Healthcare Ransomware Challenges: HHS Warns of SamSam Ransomware Attacks

The healthcare sector needs to be aware and take steps to prepare, prevent, and respond to ransomware such as the attacks that have impacted at least eight U.S. organizations so far this year.

A recent alert from the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center notes that the SamSam malware, active since 2016, has been largely associated with ransomware attacks against hospitals and others in the healthcare and public health sector.

Here is a summary of that alert from HHS:

In 2018, there have been at least eight separate cyber-attacks on healthcare and government organizations utilizing a form of ransomware known as SamSam:

  • Two Indiana based hospitals
  • A cloud-based Electronic Health Record (EHR) provider
  • A New Mexico Municipality computer system
  • An unnamed ICS (Industrial Control Systems) company in the US
  • Davidson County in North Carolina
  • Colorado’s Department of Transportation (CDOT) – twice
  • Systems and services in Atlanta, Georgia

In ransomware attacks such as these, an attacker gains unauthorized access to an organization’s computer network and uses ransomware software to block most or all of the organization’s access to their own files and data.

Access to the affected files is restricted until a ransom is paid to the attackers, and an accompanying timer usually provides only a limited amount of time to pay the ransom.

The SamSam malware has been active since at least 2016 and has largely been associated with ransomware attacks in hospitals and the Healthcare and Public Health (HPH) Sector as a whole.

The alert notes that in recent SamSam incidents, victim organizations reported that their files were encrypted with the “.weapologize” extension that displayed a “sorry” message.

“This particular SamSam version has infected at least 10 entities since Dec. 26, 2017, and uses a ‘0000-SORRY-FOR-FILES.html’ ransom note,” the alert says. While most of the victims in this string of SamSam attacks are in the U.S., some were in Canada and India, HHS says.

Known Victims:

HHS lists general information about eight known victims in 2018 attacks but does not specifically identify most of them. Those entities include:

  • Two Indiana hospitals;
  • A cloud-based electronic health records provider;
  • A New Mexico municipality computer system;
  • A U.S. industrial control systems company;
  • Davidson County in North Carolina;
  • Systems and services in Atlanta;
  • Colorado’s Department of Transportation, which was attacked twice.

Although not named in the alert, one of the two Indiana healthcare entities mentioned is Hancock Health, a healthcare system that includes Hancock Regional Hospital and more than 20 other healthcare facilities. That organization in January acknowledged that it paid four bitcoins – worth about $55,000 at the time – to unlock its systems following a SamSam ransomware attack on Jan. 11.

The HHS alert notes that the disruption of the EHR services reportedly impacted about 1,500 medical practice clients of the vendor.

Among the government organizations impacted by SamSam attacks so far in 2018 was the city of Atlanta, where the ransomware for several days hampered citizens from paying bills and accessing court-related information, among other disruptions.

HHS notes that ransomware attacks on the healthcare sector can pose potential patient care risks.

“Beyond being a minor inconvenience, ransomware attacks can have impacts on patient care and delivery within the [healthcare] sector,” HHS says. “As a result of a recent attack on one hospital, an outpatient clinic and three physician offices were unable to use that hospital’s network to access patient history or schedule appointments. This unavailability affected between 60 and 80 patients.”

Taking Action:

Organizations should take critical steps to avoid falling victim to malware attacks. Entities should also have a plan for quickly recovering from any malware attack.

HHS notes that SamSam scans the internet for computers with open Remote Desktop Protocol (RDP) connections and then breaks into networks by brute-forcing the RDP endpoints.

The agency advises that to prevent attackers from gaining access to servers via RDP, organizations should:

  • Use RDP gateways and VPNs to restrict access behind firewalls;
  • Use strong, unique usernames and passwords as well as two-factor authentication;
  • Limit users who can log in using a remote desktop;
  • Implement an account lockout policy to help thwart brute force attacks.
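The four HHS recommendations above map onto a handful of settings on a Windows server. The following PowerShell script is an added example, not part of the HHS alert or this article, that audits who can log on over RDP, turns on Network Level Authentication, scopes the built-in Remote Desktop firewall rules to a gateway/VPN subnet, and sets a local account lockout policy. The subnet 10.20.0.0/24 and the lockout numbers are assumptions chosen for illustration; in a domain, set the lockout policy through Group Policy rather than `net accounts`.

```powershell
# Added example (not from the HHS alert or the article): audit and tighten RDP exposure on a
# Windows Server. Run in an elevated session. Address ranges and thresholds are assumptions.
#Requires -RunAsAdministrator

# 1. Limit users who can log in over RDP: list members of "Remote Desktop Users" and flag any
#    that are also local Administrators, since admin accounts are the prime brute-force target.
function Get-RdpUserAudit {
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($u in $rdpUsers) {
        [pscustomobject]@{
            Name            = $u.Name
            ObjectClass     = $u.ObjectClass
            IsAdministrator = [bool]($admins | Where-Object { $_.SID -eq $u.SID })
        }
    }
}

# 2. Require Network Level Authentication, so credentials are verified before a desktop
#    session is built (reduces the unauthenticated attack surface of the listener).
function Enable-RdpNla {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

# 3. Put RDP behind the gateway/VPN: confine the inbound "Remote Desktop" firewall rules to the
#    assumed gateway subnet instead of "Any", so TCP/3389 is not reachable from the Internet.
function Set-RdpFirewallScope {
    param([string[]]$AllowedSources = @('10.20.0.0/24'))   # assumption: RDP gateway / VPN subnet
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True
}

# 4. Account lockout: N bad passwords within the window lock the account for the duration.
#    Values below are assumptions; tune them so that brute forcing stalls without locking out
#    legitimate users on a single typo.
function Set-LocalLockoutPolicy {
    param([int]$Threshold = 5, [int]$WindowMinutes = 15, [int]$DurationMinutes = 15)
    net accounts /lockoutthreshold:$Threshold /lockoutwindow:$WindowMinutes /lockoutduration:$DurationMinutes | Out-Null
}

Get-RdpUserAudit | Format-Table -AutoSize
Enable-RdpNla
Set-RdpFirewallScope
Set-LocalLockoutPolicy
```

Run the audit first and review its output before applying the remaining three functions; an administrator account that appears in the RDP users group is the account most worth moving behind two-factor authentication at the gateway.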

Another option for proactively monitoring suspicious behavior and system-level changes on PCs and servers is to use File Integrity Monitoring (FIM) software and to have the logs from critical systems and devices analyzed by a SIEM service. Ideally this type of service would be monitored by skilled cybersecurity personnel who are part of a Security Operations Center (SOC).
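One concrete thing a SIEM or SOC analyst would look for, given the RDP brute-forcing HHS describes, is a burst of failed logons (Windows Security event 4625) from a single source address. The script below is an added example, not code from the article or from HHS: `Find-LogonBruteForce` applies a sliding-window threshold over failed-logon records, and `Get-FailedLogonEvents` shows how to feed it from the live Security log. The sample events, the 203.0.113.45 and 10.20.0.7 addresses, and the 10-failures-in-5-minutes threshold are all constructed for illustration.

```powershell
# Added example (not from the article or the HHS alert): flag RDP brute-force attempts from
# Windows Security event 4625 (failed logon). LogonType 10 = RemoteInteractive (RDP); type 3 =
# Network, which is how NLA-protected RDP failures are recorded. Thresholds are assumptions.

function Find-LogonBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # objects with TimeCreated, LogonType, IpAddress, TargetUser
        [int]$Threshold = 10,                      # failures from one source ...
        [int]$WindowMinutes = 5                    # ... within this many minutes
    )
    $Events |
        Where-Object { $_.LogonType -in 3, 10 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $src    = $_.Name
            $sorted = @($_.Group | Sort-Object TimeCreated)
            # Sliding window: count failures in the WindowMinutes span starting at each event.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $end   = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
                $burst = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
                if ($burst.Count -ge $Threshold) {
                    [pscustomobject]@{
                        SourceIp  = $src
                        Failures  = $burst.Count
                        Accounts  = ($burst.TargetUser | Sort-Object -Unique) -join ','
                        FirstSeen = $sorted[$i].TimeCreated
                        LastSeen  = $burst[-1].TimeCreated
                    }
                    break   # one alert per source address is enough
                }
            }
        }
}

# Live use: pull recent 4625 events and project the fields the detector needs.
function Get-FailedLogonEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogonType   = [int]$d['LogonType']
                IpAddress   = $d['IpAddress']
                TargetUser  = $d['TargetUserName']
            }
        }
}

# Constructed sample (not real telemetry): 12 failures from one source spread over 3 minutes,
# cycling through common account names, plus a single typo from an internal host.
$t0     = [datetime]'2018-03-01T02:00:00'
$names  = 'administrator', 'admin', 'backup', 'scanner'
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $i); LogonType = 10; IpAddress = '203.0.113.45'; TargetUser = $names[$i % 4] }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); LogonType = 10; IpAddress = '10.20.0.7'; TargetUser = 'jdoe' }

Find-LogonBruteForce -Events $sample | Format-Table -AutoSize
# On a live host: Find-LogonBruteForce -Events (Get-FailedLogonEvents -Hours 1)
```

On the constructed sample the detector reports one source, 203.0.113.45, with 12 failures against four account names, while the single failure from 10.20.0.7 stays below the threshold. Password spraying across many accounts from one address shows up in the `Accounts` column; rotating source addresses would need the same grouping done by target account instead, which is a one-line change to the `Group-Object` call.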

Additionally, the only way to check your systems for vulnerabilities is to have regular vulnerability testing performed, along with periodic penetration testing by ethical hackers to see not only what vulnerabilities may exist, but what damage could be done if a hacker were able to gain access to your “crown jewels”, meaning your company’s most critical systems and data.

Ransomware is very much an epidemic in today’s modern healthcare arena, but there are things that healthcare IT leaders can do to help defend and protect themselves from this threat.

If you need help from an outside vendor that has deep expertise in security and compliance, contact us for a no-obligation review of your requirements and see how WHOA can help you become more secure.