Ransomware extortion schemes against hospitals have been on the rise since February. The malware encrypts a victim’s files until they pay a hefty ransom to release them, and some of the victims have had to resort to pen and paper and divert emergency patients to other facilities while they try to regain control of their systems.
The FBI is actively investigating the ransomware cases, and others have found serious issues with the security of hospitals and medical devices; the problem facing the healthcare sector may be set to get worse, according to Ars Technica.
“We made a decision very quickly to shut down our systems,” Ann Nickels, a spokesperson for MedStar Health, told Motherboard in a phone call. MedStar is a non-profit network that runs 10 hospitals in the Baltimore and Washington area and was attacked with malware earlier this week.
As of Wednesday, computers in at least four associated hospitals remained offline. Nickels declined to say whether the attack involved ransomware, but staff at MedStar facilities have reportedly seen pop-ups on their computers demanding around $19,000 in bitcoin. MedStar, it seems, is just the latest suspected victim of ransomware in a months-long campaign targeting the healthcare sector.
On February 5, the Hollywood Presbyterian Medical Center in Los Angeles was hit and eventually coughed up just under $17,000 to hackers in order to decrypt its files. At least two facilities in Germany were targeted around the same time, and a handful of computers at the Ottawa Hospital were infected in March. The Methodist Hospital in Henderson, Kentucky was targeted shortly after.
“Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services,” the hospital said in a statement at the time. The damage to many of these hospitals has been debilitating. Doctors pushed high-risk surgeries to later dates, records had to be faxed or hand-delivered, and written notes then had to be entered back into computers once everything was up and running again.
Even if certain systems weren’t infected with malware, some hospitals still pulled the plug as a precaution, seriously affecting productivity.
“For security reasons we turned off all computers immediately,” Dr. Andreas Kremer, a spokesperson for Lukas Hospital in Neuss, Germany, told Motherboard. “Working through our 700 computers is still ongoing, meanwhile many work stations got completely new hardware and the old devices were disposed [of] appropriately.”
Near the start of the attack, the hospital had to cut down its emergency services for a few days, “because providing emergency care needs a fast system and we could not provide that,” Kremer continued. When asked how many computers MedStar uses, Nickels said, “We haven’t even tried to provide that number, but it’s affected our entire system.”
“We detected an intrusion in our servers, and immediately acted to shut down our systems, and keep it from spreading elsewhere,” she continued. “Our large system server. Not a single PC.”
Although Nickels would not specify what kind of malware had infected MedStar’s system, the fact that it targeted a server suggests it could have been Samsam, a new form of ransomware that is spreading like wildfire, and not just in hospitals. Ransom notes reportedly found on MedStar computers also resemble those from Samsam.
Samsam’s most interesting innovation is that it requires no interaction from anyone at the target in order to start encrypting files. Typically with ransomware, a victim’s machine is infected when a user opens a malicious email attachment or visits a malware-laden advert. But Samsam doesn’t target humans. It targets servers.
“Samsam is innovative, in that it actually decided to target server vulnerabilities,” Craig Williams, senior technical leader from research group Talos, which is part of cybersecurity company Cisco, told Motherboard in a phone call. Talos has been researching Samsam and is actively working with the FBI on a criminal investigation into its use. Although Williams wouldn’t name specific hospitals, he said Talos had received numerous reports from the healthcare industry about Samsam-related attacks.
The Samsam ransomware is so worrying that the FBI has published a direct call to the private sector, urgently asking for assistance in combating it.
In February, the FBI’s Cyber Division distributed an industry alert about MSIL/Samas.A, one of the other names used for the Samsam ransomware. “In a new scheme, cyber criminals attempt to infect whole networks with ransomware and use persistent access to locate and delete network backups,” it read, and gave the usual advice of creating offline backups of data so as to thwart the criminals’ extortion attempts.
According to the FBI, Samsam had raked in around $115,000 as of earlier this month, and has since seen a significant increase in successful extortions. On Wednesday, the bureau also said it had found tens of thousands of servers vulnerable to the issues the Samsam attackers were leveraging, though it wasn’t immediately clear whether all of those servers were actually exploitable.
Hospitals and private companies are being asked to patch their servers and back up their data regularly. Since the malware doesn’t rely on a human mistakenly downloading it, staff vigilance alone won’t stop a Samsam infection; patching is what closes the door. That is only the case with Samsam, though. Mitigating more traditionally delivered ransomware would still need hospital staff to be wary of what they click.
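The FBI alert above warns that intruders with persistent access locate and delete reachable network backups, which is why both it and the closing advice stress offline backups. The script below is an added example, not code from the article, the FBI alert or Talos: it probes a list of backup targets from the production host and flags any that the host can write to and delete from, since a backup the host can delete is one an attacker on that host can delete before triggering encryption. The directory layout it builds (a writable share, a read-only mount, an unmounted vault) is constructed for the demonstration; the names are assumptions, not real infrastructure.

```python
"""Audit backup targets reachable from this host (added example, not from the article).

A backup that the production host can write to and delete from is reachable by
anyone who compromises that host with the same privileges. The FBI advice to
keep backups offline is a direct response to attackers deleting such copies.
"""
import os
import shutil
import stat
import tempfile
import uuid


def classify_backup_target(path: str) -> str:
    """Return 'unreachable', 'read-only' or 'writable' for a backup directory.

    'writable' means this host (and therefore an intruder running as this
    account) can create and delete files there. The probe actually creates and
    removes a marker file, because os.access() can disagree with ACLs, read-only
    mount options and network-share permissions.
    """
    if not os.path.isdir(path):
        return "unreachable"  # not mounted or not present: offline from here
    probe = os.path.join(path, f".backup-audit-{uuid.uuid4().hex}")
    try:
        with open(probe, "x") as fh:  # 'x' fails if the marker already exists
            fh.write("probe")
        os.remove(probe)
    except OSError:
        return "read-only"
    return "writable"


def audit_backup_targets(targets: dict) -> dict:
    """Map each label (e.g. 'nas-share') to its classification."""
    return {label: classify_backup_target(path) for label, path in targets.items()}


def at_risk(report: dict) -> list:
    """Labels of targets an intruder on this host could wipe before encrypting."""
    return sorted(label for label, state in report.items() if state == "writable")


def demo():
    """Constructed layout: one writable share, one read-only mount, one offline vault.

    Note: when run as root the read-only directory is still writable, because
    root bypasses mode bits; that is itself a finding worth recording.
    """
    root = tempfile.mkdtemp(prefix="backup-audit-")
    targets = {
        "nas-share": os.path.join(root, "nas-share"),   # mounted read-write
        "ro-mount": os.path.join(root, "ro-mount"),     # mounted read-only
        "tape-vault": os.path.join(root, "tape-vault"), # never created: offline
    }
    os.makedirs(targets["nas-share"])
    os.makedirs(targets["ro-mount"])
    os.chmod(targets["ro-mount"], stat.S_IRUSR | stat.S_IXUSR)  # r-x: list, not write
    try:
        report = audit_backup_targets(targets)
        return report, at_risk(report)
    finally:
        os.chmod(targets["ro-mount"], stat.S_IRWXU)  # restore so cleanup works
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report, risky = demo()
    for label, state in report.items():
        print(f"{label:12s} {state}")
    print("deletable from this host:", risky)
```

The classification is deliberately a live probe rather than a permission lookup: the question that matters is not what the ACL says but whether the account the attacker will be running as can actually remove the backup. Anything reported as writable should be moved behind credentials the production host does not hold, made immutable on the storage side, or taken offline, which is what the FBI alert is asking for.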