There’s hardly a day anymore that we don’t hear about a
hospital being hit with ransomware. But while most have been infected
via phishing emails
carrying or linking to the malware, the latest incidents show a new
modus operandi when it comes to malware delivery: compromising servers
by leveraging vulnerabilities and spreading the ransomware to Windows
machines from there.
Latest (public) victim
An example of this attack is that which hit US-based not-for-profit
healthcare organization MedStar Health, which operates ten hospitals in
the Baltimore–Washington area.
According to Ars Technica,
the MedStar Union Memorial Hospital in Baltimore is at the center of
the attack, and the ransomware has been spread to other MedStar
hospitals in Maryland.
The organization announced the attack on March 28, when it said that
its IT system was affected by a virus that prevents certain users from
logging in to the system.
“MedStar acted quickly with a decision to take down all system
interfaces to prevent the virus from spreading throughout the
organization,” they reassured, and in the coming days they repeatedly noted
that there was “no evidence that patient information has been
compromised or stolen in any way.” They also claimed that the quality of
patient care was not affected.
The malware
Curiously enough, MedStar never once said that the malware in question is ransomware, but The Baltimore Sun reporters discovered that it’s Samas (aka MSIL, aka Samsam).
This is the same ransomware that the FBI has been warning US
businesses about through several alerts sent out in the last two months
or so.
“The February message contained some technical details but did not
call for help. It said that MSIL/Samas.A targets servers running
out-of-date versions of a type of business software known as JBOSS,”
Reuters reported.
“In its latest report, the FBI said that investigators have since
found that hackers are using a software tool dubbed JexBoss to automate
discovery of vulnerable JBOSS systems and launch attacks, allowing them
to remotely install ransomware on computers across the network.”
The alert also included indicators of compromise to help organizations determine if they have been hit with it.
Cisco researchers published a great write-up
about Samsam’s capabilities, and noted that unlike with previous
ransomware, this one is self-sufficient. “Once installed on a machine
there is no beaconing or C2 activity,” they pointed out.
Microsoft has also warned about the Samas ransomware.
Ransomware: A successful cyber crime business model
“The SamSam campaign is unusual in that it is taking advantage of
remote execution techniques instead of targeting the user. Adversaries
are exploiting known vulnerabilities in unpatched JBoss servers before
installing a web shell, identifying further network connected systems,
and installing SamSam ransomware to encrypt files on these devices,”
Cisco researchers explained.
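Because Samas does no beaconing or C2 traffic once installed, the earliest signal in the chain Cisco describes is the server-side probing of JBoss management endpoints that precedes the web shell. The following is an added example, not code from the article or from Cisco, that runs that check over constructed web server access log lines; the endpoint paths are the well-known JBoss console and invoker paths that JexBoss-style scanners probe, which this page does not name and which are listed here as an assumption.

```python
import re
from collections import defaultdict

# Well-known JBoss management endpoints probed by JexBoss-style scanners.
# Assumption: these paths are not named on the page.
JBOSS_MGMT_PATHS = (
    "/jmx-console/",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/admin-console/",
)

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_jboss_probes(lines):
    """Map source IP -> [(ts, method, path, status)] for hits on management paths."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching
        if any(path.startswith(p) for p in JBOSS_MGMT_PATHS):
            hits[rec["src"]].append((rec["ts"], rec["method"], path, int(rec["status"])))
    return dict(hits)

def flag_sources(hits, min_distinct=2):
    """Flag a source that walks several management paths (scanner behaviour)
    or that POSTs successfully to one of them (possible invoker abuse)."""
    flagged = {}
    for src, reqs in hits.items():
        distinct = {r[2] for r in reqs}
        posted_ok = any(r[1] == "POST" and r[3] == 200 for r in reqs)
        if len(distinct) >= min_distinct or posted_ok:
            flagged[src] = sorted(distinct)
    return flagged

# Constructed sample log lines (not from the page); 203.0.113.7 behaves like a scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2016:02:14:09 +0000] "GET /jmx-console/ HTTP/1.1" 200 4012
203.0.113.7 - - [28/Mar/2016:02:14:10 +0000] "HEAD /web-console/Invoker HTTP/1.1" 200 0
203.0.113.7 - - [28/Mar/2016:02:14:11 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1294
198.51.100.3 - - [28/Mar/2016:02:15:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 8831
198.51.100.9 - - [28/Mar/2016:02:15:30 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for src, paths in flag_sources(find_jboss_probes(SAMPLE_LOG.splitlines())).items():
        print(src, paths)
```

A single 401 on one console path (the 198.51.100.9 line) is left unflagged, since management endpoints that are actually locked down produce such noise; the flagged case is the source that enumerated three paths and got a 200 on a POST to the invoker.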
They have been following this particular campaign for a while now,
and have watched the ransom demanded to decrypt one of the affected PCs
jump from 1 bitcoin to 1.7 bitcoin. At the time (a week ago), they
found that the crooks had already “earned” themselves over 275 bitcoin
(around $115,000).
According to the Baltimore Sun, the attackers are demanding 3 bitcoins
from MedStar for the decryption key for one infected computer, or 45
bitcoins for the keys for all of them.
Whether the organization paid the ransom or not is unknown at this
time, but apparently they are close to restoring all their systems and
networks.