SamSam ransomware hackers bank $6 million and counting from victims

What experts are saying hospitals can do now to avoid falling prey to the ransomware as hackers show no signs of stopping.
By Jessica Davis
08:00 AM

The hackers behind the notorious SamSam ransomware variant have made more than $6 million from their victims since 2015. And with new major victims during the last few weeks, there’s no end in sight. Healthcare organizations need to fill those major vulnerabilities now.

A recent report from cybersecurity firm Sophos estimated a new victim each day and found that about one in four victims paid at least some of the ransom. To make matters worse, hackers have steadily increased the ransom demand since attacks began to spike in January.

Researchers analyzed data from the attacks, spoke to victims, mined private and public SamSam samples to compile the information, and worked with cryptocurrency monitoring and blockchain firm Neutrino to track down the transactions.

The results were damning for the U.S. and for the healthcare industry. About 75 percent of SamSam’s victims were in the U.S. and 26 percent of those happened in the healthcare industry. In fact, the other sectors, government and education, had fewer victims combined.

Many victims didn’t specifically name SamSam. Instead, the researchers were able to identify SamSam by collaborating with other security teams. That being said, 78 percent of healthcare sector victims went public with the true cause.

Cause for concern: 223 of the victims actually paid the ransom. And the FBI and security leaders all specifically warn against paying for numerous reasons, including the fact that funds support the crimes and there’s no guarantee of getting the data back.

Racking up victims

SamSam is not a new virus, but attacks have exponentially increased throughout 2018. The first major publicized healthcare victim was Allscripts. Hackers breached the EHR company’s data centers on Jan. 18, and the platform did not return to normal operations for more than a week.

But that was only the start. SamSam took down the Atlanta government for several days, and within a few weeks of Allscripts two Indiana-based providers, Hancock Health and Adams Memorial, fell victim. Hancock Health admitted to paying the ransom to regain its data.

These attacks got the attention of the government and the Department of Health and Human Services. HHS released an alert in April, warning the sector that the hackers had already claimed 10 organizations in three short months.

Shortly after the alert, Indiana's Allied Physicians of Michiana fell victim to SamSam on May 17. And July reportedly claimed two more healthcare victims: Cass Regional Medical Center and medical testing giant LabCorp. Both faced network interruptions lasting about a week.

Time to act

Looking at SamSam’s victims across all sectors, one thing stands out: All organizations are potential victims, no matter their size or business type. The question is, how can a provider avoid falling victim?

The good news is that SamSam is relatively straightforward and uses a few different methods to get into a system. But hospitals that fail to monitor an abnormal number of login attempts are incredibly vulnerable, as are those that use weak or reused passwords or fail to limit admin credentials.

SamSam is spread through the web, Java apps and other web-based apps. And once it’s in the system, it spreads without malicious emails. While the virus can be stopped if detected before it gets into the system, it’s over once it has breached the network.

Hackers scan the internet for open remote desktop protocol connections or JBoss servers and use either brute-force attacks or access and password vulnerabilities on those endpoints.

Researchers don’t believe hackers are looking to access data. Rather, the virus is meant to spread to other computers and devices throughout the network to demand a ransom payment.

HHS recommends restricting access behind firewalls and using two-factor authentication. Organizations need to limit who has RDP access and use an account lockout policy, the key method for stopping brute-force attacks.
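The lockout-policy rule above ("N failures in M minutes") is also the simplest detection for the abnormal login volume that precedes an RDP brute-force attempt. The Python below is an added example, not code from the article, HHS or Sophos: it applies that rule to constructed failed-logon records (Event ID 4625 with LogonType 10, the RDP logon type) in a simplified, made-up line format, and keys the count on source address so that guesses spread across several accounts are still caught.

```python
# Added example: flag password-guessing bursts against RDP in Windows Security
# log lines. The line format is a constructed, simplified rendering of Event
# ID 4625 (failed logon); LogonType 10 is RemoteInteractive, i.e. RDP.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) LogonType=(?P<lt>\d+)$"
)

# Constructed sample: one source hammering two accounts, plus one user typo.
SAMPLE_LOG = """\
2018-07-20T03:12:01Z EventID=4625 Account=administrator Source=198.51.100.7 LogonType=10
2018-07-20T03:12:03Z EventID=4625 Account=administrator Source=198.51.100.7 LogonType=10
2018-07-20T03:12:04Z EventID=4625 Account=administrator Source=198.51.100.7 LogonType=10
2018-07-20T03:12:06Z EventID=4625 Account=administrator Source=198.51.100.7 LogonType=10
2018-07-20T03:12:08Z EventID=4625 Account=administrator Source=198.51.100.7 LogonType=10
2018-07-20T03:12:09Z EventID=4625 Account=backup Source=198.51.100.7 LogonType=10
2018-07-20T03:15:30Z EventID=4625 Account=jdoe Source=10.0.4.22 LogonType=10
2018-07-20T03:15:41Z EventID=4624 Account=jdoe Source=10.0.4.22 LogonType=10
""".splitlines()

def parse(line):
    """Return (time, event_id, account, source, logon_type) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m["eid"]), m["acct"], m["src"], int(m["lt"])

def failed_rdp_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source IP.
    Returns {source: peak count} for every source that reached `threshold`
    failures inside `window` (the lockout rule, keyed on source, not account)."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, eid, _acct, src, lt = rec
        if eid != 4625 or lt != 10:  # keep only failed RemoteInteractive logons
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```

Run against real data, the same counter fed from exported 4625 events gives the per-source alert that a per-account lockout policy alone does not.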

With RDP backdoors being sold for just $10 on the dark web and thousands of these ports added to the marketplace daily, these attacks won’t stop until healthcare locks down all its endpoints.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com