Ransomware remains the top threat faced by businesses as we move into the second half of 2018. Since the emergence of the first strains of ransomware in 2013, this nefarious trend has unfortunately only kept growing. And the latest such incidents have shown an increased focus on the healthcare sector.
Ransomware has become a growing threat for the healthcare industry, with the latest such incident reported by the Allied Physicians of Michiana – an organization offering health services to residents of South Bend, Indiana.
The community-focused alliance this week announced in a press release that, on May 17, its systems got hit by the SamSam ransomware strain.
“Steps were immediately taken to shut down the network to protect personal and protected health information,” the press release says. “In conjunction with its internal staff, its incident responder, outside counsel and other professionals, the company was able to restore its data in a secure format without any significant disruption of services to its patients.”
Although the incident was contained, the group has called on the FBI and others to investigate. The company declines to say whether it paid the ransom to regain access to its data.
“The security of our patients’ personal and protected health information is foremost in our mind,” CEO Shery Roussarie said in the news release. “While we make every effort to keep ahead of these types of cyberattacks, we have nevertheless taken additional steps to minimize any such future attack of the type experienced last week.”
SamSam is a ransomware strain that holds data hostage with RSA-2048 encryption. It spreads through Java apps, as well as other routes on the web, and favors external-facing RDP servers as its targets. It uses brute force techniques to guess weak passwords on the targeted network to make its way in. Then, using a built-in worm component, it spreads laterally, infecting every vulnerable system in sight.
At its first iteration, SamSam could recognize and encrypt 79 file types, including some of the most common ones (java, jar, cs, jpg, html, data, conf, pptx, docx, pdf, xls, etc.). When SamSam took off, attackers typically demanded between 30 and 40 Bitcoin, equivalent to $15,000 at that time. The same number of Bitcoins today is worth roughly $300,000.
SamSam has been on cybersecurity experts’ radars for a while, but, following a general trend in ransomware, has recently targeted healthcare institutions. Experts say hackers value medical data for its personal and sensitive nature, so they have turned their sights to healthcare institutions as a lucrative “business model.”
Earlier this year, a provider of electronic health record (EHR) technology was hit by SamSam, causing an outage that affected thousands of healthcare providers across the United States, some of whom were forced to turn away patients.
To gauge just how big of an impact such an attack can have, Allscripts – the EHR vendor in question – handles data for 280,000 physicians, 40,000 in-home clinicians, 2,700 hospitals, 13,000 extended care organizations and 7 million patients.
Three months ago, SamSam was used to disrupt the Colorado Department of Transportation, forcing administrators to shut down more than 2,000 computers to prevent the ransomware from spreading across the entire organization.