The cybercriminals behind SamSam ransomware have been highly active this year. 67 organizations have been attacked and have had files encrypted, of which 56 are in the United States. While the attacks have been conducted on a range of organizations, healthcare is the industry that has been most extensively targeted, accounting for 24% of attacks according to Symantec. Symantec has suggested healthcare organizations are either easy targets or the attackers believe there is a higher chance that the ransom will be paid.
The attackers behind SamSam ransomware use different tactics from most ransomware campaigns, which typically rely on email to infect end users. SamSam ransomware is deployed manually after access has been gained to a network. Network access is usually gained through attacks on Remote Desktop Protocol (RDP): brute-force attacks that exploit weak passwords, and RDP backdoors.
Once access has been gained, the attacker moves laterally and deploys the ransomware on as many computers and servers as possible before the encryption routine is run on all infected devices. This method causes maximum disruption, and with large numbers of devices encrypted, ransom payments are higher, usually tens of thousands of dollars.
Symantec remarks that the threat actors invest a lot of time in their attacks, which can often take several days from the initial compromise to file encryption. The threat actors use off-the-shelf administration and penetration testing tools such as PsExec to move through the network without being noticed, and the Mimikatz credential-harvesting tool to acquire passwords and compromise even more devices.
To minimize risk, healthcare organizations should take the following steps:
- Strengthen the perimeter defenses against attacks.
- Employ cybersecurity solutions that detect network intrusions and suspicious activity.
- Regularly create backup copies of files and store them offline.
- Use strong unique passwords and change all default passwords.
- Restrict login attempts to prevent brute force attacks.
- Generate reports of suspicious login activity.
- Restrict access to public-facing ports.
- Use multi-factor authentication on all programs and applications.
- Limit administration privileges.
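As an added illustration of the "restrict login attempts" and "report suspicious login activity" recommendations above, tied to the RDP brute-force entry point the article describes (this is example code, not from the article or from Symantec), the Python below flags any source address that produces a burst of failed RDP logons and records whether a successful RDP logon from that source followed. Event IDs 4625/4624 and LogonType 10 are the real Windows Security event values for failed logon, successful logon and remote interactive (RDP) logon; the key=value line layout and the sample lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value export of Windows Security
# events (a hypothetical layout, not the real event format). 4625 = failed
# logon, 4624 = successful logon; LogonType 10 = remote interactive (RDP).
SAMPLE_LOG = """\
2018-03-01T02:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2018-03-01T02:00:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-01T02:00:05 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2018-03-01T02:00:08 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2018-03-01T02:00:10 EventID=4625 LogonType=10 User=sa Src=203.0.113.7
2018-03-01T02:00:12 EventID=4624 LogonType=10 User=admin Src=203.0.113.7
2018-03-01T02:01:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4
2018-03-01T02:03:00 EventID=4625 LogonType=2 User=jsmith Src=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                   "lt": int(m["lt"]), "user": m["user"], "src": m["src"]}

def rdp_bruteforce_report(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold failed RDP logons inside a sliding
    window, recording the usernames tried and whether a successful RDP logon
    from that source followed (the sign that a password was guessed)."""
    failures = defaultdict(list)  # src -> [(ts, user), ...] within the window
    report = {}
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        if ev["lt"] != 10:        # only RDP logons are in scope
            continue
        src = ev["src"]
        if ev["eid"] == 4625:
            recent = [f for f in failures[src] if ev["ts"] - f[0] <= window]
            recent.append((ev["ts"], ev["user"]))
            failures[src] = recent
            if len(recent) >= threshold:
                report[src] = {"failures": len(recent),
                               "users": sorted({u for _, u in recent}),
                               "success_after": report.get(src, {}).get("success_after", False)}
        elif ev["eid"] == 4624 and src in report:
            report[src]["success_after"] = True
    return report
```

A flagged source with `success_after` set is the case to treat as a likely compromised account rather than just noise, since the article's attack chain starts exactly there.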