Healthcare Organizations Pummeled by SamSam Ransomware

The cybercriminals behind SamSam ransomware have been highly active this year. 67 organizations have been attacked and have had files encrypted, of which 56 are in the United States. While the attacks have been conducted on a range of organizations, healthcare is the industry that has been most extensively targeted, accounting for 24% of attacks according to Symantec. Symantec has suggested healthcare organizations are either easy targets or the attackers believe there is a higher chance that the ransom will be paid.

The attackers behind SamSam ransomware use different tactics to most ransomware attacks, which often use email to infect end users. SamSam ransomware is deployed manually after access has been gained to a network. Network access is usually gained through RDP attacks – brute force attacks that exploit weak passwords and RDP backdoors.

Once access has been gained, the attacker moves laterally and deploys the ransomware on as many computers and servers as possible before the encryption routine is run on all infected devices. This method causes maximum disruption and with large numbers of devices encrypted, ransom payments are higher – usually tens of thousands of dollars.

Symantec remarks that threat actors invest a lot of time into their attacks, which can often take several days from the initial compromise to file encryption. The threat actors utilize off-the-shelf administration and penetration testing tools like PsExec to move throughout the network without being noticed. The threat actors also use the Mimikatz hacking tool to acquire passwords to attack even more devices.

To minimize risk, healthcare organizations should take the following steps:

  • Strengthen the perimeter defenses against attacks.
  • Employ cybersecurity solutions to find network infiltrations and detect suspicious activity.
  • Regularly create backup copies of files and store them offline.
  • Use strong unique passwords and change all default passwords.
  • restrict login attempts to prevent brute force attacks.
  • Generate reports of suspicious login activity.
  • Restrict access to public-facing ports
  • Use multi-factor authentication on all programs and applications.
  • Limit administration privileges.
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: