Healthcare Companies Account for a Quarter of SamSam Ransomware Attacks

November 7, 2018


The threat actors behind SamSam ransomware have been very active this year and most of the attacks have been carried out in the United States. Out of the 67 companies that the group is known to have attacked, 56 were on companies based in the United States, as per a recent analysis by cybersecurity company Symantec.

The attacks have been carried out on a wide variety of organizations and businesses, although the healthcare industry has been widely targeted. Healthcare businesses account for 24% of the group’s ransomware attacks.

It is unclear why healthcare businesses are accounted for so many attacks. Symantec proposes that it might be because of healthcare businesses being easier to attack than other possible targets, or that there is a view that healthcare suppliers are more likely to pay the ransom as they are dependent on access to patient data to work.

In contrast to most ransomware attacks, the threat actors behind SamSam ransomware don’t conduct random campaigns through electronic mail with the purpose of infecting as many businesses as possible. SamSam ransomware attacks are highly targeted and carried out manually without any involvement from end users.

Access is gained to a healthcare system, the attackers move laterally, and the ransomware is manually positioned on as many appliances as possible. When several appliances have been compromised, the encryption routine is activated on all infected appliances at the same time. This method makes sure maximum disturbance is produced, and with large numbers of appliances taken out of action through file encryption, big ransoms can be claimed – usually of the order of about $50,000.

To gain access to systems the threat actors carry out images to identify companies with open remote desktop protocol (RDP) connections. RDP backdoors can also be bought on darknet forums, which might also be used to gain access to healthcare companies’ systems.

Symantec points out that substantial work goes into each campaign. When the limit has been breached, it can take numerous days for the threat actors to draw the company’s network and stealthily install their ransomware. The threat actors use off-the-shelf administration and pen testing tackles – PsExec for example – to let them move through the system without being known. The Mimikatz hacking tool is also used to get passwords to infect more appliances.

To decrease risk, healthcare companies need to take steps to make it tougher for the attackers to breach the limit, implement cybersecurity solutions to find network incursions and identify the doubtful activity, and also make sure that standbys are frequently made with copies of backed up files saved offline.

Good password strategies are important to avoid brute force attacks. Strong exclusive passwords must be used and all default passwords should be changed. Rate limiting must also be applied to hinder brute force attacks and reports of doubtful login attempts must be automatically created to warn safety teams to a possible attack in progress. Access to public-facing ports must be limited and multi-factor authentication must be applied to all applications. It is also strongly desirable to strictly limit the use of admin identifications.