LabCorp still recovering from ransomware, won't say if it's SamSam

Media reports claim that the notorious SamSam ransomware variant took down thousands of the medical testing giant’s servers through an RDP brute force attack, but the company won’t share the details.
By Jessica Davis
04:36 PM

Medical testing giant LabCorp is still recovering from a ransomware attack nearly a week later, but won’t say how the attackers got in or how many servers were affected.

LabCorp was forced to shut down its network on Sunday, after officials discovered suspicious activity. Test processes and customer access were temporarily impacted during its recovery efforts.

When asked on Friday to confirm reports that SamSam had infected thousands of LabCorp’s servers, a company spokesperson would neither confirm nor deny. When pressed again with the report itself, the spokesperson pointed to the official statement and would say nothing further.

But that official statement, which gives the attack date and refers to ‘suspicious activity’ and ‘a new variant of ransomware,’ is nearly identical to the company’s earlier public comment and to the statement filed with the Securities and Exchange Commission on Monday.

A report from CSO, meanwhile, claimed that thousands of LabCorp’s servers were hit and that the notorious SamSam ransomware was the culprit. SamSam is the ransomware that shut down the Allscripts platform for about a week in January; its operators are known to gain initial access by brute-forcing internet-exposed Remote Desktop Protocol (RDP) logins and then spread through the victim’s network from that foothold.

The same ransomware is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta, among a host of others. What’s worse is that once SamSam gets in, as CynergisTek Executive Vice President of Strategic Innovation David Finn said in January, “Once it’s spread: it’s over.”

Even though LabCorp contained the attack quickly, in the 50 minutes between detection and mitigation the ransomware encrypted 7,000 systems, including 1,900 servers, 350 of which were production servers. According to the report, the attackers gained access by brute-forcing Remote Desktop Protocol logins.

The report claimed officials confirmed that only Windows systems were affected. The official statement also stresses that there was no breach of patient data, which the report said LabCorp verified through its management and traffic monitoring.

Several analyses of SamSam support that claim: they concluded there is currently no evidence that the attackers are interested in the data itself. The goal is to spread the ransomware and collect the ransom. That history is not proof for any single incident, though; whether data left the network in a given case rests on that victim’s own logs and traffic records.

If the entry point was indeed RDP, the attack closely resembles one at Cass Regional Medical Center, where hackers got in through a brute-force attack on July 9 and officials brought systems back online a week later.
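The RDP brute-force entry described in the CSO report and in the Cass Regional incident leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, often against several account names, followed by a successful logon (event 4624) from the same address. The detector below is an added example written for this article, not code from LabCorp, CSO or the SamSam analyses it cites; the tab-separated event lines are constructed sample data, and the field layout, threshold and window are assumptions a real deployment would tune against its own SIEM export.

```python
"""Flag RDP password-guessing in Windows Security events (constructed sample).

Windows records a failed logon as event 4625 and a success as 4624. Remote
Desktop sessions carry LogonType 10 (RemoteInteractive); when Network Level
Authentication is enabled, the credential check that fails before the session
is created is logged as LogonType 3 (Network) instead, so both types are
watched by default.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILED = "4625"
LOGON_SUCCESS = "4624"
RDP_LOGON_TYPES = frozenset({"10", "3"})

# Constructed sample, not data from any real incident. Fields are
# timestamp, event id, logon type, target account, source IP (assumed
# layout of a flattened SIEM export).
SAMPLE_EVENTS = """\
2018-07-14T02:00:01\t4625\t10\tadministrator\t203.0.113.7
2018-07-14T02:00:02\t4625\t10\tadministrator\t203.0.113.7
2018-07-14T02:00:04\t4625\t10\tadmin\t203.0.113.7
2018-07-14T02:00:05\t4625\t10\tlabuser\t203.0.113.7
2018-07-14T02:00:07\t4625\t10\tsvc_backup\t203.0.113.7
2018-07-14T02:00:09\t4625\t10\tsvc_backup\t203.0.113.7
2018-07-14T02:00:12\t4624\t10\tsvc_backup\t203.0.113.7
2018-07-14T02:03:30\t4625\t10\tjdoe\t198.51.100.20
2018-07-14T02:05:10\t4624\t10\tjdoe\t198.51.100.20
2018-07-14T02:06:00\t4625\t3\tadministrator\t192.0.2.9
2018-07-14T02:06:01\t4625\t3\tadministrator\t192.0.2.9
2018-07-14T02:06:02\t4625\t3\tadministrator\t192.0.2.9
2018-07-14T02:06:03\t4625\t3\tadministrator\t192.0.2.9
2018-07-14T02:06:04\t4625\t3\tadministrator\t192.0.2.9
"""


def parse_events(text):
    """Parse the tab-separated export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src_ip": src_ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          logon_types=RDP_LOGON_TYPES):
    """Return {src_ip: finding} for sources with >= threshold failures in
    any sliding window; a later success from a flagged source is recorded
    as succeeded_as, which is the 'attacker is now inside' signal."""
    recent = defaultdict(deque)   # src_ip -> recent failed events
    findings = {}
    for ev in events:
        if ev["logon_type"] not in logon_types:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == LOGON_FAILED:
            q = recent[ip]
            q.append(ev)
            while ev["time"] - q[0]["time"] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {
                    "failures": 0, "accounts": set(),
                    "first_seen": q[0]["time"], "succeeded_as": None,
                })
                f["failures"] = max(f["failures"], len(q))
                f["accounts"].update(e["account"] for e in q)
        elif ev["event_id"] == LOGON_SUCCESS and ip in findings:
            findings[ip]["succeeded_as"] = ev["account"]
    return findings


def severity(finding):
    """A burst alone is worth blocking; a burst followed by success is an
    incident, not an alert."""
    return "critical" if finding["succeeded_as"] else "high"


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{severity(f):8} {ip:15} failures={f['failures']} "
              f"accounts={sorted(f['accounts'])} "
              f"succeeded_as={f['succeeded_as']}")
```

In the sample, 203.0.113.7 guesses four account names in under ten seconds and then logs in as svc_backup, which is the pattern to escalate immediately; 192.0.2.9 shows the same burst under LogonType 3, which a rule that only watches LogonType 10 would miss on an NLA-enabled host; and 198.51.100.20 is a user who mistyped a password once, which stays below the threshold. The more durable fix the Cass Regional and LabCorp cases point to is not detection but removing RDP from the internet: reach it through a VPN or gateway with multi-factor authentication and lock out accounts after a handful of failures.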

Last year, U.S. agencies and a host of security researchers predicted these types of attacks would begin to proliferate.

LabCorp is still working to restore its systems, according to the official statement. Officials expect recovery will continue over the next few days.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com