July 19, 2018

SamSam Calls for Good Cybersecurity Hygiene, Especially in Healthcare

SamSam ransomware has already extracted $1 million in ransom from select targets in 2018. This unique attacker relies on known vulnerabilities, making all cybersecurity practices imperative for healthcare organizations. 

Here’s the thing: If you’re a healthcare organization, SamSam is gunning for you.

But here’s the other thing: If you follow basic cybersecurity hygiene, SamSam won’t hit its mark.

That sounds really simplistic, and, of course, nothing is that simple in cybersecurity.

By some estimates, SamSam has already extracted $1 million in ransom from select targets in 2018.

“Select” is a very important word when discussing SamSam. “The attackers behind this ransomware have demonstrated a clear pattern of carefully choosing their targets based not on size but on the serious and life-threatening repercussions that an attack could have because of the targets’ operations,” says Sensato CEO John Gomez.

SamSam Bets: Odds are Good that You’ll Pay

The attackers research their targets, and their targets’ ability to pay, and set their ransom demands accordingly – betting that healthcare and other critical infrastructure organizations will do the cost/benefit analysis of paying ransom versus the lengthy and difficult proposition of attempting to restore deleted data and systems operations, and they’ll choose to pay the ransom.

Paying is faster and cheaper. The SamSam attackers have even encouraged payment by establishing themselves as “trustworthy” criminals – they do actually return all data and systems intact to their victims. This is not always the case with other ransomware attacks.

Hancock Health was one healthcare organization that followed the attackers’ predictive analysis: in January, Hancock paid the SamSam ransom. CEO Steve Long told reporters that restoring systems from backups would have taken too long. It made better business sense to pay the ransom.

Prevention: A Better, Cheaper Best Practice

“As cybersecurity experts, the last thing we want to do is advise organizations to pay ransom, but that’s ultimately up to the affected organization,” says Sensato’s Brett Warrick. “We would much rather see preventative measures taken to avoid falling victim to ransomware and other types of attacks, because even if the attackers return your data and systems to normal, the fact is, the attackers still have all your data.”

Luckily, SamSam follows the same general approach as many attacks: it scans for exploits and known vulnerabilities. For example, it’s known to take advantage of vulnerabilities in Microsoft’s credential protocol (CredSSP), Remote Desktop Protocol (RDP), and distributed computing environment/remote procedure call (DCE/RPC) application services.


What’s different about SamSam, now, is that it has been updated to require a human to manually enter a password to run the payload and begin data encryption. That may, at first, sound like SamSam has taken a step backwards. But by requiring manual password entry to activate, the attackers have ensured that experts cannot run the ransomware code for analysis.

This is why following good, basic cybersecurity practices is so important. The same things you do to protect your organization against other types of attacks will help you fend off SamSam.


Since we know that SamSam relies on known vulnerabilities, don't forget security basics:

· Keep configurations and patches up to date
· Make passwords long and strong
· Limit administrative privileges
· Monitor networks for anomalous activity*
· Use multi-factor authentication across the entire organization
· Segment networks so you can quickly contain and limit an attack
· Keep backups up to date

*Keep in mind that the use of stolen credentials is the most common tactic leveraged by attackers, including SamSam, who employ familiar tools like Mimikatz to steal valid credentials.
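One way to act on the monitoring and stolen-credential points above, as an added example that is not from the original article: a logon made with stolen but valid credentials succeeds, so the check compares successful RDP logons against the sources each account has used before. It assumes simplified records carrying the Windows Security event fields EventID, LogonType, TargetUserName and IpAddress; the internal range, the account names and every sample event are constructed.

```python
import ipaddress
from collections import defaultdict

def ev(user, ip, logon_type=10, event_id=4624):
    """Build a constructed record with the 4624/4625 fields used below."""
    return {"EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}

# Constructed sample data. 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP), 2 = console, 3 = network.
BASELINE = [ev("jsmith", "10.20.1.15"), ev("svc-backup", "10.20.5.8"),
            ev("jsmith", "-", logon_type=2)]
TODAY = [ev("jsmith", "10.20.1.15"),                   # matches baseline
         ev("svc-backup", "10.20.9.44"),               # internal, new source
         ev("Administrator", "203.0.113.77"),          # external and new
         ev("jsmith", "198.51.100.9", event_id=4625),  # failed, not a logon
         ev("jsmith", "10.20.7.7", logon_type=3)]      # not RDP

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal range
PRIVILEGED = {"administrator", "svc-backup"}            # assumed privileged accounts

def is_rdp_success(e):
    return e["EventID"] == 4624 and e["LogonType"] == 10

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "-" or empty: no network source recorded
        return False
    return any(ip in net for net in INTERNAL_NETS)

def flag_rdp_logons(baseline, current):
    """Return (user, source, reasons) for RDP logons that break the baseline."""
    seen = defaultdict(set)
    for e in filter(is_rdp_success, baseline):
        seen[e["TargetUserName"].lower()].add(e["IpAddress"])
    alerts = []
    for e in filter(is_rdp_success, current):
        user, src = e["TargetUserName"].lower(), e["IpAddress"]
        reasons = []
        if src not in seen[user]:
            reasons.append("new source for account")
        if not is_internal(src):
            reasons.append("source outside internal ranges")
        if reasons and user in PRIVILEGED:
            reasons.append("privileged account")
        if reasons:
            alerts.append((user, src, reasons))
    return alerts
```

Calling `flag_rdp_logons(BASELINE, TODAY)` flags the two privileged-account logons and leaves the baseline-matching, failed and non-RDP events alone.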

Sound like a broken record?

That’s because healthcare is among the most targeted industries for cyber attackers.  In 2017, more than 500 patient records affecting over 4.7 million people were breached at 295 healthcare providers.

Sensato has found an average of 6.2 vulnerabilities per medical device, with many running on operating systems too old for patches or updates.

That’s a lot of vulnerability. Reminder: SamSam and other attacks begin by scanning for vulnerabilities. Get to work.

MD-COP will secure your data, devices, and network from targeted and “side effect” attacks.  Act quickly.
