Ransomware that won’t quit: SamSam still pummeling U.S. healthcare

A new Symantec report finds the notorious, highly targeted virus is primarily hitting the U.S. – especially the healthcare sector, where hackers may believe orgs are more likely to pay.
By Jessica Davis
03:03 PM

The notorious SamSam ransomware – that hampered Allscripts for a week and shut down the city of Atlanta’s government – has not let up as the year draws to a close. And its hackers are continuing to target the U.S., especially the healthcare sector.

According to a new Symantec report, the SamSam hacking group has targeted at least 67 organizations this year, with 56 attacks in the U.S. Just a small number of attacks were reported in France, Portugal, Ireland, Israel and Australia.

The “highly active group” is going after a wide range of sectors, but healthcare organizations appear to be the hackers’ preferred choice. In fact, 24 percent of SamSam attacks in 2018 were on the healthcare sector.

“Why healthcare was a particular focus remains unknown,” the report authors wrote. “The attackers may believe that healthcare organizations are easier to infect, or they may believe that these organizations are more likely to pay the ransom.”


Since the ransomware began ramping up attacks early this year (Allscripts and several health systems fell victim), the SamSam hacking group has banked more than $6 million from its victims. In August, a report from Sophos found that 223 of the victims paid the ransom.

SamSam’s success can be attributed to its attack method. Spread through the web, Java apps and other web-based apps, the virus moves rapidly throughout a victim’s system without the use of malicious emails. Instead, hackers scan the internet to find open remote desktop protocol connections or JBoss servers.

Adding to the problem are RDP backdoors sold on the dark web for just $10, with thousands of new ports added to the market on a daily basis.

Next, the hackers will use either brute-force attacks or access or password vulnerabilities against these open endpoints. While SamSam can be stopped if detected before a successful hack, it’s all over once the virus gets into a system.

Once the hackers are in a victim’s system, they’ll map out the network “before encrypting as many computers as possible.” The hackers will then ask for a ransom.

Healthcare organizations are particularly vulnerable to these types of attacks, as many organizations fail to monitor abnormal or multiple login attempts and still use weak or reused passwords. Those that fail to limit admin credentials also are incredibly vulnerable.
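One way to monitor for the repeated login attempts described above, as an added example that is not from the article or the Symantec report: the script counts failed Windows logons (event 4625) per source address in a sliding window and flags a successful logon (4624) that follows a burst. The one-line record format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs), one per line:
# time, Security event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 = network (RDP with NLA).
SAMPLE_EVENTS = """\
2018-11-01T02:10:01 4625 3 203.0.113.7 administrator
2018-11-01T02:10:09 4625 3 203.0.113.7 admin
2018-11-01T02:10:17 4625 3 203.0.113.7 backup
2018-11-01T02:10:26 4625 3 203.0.113.7 administrator
2018-11-01T02:10:34 4625 3 203.0.113.7 administrator
2018-11-01T02:11:30 4624 10 203.0.113.7 administrator
2018-11-01T08:02:11 4625 10 198.51.100.20 jsmith
2018-11-01T08:02:40 4624 10 198.51.100.20 jsmith
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed failures per source within WINDOW
RDP_LOGON_TYPES = {3, 10}

def parse(text):
    """Yield (time, event_id, logon_type, source, user); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, src, user = parts
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user

def detect(text, window=WINDOW, threshold=THRESHOLD):
    failures = defaultdict(deque)  # source IP -> times of recent failures
    alerted, alerts = set(), []
    for ts, event_id, logon_type, src, user in sorted(parse(text)):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)   # one burst alert per source
                alerts.append(("BRUTE_FORCE", src, user, ts.isoformat()))
        elif event_id == 4624 and len(recent) >= threshold:
            # A success right after a burst is the case that needs response.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, user, ts.isoformat()))
            recent.clear()
    return alerts
```

A single mistyped password followed by a normal logon, as in the second source address in the sample, raises no alert.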

To prevent a SamSam infection, organizations need to restrict access to all public-facing ports. Multi-factor authentication for all applications, especially sensitive systems, also is required, as it can help stop the ransomware from spreading if it does find a way into the network.

Offline backups always are a good idea, as they will provide an organization a way to restore a network and operations without having to pay the ransom.


“The attackers have been known to offer to decrypt all computers for a set ransom and/or offer to decrypt individual machines for a lower fee,” the report authors wrote. “In many cases, ransom demands can run to tens of thousands of dollars to decrypt all affected computers in an organization.”

“If successful, these attacks can have a devastating impact on victim organizations, seriously disrupting their operations, destroying business critical information and leading to massive clean-up costs,” they added.


Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com
