Here’s the thing: If you’re a healthcare organization, SamSam is gunning for you.
But here’s the other thing: If you follow basic cybersecurity hygiene, SamSam won’t hit its mark.
That sounds really simplistic, and, of course, nothing is that simple in cybersecurity.
By some estimates, SamSam has already extracted $1 million in ransom from select targets in 2018.
“Select” is a very important word when discussing SamSam. “The attackers behind this ransomware have demonstrated a clear pattern of carefully choosing their targets based not on size but on the serious and life-threatening repercussions that an attack could have because of the targets’ operations,” says Sensato CEO John Gomez.
SamSam Bets: Odds are Good that You’ll Pay
The attackers research their targets and their targets’ ability to pay, and set their ransom demands accordingly. They are betting that healthcare and other critical-infrastructure organizations will weigh the cost of paying the ransom against the lengthy, difficult prospect of restoring deleted data and systems operations, and choose to pay.
Paying is faster and cheaper. The SamSam attackers have even encouraged payment by establishing a reputation as “trustworthy” criminals: they do actually return all data and systems intact to their victims, which is not always the case with other ransomware attacks.
Hancock Health was one healthcare organization that followed the attackers’ predictive analysis: in January, Hancock paid the SamSam ransom. CEO Steve Long told reporters that restoring systems from backups would have taken too long. It made better business sense to pay the ransom.
Prevention: A Better, Cheaper Best Practice
“As cybersecurity experts, the last thing we want to do is advise organizations to pay ransom, but that’s ultimately up to the affected organization,” says Sensato’s Brett Warrick. “We would much rather see preventative measures taken to avoid falling victim to ransomware and other types of attacks, because even if the attackers return your data and systems to normal, the fact is, the attackers still have all your data.”
Luckily, SamSam follows the same general approach as many attacks: it scans for exposed services with known, exploitable vulnerabilities. For example, it is known to take advantage of weaknesses in Microsoft’s Credential Security Support Provider protocol (CredSSP), Remote Desktop Protocol (RDP), and distributed computing environment/remote procedure call (DCE/RPC) application services.
What’s different about SamSam, now, is that it has been updated to require a human to manually enter a password to run the payload and begin data encryption. That may, at first, sound like SamSam has taken a step backwards. But by requiring manual password entry to activate, the attackers have ensured that experts cannot run the ransomware code for analysis.
This is why following good, basic cybersecurity practices is so important. The same things you do to protect your organization against other types of attacks will help you fend off SamSam.
Since we know that SamSam relies on known vulnerabilities, don't forget security basics:
· Keep configurations and patches up to date
· Make passwords long and strong
· Limit administrative privileges
· Monitor networks for anomalous activity*
· Use multi-factor authentication across the entire organization
· Segment networks so you can quickly contain and limit an attack
· Keep backups up-to-date
*Keep in mind, the use of stolen credentials is the most common tactic leveraged by attackers, including SamSam, employing familiar tools like Mimikatz to steal valid credentials.
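One concrete form the “monitor networks for anomalous activity” advice can take, given that SamSam abuses RDP with stolen credentials: a small detector run over Windows logon events. This is an added example, not code from Sensato or from the post; it assumes a simplified record shape of (timestamp, event ID, account, source IP, logon type) and uses constructed sample events.

```python
# Added example (not part of the Sensato post): flag anomalous RDP logons in
# constructed Windows Security log records. Assumed minimal record shape:
# (ISO timestamp, event ID, account, source IP, logon type).
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive (RDP) logon type in 4624/4625 events

# Constructed sample records: a burst of failed RDP logons from one source
# followed by a success, then the same account succeeding from a second host.
SAMPLE_EVENTS = [
    ("2018-03-01T02:11:04", 4625, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:11:09", 4625, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:11:15", 4625, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:11:20", 4625, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:11:26", 4625, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:11:31", 4624, "svc_backup", "203.0.113.7", 10),
    ("2018-03-01T02:40:02", 4624, "svc_backup", "203.0.113.9", 10),
    ("2018-03-01T09:05:10", 4624, "jdoe", "10.0.4.21", 10),
]

def detect_rdp_anomalies(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) at least fail_threshold RDP failures from one
    source followed by a success within `window` (credential guessing), and
    (b) one account succeeding RDP logons from more than one source IP
    (a pattern consistent with stolen credentials being reused)."""
    alerts = []
    failures = defaultdict(list)        # (account, src) -> failure timestamps
    success_sources = defaultdict(set)  # account -> set of source IPs
    for ts, event_id, account, src, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ts)
        key = (account, src)
        if event_id == 4625:            # failed logon
            failures[key].append(t)
        elif event_id == 4624:          # successful logon
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_success", account, src))
            success_sources[account].add(src)
            if len(success_sources[account]) > 1:
                alerts.append(("multi_source_rdp", account, src))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Thresholds and the window are assumptions to tune per environment; in production the same logic would read real 4624/4625 events from a SIEM rather than the constructed list.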
Sound like a broken record?
That’s because healthcare is among the most targeted industries for cyber attackers. In 2017, more than 500 patient records affecting over 4.7 million people were breached at 295 healthcare providers.
Sensato has found an average of 6.2 vulnerabilities per medical device, with many running on operating systems too old for patches or updates.
That’s a lot of vulnerability. Reminder: SamSam and other attacks begin by scanning for vulnerabilities. Get to work.