New ransomware 'SamSam' takes aim at hospitals

News by Max Metzger

Hospitals have taken a beating recently, not least from a new form of ransomware called SamSam that comes loaded with lethal new features.

The apparently non-stop campaign against healthcare seem to have reached further depths with the discovery of new ransomware currently taking aim at hospitals.

What makes this piece of ransomware different is that it doesn't violate its targets through exploitation of human frailty, like a phishing attack, but goes straight for the jugular. SamSam attacks using vulnerabilities in unpatched servers.

Cisco's Talos group couldn't tell who exactly SamSam was affecting but still, Craig Williams, sr. technical leader and manager of the group explained how the ransomware works.

“Samsam spreads via server vulnerabilities, using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom“, Williams said. This means that instead of one hapless hospital employee clicking on a phishing email and deploying ransomware on his computer, SamSam creeps through a system selecting the most valuable pieces of data to encrypt and steal.

SamSam represents a new entry into the rogue's gallery of ransomware. Williams noted, “this is contrary to more common examples of ransomware, which instead rely on human interactions, such as phishing and exploit kits. As a result, SamSam has evolved beyond most ransomware by doing this.”

Furthermore, unlike other ransomwares, this one can encrypt offline. With no communication from its C&C back end, the ransomware merely diverts its unfortunate victims to a wordpress website available over Tor.

One of the other shiny new features on SamSam is that it can communicate with the victim as files are being encrypted and negotiate the ransom in real time as the victims watch their computers lock up one by one and the price of freedom climbs ever higher.

It's a dangerous time to be a hospital. The last few months have seen an earth-shattering upswing in ransomware attacks on hospitals. The first, and perhaps most successful, of note was a ransomware attack in the US on Hollywood Presbyterian Medical Centre only a few months ago.

The attack considerably hampered day to day operations until the hospital agreed to pay the ransom, handing over US$ 17,000 (£12,000).

But what's prompted this sudden, sharp shock to western hospitals?  Ben Johnson, co-founder of Carbon Black had at least a partial answer for SCMagazine

Simply, “cyber-crime has found its sweet spot”, said Johnson.  Medical records contain a bounty of valuable information: medical conditions, detailed personal data as well as the personal data of the patient's family.  

With that, said Johnson, “criminals can do more with them, including order drugs in the patient's name or use their information for identity theft.”

Furthermore, in hard currency terms  medical records are by far the more valuable set of data to have. Johnson told SC that medical records will net the hacker ten times the value of a stolen credit card number - “Not only that, but healthcare organisations are also still lagging in the security game; they are an easier target than a bank. Unfortunately for healthcare, the hacker eye has shifted in their direction and they are mercilessly taking advantage of this period of unpreparedness.”

All these factors are in play without even taking into account ransomware, with which the blackmailers can extract great sums from the victim and still  make money off the stolen data.

Of course, many hospitals are well prepared for just such a cyber-attack and many of those that have been the victims of ransomware have quickly and deftly dealt with the problem.

Still, the risk remains. Independent Security Evaluators (ISE), an independent security firm based in Baltimore, recently released a report detailing the many failings of medical bodies when it comes to cyber-security,

Principle among the report's many troubling findings, was that hospitals focus primarily on protecting patient data and largely ignore advanced threats. The report notes that “the efforts that do aim to protect patient health do not address intelligent cyber-threats. Defending patient health and patient records is not one-in-the-same, and placing the focus on records harshly ignores the patient health aspect.”

Rest assured, this has been a long time coming. Predictions that hospitals would be ripe for the taking have been no less than ubiquitous for several years now. Most recently, a Kaspersky researcher demonstrated how easy it really could get by hacking into a Moscow Hospital from the comfort of his car.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews