Server-side Ransomware SAMSAM Hits Healthcare Industry

samsam-ransomwareShortly after Locky—a new ransomware strain—was reported to have been responsible for an attack on a Kentucky hospital, a new ransomware family dubbed SAMSAM was discovered targeting the healthcare industry yet again. According to findings by Cisco Talos, SAMSAM is installed once the attackers exploit vulnerable servers, making it unique because unlike traditional ransomware, it does not rely on malvertising, or social engineering techniques such as malicious email attachments, for delivery. This particular ransomware variant appears to be distributed via unpatched servers and uses them to compromise additional machines which the hackers use to identify key data systems to encrypt—notably targeting the healthcare industry.

[READ: Locky Ransomware Strain Hits Methodist Hospital]

The attackers are leveraging JexBoss, an open source application server, and other Java-based application platforms by using exploits to get remote shell access to the server itself and install SAMSAM onto the targeted Web application server. The infected server is then used to spread the ransomware client to Windows machines by moving laterally through the network. Interestingly, victims are able to communicate with the attackers, and, as observed by Cisco Talos, a dialogue allows the victims and the perpetrator to negotiate the types of payment options available to the victims. As seen in some samples, a price of 1.5 bitcoin for a single system, or an option for bulk decryption of 22 bitcoin to decrypt all infected systems was being offered.

[How does ransomware work?]

The SAMSAM ransomware variant is reminiscent of, or based on SAMAS, a crypto-ransomware family known for its ability to encrypt files not only on the system it infects but also files across networks, including network-based backups. An alert released by the FBI also cautioned that the threat actors behind SAMAS are also taking advantage of the malware’s capability to “manually locate and delete” the backups, ultimately coercing businesses to either pay up or suffer critical data loss. This sort of ransomware attack behaves almost like a targeted attack, wherein the attacker chooses its targets and has discrete control over what happens, as opposed to more common crypto-ransomware variants that are automated.

In more recent news, the nonstop ransomware campaign against the healthcare industry is urgently pushing the FBI to call out security experts to expedite emergency assistance in its investigation into the ransomware. Trend Micro continues to monitor activities surrounding the SAMSAM and SAMAS ransomware.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from this threat. Strong password policies and the disabling of automatic macro loading in Office programs, along with regular patching schedules, are also among the valid and tested ways to keep ransomware at bay. And despite this threat’s attempt to render backup files useless, it is still an effective defense.

Additionally, Trend Micro™ Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This comprehensive, centrally-managed platform helps simplify security operations while enabling regulatory compliance and accelerating the ROI of virtualization and cloud projects.

It is important to note, however, that for backups, the 3-2-1 rule of backup still holds true: three backup copies minimum, preferably in two different formats, and one of those copies stored off-site/air-gapped from your network.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.