A recent wave of cyber “ransomware” attacks known as SamSam has impacted healthcare and governmental organizations throughout the country. The following unclassified summary of SamSam was adapted from a report developed by the Healthcare Cybersecurity and Communications Integration Center (HCCIC), in coordination with the HHS Computer Security Incident Response Center (CSIRC).
In 2018, there have been at least eight separate cyber-attacks on healthcare and government organizations utilizing a form of ransomware known as SamSam. This has included two Indiana-based hospitals, an electronic health record provider, and various systems and public services in Colorado, North Carolina, New Mexico, and Atlanta, Georgia.
Authorities believe these attacks are not necessarily targeted and appear to be more opportunistic in nature. As in previous campaigns, attackers are believed to gain initial access to the target systems through open vulnerabilities, before gaining access to additional computers once inside the network and deploying the SamSam malware.
In order to prevent attackers from gaining access to servers via RDP, as is the case with many ransomware events, the following mitigations strategies are recommended:
- restrict access behind firewalls and by using a RDP Gateway, VPNs
- use strong/unique username and passwords with two-factor authentication (2FA)
- limit users who can log in using remote desktop
- implement an account lockout policy to help thwart brute force attacks (set a maximum number of attempts before locking out the account)
The following practices should be considered to help ensure business and healthcare continuity in the face of potential disruptions from ransomware or other factors:
- Back up data regularly, and verify the integrity of those backups and test the restoration process to ensure it is working
- Conduct an annual penetration test and vulnerability assessment
- Secure your backups – ensure backups are not connected permanently to the computers and networks they are backing up. Examples include securing backups in the cloud or physically storing backup data offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously backup in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if infected, a backup may be the best way to recover critical data.
For more information, view the full report. For questions relating to the content in the report e-mail the HCCIC at HHSHCCIC@HHS.GOV.
This posting is being shared on behalf of the Healthcare and Public Health sector.