The Spreading Epidemic of Hospital Ransomware
Ransomware including the new Samsam has been disrupting healthcare providers across the globe.
Cybercriminals have found a new, soft target for mass extortion schemes. Since February, at least a dozen hospitals have been affected by ransomware—malware that encrypts a victim's files until they pay a hefty bounty. Some of the victims have had to resort to using pen-and-paper and diverting emergency services to other hospitals while they try to regain control of their systems.
Judging by interviews with researchers working alongside the FBI on an active investigation into a related case, as well as others who have found serious issues with the security of hospitals and medical devices, the ransomware problem facing the healthcare sector may be set to get worse.
"We made a decision very quickly to shut down our systems," Ann Nickels, a spokesperson for MedStar Health, told Motherboard in a phone call. MedStar is a non-profit network that runs 10 hospitals in the Baltimore and Washington area and was attacked with malware earlier this week. As of Wednesday, computers in at least four associated hospitals remained offline. Nickels refused to say whether the attack involved ransomware, but staff at MedStar facilities have reportedly seen pop-ups on their computers demanding around $19,000 in bitcoin.
MedStar, it seems, is just the latest suspected victim of ransomware in a months-long campaign targeting the healthcare sector.
On February 5, the Hollywood Presbyterian Medical Center in Los Angeles was hit and eventually coughed up just under $17,000 to hackers in order to decrypt its files. At least two facilities in Germany were targeted around the same time, and a handful of computers at the Ottawa Hospital were infected in March. The Methodist Hospital in Henderson, Kentucky was targeted shortly after.
"Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services," the hospital said in a statement at the time.
The damage to many of these hospitals has been debilitating. Doctors pushed high-risk surgeries to later dates, records had to be faxed or hand-delivered, and written notes then had to be entered back into computers once everything was up and running again.
Even if certain systems weren't infected with malware, some hospitals still pulled the plug as a precaution, seriously affecting productivity.
"For security reasons we turned off all computers immediately," Dr. Andreas Kremer, a spokesperson for Lukas Hospital in Neuss, Germany, told Motherboard. "Working through our 700 computers is still ongoing, meanwhile many work stations got completely new hardware and the old devices were disposed [of] appropriately."
Near the start of the attack, the hospital had to cut down its emergency services for a few days, "because providing emergency care needs a fast system and we could not provide that," Kremer continued.
When asked how many computers MedStar uses, Nickels said, "We haven't even tried to provide that number, but it's affected our entire system."
"We detected an intrusion in our servers, and immediately acted to shut down our systems, and keep it from spreading elsewhere," she continued. "Our large system server. Not a single PC."
Although Nickels would not specify what kind of malware had infected MedStar's system, the fact that it targeted a server suggests it could have been Samsam, a new form of ransomware that is spreading like wildfire, and not just in hospitals. Ransom notes reportedly found on MedStar computers also resemble those from Samsam.
Samsam's most interesting innovation is that it requires no human interaction from the target before it starts encrypting files.
Typically with ransomware, a victim's machine might be infected by a malicious email attachment or a malware-laden advert. But Samsam doesn't target humans. It targets servers.
"Samsam is innovative, in that it actually decided to target server vulnerabilities," Craig Williams, senior technical leader from research group Talos, which is part of cybersecurity company Cisco, told Motherboard in a phone call. Talos has been researching Samsam and is actively working with the FBI on a criminal investigation into its use. Although Williams wouldn't name specific hospitals, he said Talos had received numerous reports from the healthcare industry about Samsam-related attacks.
The Samsam ransomware is so worrying that the FBI has published a direct call to the private sector, urgently asking for assistance in combating it.
In February, the FBI's Cyber Division distributed an industry alert about MSIL/Samas.A, another name used to label the Samsam ransomware. "In a new scheme, cyber criminals attempt to infect whole networks with ransomware and use persistent access to locate and delete network backups," it read, and gave the usual advice of creating offline backups of data so as to thwart the criminals' extortion attempts.
A month later, however, the FBI issued another alert, this time much more urgent.
"WE NEED YOUR HELP!" the document, obtained by Motherboard and originally reported by Reuters, reads. "If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately."
Samsam works by first exploiting vulnerabilities in JBoss application servers by using an open source, publicly available penetration testing tool called JexBoss.
"They literally have copied the exploits out of [JexBoss]," Williams said. From here, the hackers can move through the network onto other machines and encrypt their files.
"These attackers have done their reconnaissance," Williams added. "They've scanned the internet for this particular set of JBoss vulnerabilities, and set up a set of servers they wanted to attack, relatively simultaneously." Williams said the Samsam attackers appear to be new to the ransomware game, pointing to how their extortion price has steadily increased over the months, indicating that the attackers are still trying to figure out how much money they can squeeze from victims. Williams added that the Samsam attackers have also targeted other industries, such as gaming and construction, since December.
According to him, Samsam has raked in around $115,000 as of earlier this month, but has since seen a significant increase in successful extortions. On Wednesday, Williams also said his team had found tens of thousands of servers vulnerable to the issues the Samsam attackers were leveraging, but it wasn't immediately clear if all the servers were exploitable.
Fortunately, at least when it comes to the Samsam ransomware, there is a very easy solution.
"Patch your servers. Backup your data. Done," Williams said. "This isn't one of those situations where they need to educate every user." Since the malware doesn't rely on a human mistakenly downloading it, one gullible click won't cause an infection. That's only the case with Samsam though—mitigating more traditionally delivered ransomware would still need hospital staff to be vigilant.
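The two defensive points the article makes, the FBI alert's warning that attackers use their access to locate and delete network backups, and Williams's "Patch your servers. Backup your data.", both rest on the same practice: keep a copy of your backup's integrity record somewhere the attacker cannot reach, and check the live copy against it. The script below is an added example of that check, not code from the article, the FBI, Talos or any hospital named here. It builds a SHA-256 manifest of a backup directory (the manifest is what you would copy to offline media), later re-walks the directory, and reports missing, modified and new files; when the share of missing plus modified files crosses a threshold, it flags the bulk-change pattern that encryption or backup deletion leaves behind. All file names, contents and the threshold value are constructed for the demonstration.

```python
"""Backup manifest check: verify that a backup set is still intact and flag
the mass-change / mass-deletion pattern left by ransomware.

Added example; not code from the article or the organisations it names.
Every path and file used by demo() is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, change_threshold=0.25):
    """Compare the live backup under root against a manifest stored elsewhere.

    Returns the lists of missing, modified and new files plus 'suspicious',
    which is True when the share of missing+modified files exceeds
    change_threshold (a constructed value; tune it to your churn rate).
    A legitimate incremental backup changes a few files; bulk encryption or
    deletion changes most of them at once.
    """
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    new = sorted(p for p in current if p not in manifest)
    affected = len(missing) + len(modified)
    ratio = affected / len(manifest) if manifest else 0.0
    return {
        "missing": missing,
        "modified": modified,
        "new": new,
        "changed_ratio": ratio,
        "suspicious": ratio > change_threshold,
    }


def demo():
    """Constructed scenario: a clean backup set, then most records are
    overwritten with random bytes and one archive is deleted."""
    with tempfile.TemporaryDirectory() as root:
        files = {f"records/patient_{i}.txt": f"record {i}\n".encode() for i in range(8)}
        files["archive/backup_2016_03.tar"] = b"tar-archive-placeholder"
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        manifest = build_manifest(root)
        offline_copy = json.dumps(manifest)  # what you would write to offline media
        clean = verify_backup(root, json.loads(offline_copy))

        # Simulate the damage: 6 of 8 records replaced by pseudo-ciphertext and
        # the backup archive removed, as the FBI alert describes.
        for i in range(6):
            with open(os.path.join(root, f"records/patient_{i}.txt"), "wb") as f:
                f.write(os.urandom(64))
        os.remove(os.path.join(root, "archive/backup_2016_03.tar"))
        after = verify_backup(root, json.loads(offline_copy))
        return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("clean suspicious:", clean["suspicious"])
    print("after suspicious:", after["suspicious"], "ratio:", round(after["changed_ratio"], 3))
    print("missing:", after["missing"])
```

The manifest only helps if it is written to media the compromised network cannot modify, which is the point of the FBI's offline-backup advice; a manifest kept on the same share as the backups would be deleted or rewritten along with them. The threshold comparison is deliberately simple so it can run from a cron job against every backup set and page an operator rather than silently overwriting the last good copy.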
It is not clear how many of the recent hospital cases can be directly linked to Samsam.
"For the other types of ransomware targeting hospitals, I don't think they're related," Williams said. "I think it's a simple copycat thing." At least one of the attacks in Germany, for example, reportedly started from a malicious email attachment; Kremer from the Lukas Hospital told Motherboard their investigation was still ongoing.
Even if the FBI and industry do start to get a grip on Samsam, the way some medical networks are designed means the ransomware threat facing hospitals may get even worse, and the problems aren't likely to be addressed any time soon.
Sergey Lozhkin, a senior researcher at Kaspersky Lab, said this is because "in lots of cases medical equipment is not isolated from the local office network." Last month, he detailed the results of his penetration test of a Moscow hospital. Among other issues, Lozhkin discovered a login portal for a CT scan machine on the open internet, and once inside the hospital's local network, he found a control panel for an MRI machine that was not password protected.
"If somehow ransomware gets inside the hospital, it could spread through the internal network" and manage to get onto medical devices, Lozhkin said. After all, medical devices are often, at bottom, just computers, with some running the same operating systems as office desktops, such as Windows XP. Security of these devices has largely been an afterthought, with efficiency naturally pegged as the highest priority.
Ultimately, there's only really one way to help ward off ransomware attacks: not paying the hackers.
"The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes," an FBI official told Motherboard.
"The problem is, as long as people continue to pay that ransom, not only are they funding the development of future versions of ransomware that are going to become even more insidious, but they're also encouraging other malware authors to move towards ransomware," Williams said.
"Until users start backing up their hard drive, and not paying the ransom, this is only going to continue to be a problem."
Pascale Mueller contributed reporting.