healthcare industry must evolve if it wants to protect patient and employee data as well as patient health.