A new variant of SamSam ransomware was observed targeting multiple industries including government, healthcare and Industrial Control Systems in a series of attacks that do not appear to be highly targeted but more opportunistic in nature.
Most recently the malware has crippled the systems of nearly hundreds of patients whose information is in the Allscripts network.
Cisco Talos researchers have yet to discover the malware's initial infection vector but said there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold, according to a 22 January blog post.
It's also possible the attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware as they've done in previous attacks.
At the time the blog was written, the threat actors behind the attack had received approximately 30.4 BTC equal to £227,653.
Researchers said there isn't a difference between the the encryption mechanism used by this current SamSam variant compared to older versions but noted adversaries had added new string obfuscation and improved the anti-analysis techniques used to make detection and analysis marginally more difficult.
Similar to how the earlier version of the malware put effort into obfuscating the malware code by encrypting strings with AES, the new version also obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables.
A strain of the ransomware was recently used against the servers of Allscripts Software Company in Raleigh and Charlotte N.C in the US., on 18 January, although it is unclear if the malware is of the same strain observed in other attacks. The company is still working to rebound from the attack which affected Allscripts Professional HER (electronic health records) and some e-prescribing system capabilities.
Healthcare professionals have voiced their frustrations on Twitter over the downed medical software over the following days leading the company to release another statement about the attack that affected nearly 1,500 clients.
“As an owner of an MD practice I am appalled @Allscripts saying the ransomware affected a 'limited number' of applications. Total nonsense. The services that were unaffected were minor and this incident has dramatically impacted patient care and disabled practices nationwide,” Twitter user Adrian Lloyd said in a 22 January tweet.
The US FBI has been notified of the incident and “there is no evidence that any data was removed from our systems,” the company said in its most recent statement. “We continue to work unceasingly to restore all services to our clients who are still experiencing outages.”
Researchers are continuing to look for threat vectors and recommend users implement best security practices to help minimise their chances of infection.