Healthcare continues to have a target on its back. Staying aware and in touch with the security community helps mitigate risk.


Healthcare is under fire, and there’s no sign of the burn slowing.

Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years. In the United States alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.

Bottom line: If you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights, and may just need a doctor yourself.

So, who’s wreaking all this havoc, and how? According to AT&T Alien Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities to make money from healthcare providers and similar entities, which must keep their assets, systems and networks protected and continuously operating.

One such criminal group, the operators of the SamSam ransomware, is thought to have earned more than $5 million by manually compromising critical healthcare networks. The group behind SamSam (likely an organized crime syndicate) has invested heavily in its operations and has earned the distinction of being the subject of two FBI alerts in 2018.

And, according to AT&T Alien Labs, the methods used by SamSam are more akin to a targeted attack than to typical opportunistic ransomware. SamSam attacks also seem to come in waves. One of the most notable was a spring 2018 hit on a large New York hospital that publicly declined to pay the attackers’ $44,000 ransom demand. It took a month for the hospital’s IT systems to be fully restored.

SamSam attackers are known to:

  • Gain remote access through traditional attacks, such as JBoss exploits

  • Deploy web shells

  • Connect to RDP over HTTP tunnels such as ReGeorg

  • Run batch scripts to deploy the ransomware across machines
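Each step in that list leaves a trace on the web tier before any encryption starts, which is where a defender has the most time to catch it. The script below is an added example (not code from the post, from AT&T Alien Labs or from any SamSam write-up) that runs three detections over constructed access-log lines in Apache/IIS common log format: requests to JBoss management endpoints (the surface the JBoss exploits mentioned above go after), requests driven by the `cmd=connect/read/forward/disconnect` parameters that ReGeorg-style HTTP tunnel scripts use (a `port=3389` target means RDP is being carried over the tunnel), and a burst of POSTs from one source to a single script file, which is how a freshly dropped web shell tends to look. The log lines, IP addresses, paths and the threshold of five POSTs are all assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Common log format: src ident user [ts] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# JBoss management surfaces that an unpatched, exposed instance serves.
JBOSS_MGMT_PREFIXES = ("/jmx-console", "/web-console", "/invoker/")
# Verbs the published ReGeorg tunnel scripts are driven with (attackers can
# rename them, so treat a hit as a tripwire, not a guarantee of coverage).
TUNNEL_COMMANDS = {"connect", "read", "forward", "disconnect"}
SCRIPT_EXTS = (".jsp", ".jspx", ".aspx", ".asp", ".php")
WEBSHELL_POST_THRESHOLD = 5  # assumption: tune to the site's normal traffic


def parse_line(raw):
    """Split one access-log line into source, method, path and query dict.

    Returns None for lines that do not match the expected format.
    """
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "src": m.group("src"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def analyze(log_text, post_threshold=WEBSHELL_POST_THRESHOLD):
    """Return {rule_name: [findings]} for the three detections."""
    findings = defaultdict(list)
    post_counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, path, query = rec["src"], rec["path"], rec["query"]
        # Rule 1: any request to a JBoss management endpoint.
        if path.startswith(JBOSS_MGMT_PREFIXES):
            findings["jboss_management_access"].append((src, path))
        # Rule 2: tunnel verbs aimed at a server-side script.
        cmd = query.get("cmd", [""])[0]
        if cmd in TUNNEL_COMMANDS and path.endswith(SCRIPT_EXTS):
            port = query.get("port", [""])[0]
            findings["http_tunnel_traffic"].append((src, path, cmd, port))
        # Rule 3 bookkeeping: POST volume per (source, script) pair.
        if rec["method"] == "POST" and path.endswith(SCRIPT_EXTS):
            post_counts[(src, path)] += 1
    for (src, path), n in post_counts.items():
        if n >= post_threshold:
            findings["webshell_like_posting"].append((src, path, n))
    return dict(findings)


# Constructed sample log: one suspicious client and one ordinary one.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2018:10:01:12 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 200 5120
203.0.113.7 - - [02/Mar/2018:10:01:30 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 412
203.0.113.7 - - [02/Mar/2018:10:02:05 +0000] "POST /app/tunnel.jsp?cmd=connect&target=10.0.5.21&port=3389 HTTP/1.1" 200 0
203.0.113.7 - - [02/Mar/2018:10:02:06 +0000] "POST /app/tunnel.jsp?cmd=forward HTTP/1.1" 200 0
203.0.113.7 - - [02/Mar/2018:10:02:06 +0000] "POST /app/tunnel.jsp?cmd=read HTTP/1.1" 200 1460
203.0.113.7 - - [02/Mar/2018:10:02:07 +0000] "POST /app/tunnel.jsp?cmd=forward HTTP/1.1" 200 0
203.0.113.7 - - [02/Mar/2018:10:02:07 +0000] "POST /app/tunnel.jsp?cmd=read HTTP/1.1" 200 1460
203.0.113.7 - - [02/Mar/2018:10:02:08 +0000] "POST /app/tunnel.jsp?cmd=read HTTP/1.1" 200 1460
203.0.113.7 - - [02/Mar/2018:10:02:09 +0000] "POST /app/tunnel.jsp?cmd=disconnect HTTP/1.1" 200 0
198.51.100.4 - - [02/Mar/2018:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.4 - - [02/Mar/2018:10:05:02 +0000] "POST /login.jsp HTTP/1.1" 302 -
"""

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the sample, the first two rules fire on the JBoss console and invoker requests and on every tunnel command, and the third fires because the same source POSTed seven times to `tunnel.jsp` while the ordinary client's single `login.jsp` POST stays under the threshold. The useful property for a healthcare SOC is that all three rules need nothing but existing web server logs; the cost of a false positive is a ticket, while a true positive here is the foothold stage that precedes the batch-script deployment the post describes.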

SamSam isn’t going away, either. AT&T Alien Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attack and recommendations for heading it off in the Open Threat Exchange (OTX), our community of 100,000 users who contribute threat intelligence, which AT&T Alien Labs also curates.

You can also get more details from the blog post “SamSam Ransomware Targeted Attacks Continue.” And you can find detailed recommendations for preparing for SamSam and other, related attacks from HHS, FBI and US-CERT.

This guest blog is part of a Channel Futures sponsorship.
