Here’s the thing: If you’re a healthcare organization,
SamSam is gunning for you.
But here’s the other thing: If you follow basic
cybersecurity hygiene, SamSam won’t hit its mark.
That sounds really simplistic, and, of course, nothing is that
simple in cybersecurity.
By some estimates, SamSam has already extracted $1 million
in ransom from select targets in 2018.
“Select” is a very important word when discussing SamSam. “The
attackers behind this ransomware have demonstrated a clear pattern of carefully
choosing their targets based not on size but on the serious and
life-threatening repercussions that an attack could have because of the
targets’ operations,” says Sensato CEO John Gomez.
SamSam Bets: Odds are Good that You’ll Pay
The attackers research their targets and their targets’
ability to pay, and set their ransom demands accordingly – betting that healthcare
and other critical infrastructure organizations will weigh the cost of paying the
ransom against the lengthy and difficult proposition of attempting to restore
deleted data and systems operations, and choose to pay the ransom.
Paying is faster and cheaper. The SamSam attackers have even
encouraged payment by having already established themselves as “trustworthy”
criminals – they do actually return all data and systems intact to their
victims. This is not always the case with other ransomware attacks.
Hancock Health was one healthcare organization that followed
the attackers’ predictive analysis: in January, Hancock
paid the SamSam ransom. CEO Steve Long told reporters that restoring
systems from backups would have taken too long. It made better business sense
to pay the ransom.
Prevention: A Better, Cheaper Best Practice
“As cybersecurity experts, the last thing we want to do is
advise organizations to pay ransom, but that’s ultimately up to the affected
organization,” says Sensato’s Brett Warrick. “We would much rather see
preventative measures taken to avoid falling victim to ransomware and other
types of attacks, because even if the attackers return your data and systems to
normal, the fact is, the attackers still have all your data.”
Luckily, SamSam follows the same general approach as many
attacks: it scans for known vulnerabilities it can exploit. For example, it’s
known to take advantage of vulnerabilities in Microsoft’s credential protocol
(CredSSP), Remote Desktop Protocol (RDP), and Distributed Computing
Environment/Remote Procedure Call (DCE/RPC) application services.
about the known
and potential threats to healthcare information and medical device security.
What’s different about SamSam, now, is that it has been
updated to require a human to manually enter a password to run the payload and
begin data encryption. That may, at first, sound like SamSam has taken a step
backwards. But by requiring manual password entry to activate, the attackers
have ensured that experts cannot run the ransomware code for analysis.
This is why following good, basic cybersecurity practices is
so important. The same things you do to protect your organization against other
types of attacks will help you fend off SamSam.
healthcare-specific cybersecurity solution protects you from hackers and your
own security shortcomings. Learn more about MD-COP.
Since we know
that SamSam relies on known vulnerabilities, don't forget security basics:
· Keep configurations and patches up to date
· Make passwords long and strong
· Limit administrative privileges
· Monitor networks for anomalous activity
· Use multi-factor authentication across
the entire organization
· Segment networks so you can quickly
contain and limit an attack
· Keep backups up-to-date
*Keep in mind, the use of stolen credentials is the most common tactic leveraged by
attackers, including SamSam, employing familiar tools like
Mimikatz to steal valid credentials.
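One way to put the “monitor for anomalous activity” item and the stolen-credentials note into practice, as an added example that is not Sensato’s or MD-COP’s code: two checks run over constructed Windows Security log records that flag the traces left when a password is guessed or a stolen credential is reused over RDP. Event IDs 4624/4625 and LogonType 10 are real Windows values; the sample records, thresholds and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample Windows Security events (not real logs), simplified to
# (event_id, logon_type, account, source_ip, target_host, timestamp).
SAMPLE_EVENTS = [
    (4625, 3, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:10:01"),
    (4625, 3, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:10:04"),
    (4625, 3, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:10:07"),
    (4625, 3, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:10:10"),
    (4625, 3, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:10:13"),
    (4624, 10, "rdpadmin", "203.0.113.7", "WS01", "2018-03-01T02:11:30"),
    (4624, 10, "rdpadmin", "10.0.5.40", "SRV01", "2018-03-01T02:20:00"),
    (4624, 10, "rdpadmin", "10.0.5.40", "SRV02", "2018-03-01T02:22:00"),
    (4624, 10, "rdpadmin", "10.0.5.40", "SRV03", "2018-03-01T02:24:00"),
    (4624, 10, "rdpadmin", "10.0.5.40", "SRV04", "2018-03-01T02:26:00"),
    (4625, 10, "nurse1", "10.0.5.22", "WS02", "2018-03-01T07:58:00"),  # one typo
    (4624, 10, "nurse1", "10.0.5.22", "WS02", "2018-03-01T07:58:20"),
]

def failed_then_successful_rdp(events, min_failures=5):
    """Return {(source_ip, account): failure_count} for every RDP success
    (4624, LogonType 10) preceded by at least min_failures failed logons
    from the same source for the same account. Failures of any logon type
    count, because RDP with NLA records bad passwords as network (type 3)."""
    failures = defaultdict(int)
    alerts = {}
    for event_id, logon_type, account, src, _host, _ts in sorted(events, key=lambda e: e[5]):
        key = (src, account)
        if event_id == 4625:
            failures[key] += 1
        elif event_id == 4624 and logon_type == 10:
            if failures[key] >= min_failures:
                alerts[key] = failures[key]
            failures[key] = 0  # a success closes the failure run
    return alerts

def rdp_fan_out(events, min_hosts=3):
    """Return {account: sorted hosts} for accounts with RDP sessions on at
    least min_hosts distinct machines in the log window: one credential
    touching many hosts is the footprint of stolen credentials being reused."""
    hosts = defaultdict(set)
    for event_id, logon_type, account, _src, host, _ts in events:
        if event_id == 4624 and logon_type == 10:
            hosts[account].add(host)
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print(failed_then_successful_rdp(SAMPLE_EVENTS))  # → {('203.0.113.7', 'rdpadmin'): 5}
    print(rdp_fan_out(SAMPLE_EVENTS))
```

Tune the thresholds to your own baseline: a single mistyped password followed by a success (nurse1 above) stays quiet, while the burst of failures and the one account fanning out across servers both surface for review.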
Sound like a
That’s because healthcare
is among the most targeted industries for cyber attackers. In
2017, more than 500 patient records affecting over 4.7 million people were
breached at 295 healthcare providers.
Sensato has found an average of 6.2 vulnerabilities per
medical device, with many running on operating systems too old for patches or
That’s a lot of vulnerability. Reminder: SamSam and other
attacks begin by scanning for vulnerabilities. Get to work.
MD-COP will secure your data, devices, and
network from targeted and “side effect” attacks. Act quickly.