HHS Report on SamSam Ransomware Attacks

April 15, 2018


The high number of SamSam ransomware attacks on government and healthcare organizations in recent months has prompted the Department of Health and Human Services' Healthcare Cybersecurity and Communications Integration Center (HCCIC) to release a report on ongoing SamSam ransomware campaigns. The report includes guidance to help organizations detect and block SamSam ransomware attacks.

There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months

Since December 2017, there have been 10 major attacks, mainly on healthcare and government organizations in the United States. Other attacks have been reported in India and Canada.

In January 2018, the EHR provider Allscripts suffered an attack that took its systems down for several days, preventing about 1,500 medical practices from accessing patient data. In some cases, those practices were unable to access patient data for as long as a week.

In March 2018, the City of Atlanta was forced to shut down its IT systems to stop the ransomware from spreading. In that incident, the attackers exploited a Windows Server Message Block v1 (SMBv1) vulnerability on a public-facing server to install the ransomware, the same vulnerability that was exploited in the global WannaCry and NotPetya attacks in May and June 2017.

Hancock Health was attacked and chose to pay the ransom, judging that preferable to the prolonged disruption that restoring files from backups would have caused. Hancock Health was one of two hospitals in Indiana to be attacked. The Colorado Department of Transportation experienced two separate SamSam ransomware attacks, in February and March.

Other healthcare organizations to be attacked include Erie County Medical Center, where an unpatched vulnerability was exploited. In that case the ransom was not paid, although it took six weeks for the medical center to recover fully, at a cost of several million dollars.

While the healthcare sector appears to have been targeted, that is not necessarily the case. HHS and Cisco Talos indicate that many of the attacks have been opportunistic in nature. Nevertheless, ransomware gangs are known to target the healthcare, government, and education sectors: the major disruption to services and the cost of mitigating attacks in these industries make payment of the ransom far more likely.

Various attack techniques have been used by the threat actors behind SamSam ransomware, although the gang is best known for exploiting vulnerabilities on public-facing servers. Compromised RDP/VNC (Remote Desktop Protocol/Virtual Network Computing) servers are a common denominator in many of the attacks.

The threat actors also scan for exposed RDP connections and carry out brute force attacks that take advantage of weak passwords.
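As an added illustration of how a defender can spot the RDP password guessing described above (this is example code, not part of the HHS report): a sliding-window count of failed RemoteInteractive logons per source address, followed by a check for a successful logon from the same address. The Windows Security event IDs used (4625 failed logon, 4624 successful logon, logon type 10 for RDP) are real; the event records themselves are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, event id, logon type, source address).
# Windows Security log: 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. an RDP session.
T0 = datetime(2018, 3, 20, 2, 0, 0)
SAMPLE_EVENTS = (
    # 25 failures in about two minutes from one address, then a success:
    # password guessing that eventually worked
    [(T0 + timedelta(seconds=5 * i), 4625, 10, "203.0.113.7") for i in range(25)]
    + [(T0 + timedelta(seconds=130), 4624, 10, "203.0.113.7")]
    # an administrator who mistypes twice and then gets in: normal behaviour
    + [(T0 + timedelta(minutes=3), 4625, 10, "198.51.100.4"),
       (T0 + timedelta(minutes=3, seconds=20), 4625, 10, "198.51.100.4"),
       (T0 + timedelta(minutes=3, seconds=40), 4624, 10, "198.51.100.4")]
    # a slow guesser: 30 failures spaced ten minutes apart, never 20 in one window
    + [(T0 + timedelta(minutes=10 * i), 4625, 10, "192.0.2.9") for i in range(30)]
    # a failed network (type 3) logon: not RDP, so it is ignored
    + [(T0 + timedelta(minutes=1), 4625, 3, "203.0.113.7")]
)

def detect_rdp_brute_force(events, threshold=20, window=timedelta(minutes=5)):
    """Flag source addresses with at least `threshold` failed RDP logons inside
    any `window`, and record whether such an address later logged on successfully.
    Returns {src: {"failures": peak count in window, "logged_in": bool}}."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = {}
    for t, event_id, logon_type, src in sorted(events):
        if logon_type != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = recent[src]
            q.append(t)
            while t - q[0] > window:  # age out failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(src, {"failures": 0, "logged_in": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif event_id == 4624 and src in alerts:
            # a success after a burst of failures: treat the account as compromised
            alerts[src]["logged_in"] = True
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        state = "SUCCESSFUL LOGON AFTER FAILURES" if info["logged_in"] else "failures only"
        print(f"{src}: {info['failures']} failed RDP logons in window, {state}")
```

The slow guesser shows the limit of a short window: a source that spreads attempts out evades the default settings, so longer windows or account-lockout telemetry are needed to catch it.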

Once access to a server is gained, the ransomware is installed and spread laterally. The objective of the attack is to cause major disruption. Although backups exist in most cases and data can be recovered, the ongoing disruption to business operations while files are restored makes paying the ransom attractive. Even when the ransom is paid, the cost is substantial: the City of Atlanta was reportedly issued a ransom demand of $6,800 per infected endpoint.