HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks.

There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months

Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India.

In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week.

In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server Message Block V1 vulnerability on a public-facing server to install the ransomware – the same vulnerability that was exploited in the global WannaCry and NotPetya in May and June 2017.

Hancock Health was attacked and chose to pay the ransom as it was seen to be preferable to the ongoing disruption that would have been caused by recovering files from backups. Hancock Health was one of two hospitals in Indiana to experience an attack. The Colorado Department of Transportation suffered two separate SamSam ransomware attacks in February and March.

Other healthcare organizations to be attacked include Erie County Medical Center which saw an unpatched vulnerability exploited. In that case, the ransom was not paid, although it took six weeks for the medical center to fully recover at a cost of several million dollars.

While the healthcare industry appears to have been targeted, that is not necessarily the case. The HHS and Cisco Talos suggest several of the attacks have been opportunistic in nature. However, ransomware gangs have been known to target the government, healthcare, and education sectors. The major disruption to services and the cost of mitigating attacks in these industries makes it far more likely that the ransom payment will be made.

Different attack methods have been used by the threat actors behind SamSam ransomware, although the group is known to exploit vulnerabilities on public-facing servers. Compromised RDP/VNC servers (Remote Desktop Protocol/Virtual Network Computing) are a common denominator in several of the attacks.

The threat actors also scan for open RDP connections and conduct brute force attacks which take advantage of weak passwords.

Once access to a server is gained, ransomware is installed and spread laterally. The goal of the attack is to cause massive disruption. Even though backups exist in most cases and data can be recovered, the continued disruption to business operations while files are recovered makes payment of the ransom preferable. Even if the ransom is paid the cost is considerable. The City of Atlanta was reportedly issued a ransom demand of $6,800 per infected endpoint.

Tips to Prevent and Block SamSam Ransomware Attacks

Several vulnerabilities have been exploited to gain access to servers including JBoss, SMBv1, RDP, and others. It is therefore strongly recommended to conduct regular vulnerability scans and ensure good patch management practices are adopted. Strong passwords should be used, and controls implemented to enforce password policies.

HCCIC offers the following advice to prevent and block SamSam ransomware attacks:

  • Conduct an organization-wide risk analysis to identify risks to ePHI and implement security measures to remediate those risks – A requirement of the HIPAA Security Rule
  • Train end users to help them detect malicious software
  • Implement procedures to protect against malicious software and use software solutions that can rapidly identify an attack in progress to ensure rapid action can be taken to prevent the spread of the infection
  • Ensure all data is backed up regularly – A good backup strategy is the 3-2-1 approach – Ensure 3 backups are made, on two different media, with one copy stored securely off site.
  • Develop contingency plans to minimize business disruption in the event of a cyberattack
  • Develop procedures for responding to security incidents, including procedures specifically for ransomware attacks
  • Conduct annual penetration tests to identify weaknesses and ensure they are addressed
  • Use rate limiting to block brute force attacks
  • Restrict the number of users who can login to remote desktop applications and restrict access to RDP behind firewalls. Ensure a VPN or RDP gateway is used
  • Set up 2-factor authentication on RDP

As for payment of the ransom, that carries a risk. There are no guarantees that the attackers will make good on their promise to send keys to unlock the data or that the keys supplied will work. It is essential to ensure that recovery is possible without paying the ransom.

The HCCIC report, which includes indicators of compromise, can be downloaded from the American Hospital Association on this link (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.