SAMSAM Ransomware Hits US Hospital, Management Pays $55K Ransom
Hancock Health, a regional hospital in Indiana, paid a $55,000 ransom following a ransomware attack that infected the hospital’s systems and hindered its operations. The infection took place on Thursday, January 11, when attackers deployed SamSam ransomware that encrypted files and renamed them with the phrase “I’m sorry.” The ransomware quickly affected operations, forcing the hospital’s IT staff to take down the network and fall back to pen and paper.
The hospital had backed up its data but decided to pay the ransom of four bitcoin, or $55,000. Hancock Health CEO Steve Long said that the files could have been recovered but restoring them would take days or weeks and could come at a cost. Long added that paying the small ransom made more sense from a business standpoint.
After receiving the ransom, the attackers released the files early Saturday, and the hospital’s computer systems were up and running by Monday. The hospital also released a statement that detailed the incident. The attack was not the result of an employee opening an infected email, but of hackers gaining access to the hospital’s system through a remote access portal and logging in with a vendor’s username and password.
SamSam is a ransomware family known for targeting the healthcare industry in the past. Unlike traditional ransomware, SamSam does not rely on malvertising or social engineering techniques like malicious email attachments. This ransomware variant appears to be distributed through unpatched servers and uses them to compromise additional machines that hackers use to identify key data systems to encrypt.
To defend against ransomware such as SAMSAM, it’s critical to safeguard networks with these tips in mind:
- Regularly back up critical data to minimize potential damage. A good strategy is keeping critical data in a secure location to allow the organization to quickly get back on its feet.
- Practice the 3-2-1 rule: create three backup copies on two different media with one copy stored offsite.
- Implement application whitelisting on endpoints to block all unknown and unwanted applications.
- Develop a security-oriented network segmentation plan. Properly identify and categorize users and the networks they access. Segmenting user privileges and network traffic adds an extra layer of protection to the organization’s most crucial data.
- Educate users on the dangers and signs of social engineering.
- Perform timely application of software patches from OS and third-party vendors.
- Ensure that security products are regularly updated and perform periodic scans.
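As an added detection example (not part of the original article), the rename indicator described above can be turned into a simple alert: a burst of files renamed to names containing “I’m sorry” on one host within a short window. The audit-log line format, the host names and the threshold are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the article: encrypted files renamed with the phrase "I'm sorry".
# Matches straight or curly apostrophes, case-insensitively.
SORRY_NAME = re.compile(r"i['’]m sorry", re.IGNORECASE)

# Constructed sample audit lines (hypothetical format, not real data):
# <ISO timestamp> host=<name> op=<operation> old=<path> new=<path>
SAMPLE_LOG = """\
2018-01-11T21:58:10 host=FS01 op=RENAME old=/data/a.doc new=/data/a.doc.bak
2018-01-11T22:14:01 host=FS01 op=RENAME old=/data/rx/1.pdf new=/data/rx/1.pdf.I'm sorry
2018-01-11T22:14:02 host=FS01 op=RENAME old=/data/rx/2.pdf new=/data/rx/2.pdf.I'm sorry
2018-01-11T22:14:02 host=FS01 op=RENAME old=/data/rx/3.pdf new=/data/rx/3.pdf.I'm sorry
2018-01-11T22:14:03 host=FS01 op=RENAME old=/data/rx/4.pdf new=/data/rx/4.pdf.I'm sorry
2018-01-11T22:14:05 host=FS01 op=RENAME old=/data/rx/5.pdf new=/data/rx/5.pdf.I'm sorry
2018-01-11T22:30:00 host=WS07 op=RENAME old=/home/u/notes.txt new=/home/u/I'm sorry.txt
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) op=(\S+) old=(.+?) new=(.+)$")

def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, op, old, new = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op, "old": old, "new": new}

def find_rename_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts where at least `threshold` renames to
    'I'm sorry' names fall inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["op"] == "RENAME" and SORRY_NAME.search(ev["new"]):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts
```

A single rename on WS07 stays below the threshold, while the five renames on FS01 within four seconds raise an alert; tune the threshold and window to the normal rename rate of each file server.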
Trend Micro Solutions
Enterprises can benefit from a multi-layered, step-by-step approach to best mitigate the risks brought by spam mail. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat.
Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud. For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware. For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Updates and technical information on this ransomware can be found in this article.