Hackers Continue to Turn SamSam Loose on Healthcare

Ryan Black
MAY 23, 2018


Another healthcare provider has reported that its systems were locked up by the notorious SamSam ransomware. Allied Physicians of Michiana, a small health network near South Bend, Indiana, noticed the attack last week and issued a statement about it Monday.

“The incident has been successfully contained at this time,” according to the company’s statement, which also said that the group was working with the FBI to fully discern the scope of the incident. Upon discovering the ransomware, the health network immediately shut down its network in hopes of protecting patient information.

SamSam isn’t acquired by chance. While most ransomware is delivered by phishing emails or drive-by downloads, this particular malware is deployed by hand by attackers who first probe their way into a network. They scan for exposed, poorly secured systems, break in and move through the network manually, and may not know precisely whom they are attacking at first; they use context clues from the devices they find to judge the size of the institution they have accessed and the industry it works in.
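The probe-then-enter pattern described above leaves a trace in the logs of any internet-facing logon service: a burst of failed logons from one source, then a success from the same source. The following is an added example, not code from the article or from any firm it quotes. The log format and the sample lines are constructed for illustration, and the threshold and window are assumptions to tune against real volume; real sources (Windows Security events 4625/4624, sshd, VPN appliances) need their own parser, but the same window logic applies.

```python
"""Flag sources that probe a logon service and then get in.

Added example; the log format below is hypothetical and the sample is
constructed:
    <ISO-8601 timestamp> src=<ip> user=<name> result=<FAIL|OK>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)

# Constructed sample: one noisy scanner that never gets in, one operator that
# guesses a password and then logs in, and one legitimate user with a typo.
SAMPLE_LOG = """\
2018-05-14T02:10:01Z src=198.51.100.7 user=administrator result=FAIL
2018-05-14T02:10:02Z src=198.51.100.7 user=admin result=FAIL
2018-05-14T02:10:03Z src=198.51.100.7 user=guest result=FAIL
2018-05-14T02:10:04Z src=198.51.100.7 user=test result=FAIL
2018-05-14T02:10:05Z src=198.51.100.7 user=scanner result=FAIL
2018-05-14T02:13:07Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:13:09Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:13:12Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:13:15Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:13:18Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:13:22Z src=203.0.113.45 user=administrator result=FAIL
2018-05-14T02:14:01Z src=203.0.113.45 user=administrator result=OK
2018-05-14T08:05:00Z src=192.0.2.10 user=jsmith result=FAIL
2018-05-14T08:05:09Z src=192.0.2.10 user=jsmith result=OK
"""


def parse(text):
    """Return (timestamp, src, user, succeeded) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious(text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> verdict.

    'foothold': at least `threshold` failures inside `window`, then a
                success from the same source (the pattern to page on).
    'scanner':  the failure burst alone, with no success seen.
    Sources that never reach the threshold are not reported.
    """
    recent = defaultdict(list)  # src -> timestamps of failures still in window
    verdicts = {}
    for ts, src, _user, ok in parse(text):
        fails = [t for t in recent[src] if ts - t <= window]
        if ok:
            if len(fails) >= threshold:
                verdicts[src] = "foothold"
            recent[src] = []  # a success ends the burst
        else:
            fails.append(ts)
            recent[src] = fails
            if len(fails) >= threshold and src not in verdicts:
                verdicts[src] = "scanner"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

A 'foothold' verdict is the one worth paging on: it marks the moment an outsider stopped guessing and started operating, which for a hand-driven intrusion like SamSam is the last point before encryption where a defender can still cut the attacker off.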

>>READ: Survey Says Healthcare Leads All Sectors (in Ransomware Infections)

The strain has been weaponized in a rash of attacks so far in 2018. In late March, the Department of Health and Human Services issued a warning that, by that time, there had already been 8 SamSam attacks against healthcare and government institutions. “The ransomware risk to the [healthcare and public health] sector is expected to continue for the foreseeable future,” the document notes. Perhaps the most noteworthy enterprise to encounter the malware was the City of Atlanta, which saw a number of its important web functions crippled as 5 of its agencies became infected in March.

In healthcare, the biggest strike came against digital services and electronic health records (EHR) provider Allscripts. About 1,500 of the company’s smaller healthcare clients faced days’ worth of outages when SamSam was unleashed on the company’s North Carolina-based data centers in January. Offices had to revert to keeping records on paper, and many appointments ended up getting cancelled. One practice would later file a class-action lawsuit against the company as a result of the disruption.

The conventional wisdom is that administrators should not pay the ransom, although in some cases organizations have chosen to do so. Hancock Health, also in Indiana, was hit with SamSam in January and decided to pay up. Its president and CEO, Steve Long, penned a column a week later explaining why his group made that $50,000-plus decision, and why it may have been the right choice.

“It became clear that there were no easy-to-implement means of purging the encrypted data and replacing it with clean data from backup systems,” he wrote. “With this in mind, the decision was made to purchase the decryption keys.” Later, the Hancock team would learn that the “core components” of the company’s backup files had also been corrupted, and for that reason the CEO characterized the purchase as “unavoidable.”

SamSam can be devastating, and the alternatives to paying up can be costly. Atlanta reportedly spent more than $2.5 million to rectify the problems caused by a $50,000 demand.

“In reality, the best way to remediate the situation is to rebuild the network from the ground up,” cybersecurity expert Adam Dean told Healthcare Analytics News in January. The firm he works for, GreyCastle Security, has helped hospitals through SamSam attacks in the past. “You don’t want to just clean off the encrypted files and hope it doesn’t come back. Unfortunately, that’s a very long and tedious process, but that’s the only way to be 100% sure that the infection is cleaned off.”

To protect themselves, experts say healthcare organizations need to secure their digital perimeters.

“For lack of a better term, ‘cyber hygiene’ is something that entities can practice; how you let third parties interconnect to your system is something I would focus on,” Landon Lewis, a partner at cybersecurity firm Pondurance, said in an interview. Any public-facing systems should be kept up to date and tightly secured, and multi-factor authentication should be considered for them. Lewis said it is also important to take frequent inventory of every entry point an attacker could use to get into a network.

Allied Physicians of Michiana declined to confirm the amount of ransom demanded or whether it decided to pay.
