SamSam, a ransomware variant used extensively in attacks on healthcare providers, recently resurfaced in a slightly different form, taking down systems at hospitals and businesses, including EHR vendor Allscripts.
In a Jan. 25 blog post, Healthcare Information and Management Systems Society's Director of Privacy and Security Lee Kim addressed key facts of the ransomware variant.
Here are seven things to know.
1. SamSam is not new. In fact, it's been around for about two years. When it first appeared on the scene, it was described as "self-contained," meaning it didn't need to "call home" via a command and control server, Ms. Kim writes. However, the widespread attacks involve a new variant of the strain that spread in the past, though some SamSam victims said they were affected by the old version.
2. Hackers raised over $300,000 in just four weeks. The first bitcoin wallet transaction associated with the attackers reportedly occurred Dec. 25. It is not yet clear where the attack originated, but some have attributed it to actors in Eastern Europe.
3. Recent attacks commonly involve compromised vendor credentials. Using stolen vendor credentials to get into a victim's network creates a "'window of opportunity' for the attacker who wants to compromise 'equipment vendors' and other types of vendors who have 'trusted access' to a healthcare provider," Ms. Kim writes. Another way in is to exploit vulnerabilities in vendor products and services, then use automated exploitation tools or scripts to launch the attack.
4. A sign your organization is facing a SamSam attack may be the word "sorry." The new variant of SamSam is reportedly more obfuscated and harder to detect, Ms. Kim writes. Adams Health Network in Decatur, Ind., said the attack led networks to operate slowly before screens went blank and files on the system read "sorry." Hackers demand a ransom — in the case of Greenfield, Ind.-based Hancock Health, it was 4 bitcoin, or about $55,000 — in exchange for the private encryption keys. In a screenshot of the hackers' ransom note posted by Talos, the SamSam attackers state "we don't want to damage our reliability" and "we are honest" as they explain that victims can test the decryption process before paying the ransom.
5. The initial attack vector hasn't yet been determined. Traditionally, SamSam is manual, meaning the malware must first be uploaded to a victim's machine. However, some analyses note remote desktop or virtual network computing servers have recently been playing a role in similar types of attacks.
6. If you believe your organization is under attack, carefully consider your options. While some organizations decided to pay the ransom, others did not. Ms. Kim warns organizations might not necessarily get their data back even if they do pay the ransom. Paying the ransom could also infect your system with more malware.
7. Here are some tips on how your organization can protect itself from SamSam. Organizations should update or patch their security solutions whenever a new version is released. They should also know what is "normal" for their systems and networks, Ms. Kim advises. She adds that plans, tests and training should be reviewed frequently and reminds organizations not to forget to test their backups, too.
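The advice to test backups is easy to state and easy to skip. The script below is an added illustration (not code from the HIMSS post or from Ms. Kim) of what a minimal backup test looks like in practice: record a SHA-256 manifest of the source tree when the backup is taken, then, after a trial restore, compare the restored tree against that manifest and report files that are missing, altered or unexpected. The directory layout, file contents and the "sorry" note in the demo are constructed sample data, not material from any real incident.

```python
"""Backup integrity check: build a SHA-256 manifest at backup time and
verify a trial restore against it.

Added illustration for the "test your backups" advice; not code from
the HIMSS post or from Ms. Kim. All paths and file contents created in
demo() are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns sorted lists of missing, modified and unexpected files. All three
    lists empty means the restore is byte-for-byte what was backed up; a
    non-empty 'modified' list after an incident is how encrypted or
    overwritten files show up, and 'unexpected' is where dropped ransom
    notes appear.
    """
    current = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest
                      if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate a restore in
    which one file is absent, one was overwritten with junk, and a note
    reading "sorry" was added. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr_data"          # constructed source tree
        src.mkdir()
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "schedule.txt").write_text("clinic hours 8-5\n")
        (src / "labs.txt").write_text("constructed lab results\n")
        manifest = build_manifest(src)         # taken when the backup is made

        restored = Path(tmp) / "restored"     # constructed trial restore
        restored.mkdir()
        (restored / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (restored / "schedule.txt").write_bytes(b"\x00\x13junk")   # damaged
        (restored / "constructed_note.txt").write_text("sorry\n")  # unexpected
        # labs.txt is deliberately not restored, so it reports as missing
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest should be stored separately from the backup it describes (and ideally signed or kept offline), since a manifest that sits on the same volume as the data can be altered or encrypted along with it.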