LabCorp still recovering from ransomware, won't say if it's SamSam
Medical testing giant LabCorp is still recovering from a ransomware attack nearly a week later, but won’t say just how the hackers got in nor how many servers were impacted.
When asked on Friday to confirm reports that claimed it was SamSam that infected thousands of LabCorp’s servers, the spokesperson would not confirm or deny. And when pressed again with the actual report, the spokesperson pointed to the official statement and wouldn’t say anything further.
But that official statement, containing the attack date, ‘suspicious activity’ and ‘a new variant of ransomware,’ is nearly identical to the publicly available comment and the statement filed with the Securities and Exchange Commission on Monday.
A report from CSO, meanwhile, claimed that thousands of LabCorp’s servers were impacted by the attack, and the notorious SamSam variant was the culprit. SamSam is the virus that shut down the Allscripts platform for about a week in January and is known to use brute force RDP attacks to breach a system and proliferate.
The variant is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta -- among a host of others. What’s worse is that once SamSam gets in, as CynergisTek Executive Vice President of Strategic Innovation David Finn said in January, “Once it’s spread: it’s over.”
While LabCorp was able to quickly contain the attack, in the 50 minutes between detection and mitigation, the ransomware encrypted 7,000 systems, 1,900 servers -- 350 of which were production servers. According to the report, hackers used a brute force attack on the remote desktop protocol to gain access.
The report claimed officials confirmed that only Windows systems were impacted. Further, the official statement stresses that there was no breach of patient data, which the report said LabCorp confirmed through its management and traffic monitoring.
Several analyses of SamSam do support that claim, as they concluded that there is currently no evidence that the hackers are interested in the data. The goal is to spread the virus and collect the ransom.
If it was indeed an attack on the RDP, the attack is very similar to one at Cass Regional Medical Center. Hackers got into the system through a brute force attack on July 9 and officials brought the system back online a week later.
LabCorp is still working to restore its systems, according to the official statement. Officials expect recovery will continue over the next few days.