Hospital servers in crosshairs of new ransomware strain

SamSam virus is highly contagious and Bitcoin's the only known cure


Security types are warning hospitals to stay on alert for a "widespread campaign" targeting vulnerable servers with new strains of ransomware.

The SamSam ransomware variant targets vulnerable servers with criminals breaking into networks and infecting as many systems as they can access.

Cisco's Talos threat man Nick Biasini says SamSam's writers are popping servers in the healthcare sector, using stolen logins to infect individual systems.

"Cisco Talos is currently observing a widespread campaign leveraging the Samsam (Samas, MSIL.B/C) ransomware variant," Biasini says.

"This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.

"A particular focus appears to have been placed on the healthcare industry."

Jboss application servers are being targeted using the JexBoss security testing tool, he says.

According to an Intel February report [PDF] attackers have also used the csvde.exe tool to harvest Active Directory credentials which helps with lateral movement for further ransomware infection.

SamSam victims pay up.

SamSam and a separate strain Maktub are further unique in that file encryption takes place offline and does not use the usual command and control infrastructure for payment.

Maktub, however, spreads through typical phishing campaigns according to a MalwareBytes security wonk known as Hasherezade, who says the code will both encrypt and compress files in a likely attempt to speed up the infection process.

Maktub will not infect systems that have the Russian keyboard locale activated, in a likely bid to avoid drawing local law enforcement heat.

"Maktub Locker has clearly been developed by professionals," she says. "The full product’s complexity suggests that it is the work of a team of people with different areas of expertise."

SamSam by contrast appears to be the work of amateurs to the ransomware game, Check Point security bod Gil Sasson says.

While Maktub victims are pointed to a payments site and offered two free file decryptions, SamSam casualties are asked to pay the one Bitcoin per machine ransom before noting the proof of payment in the comments section of their blogs.

Those who pay are promised a copy of decryption software along with a private key, according to the Intel report. Once files are decrypted, SamSam deletes itself.

VirusTotal checks against a related MD5 show it is detected by one antivirus platform as a generic malware tool.

Attackers have removed the latest Wordpress sites, eliminating the ability to review victim comments.

Intel reckons in its February report that "many" victims have paid the SamSam ransom. ®


Other stories you might like

  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading
  • Cisco EVP: We need to lift everyone above the cybersecurity poverty line
    It's going to become a human-rights issue, Jeetu Patel tells The Register

    RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

    "It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

    "This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

    Continue reading
  • Healthcare organizations face rising ransomware attacks – and are paying up
    Via their insurance companies, natch

    Healthcare organizations, already an attractive target for ransomware given the highly sensitive data they hold, saw such attacks almost double between 2020 and 2021, according to a survey released this week by Sophos.

    The outfit's team also found that while polled healthcare orgs are quite likely to pay ransoms, they rarely get all of their data returned if they do so. In addition, 78 percent of organizations are signing up for cyber insurance in hopes of reducing their financial risks, and 97 percent of the time the insurance company paid some or all of the ransomware-related costs.

    However, while insurance companies pay out in almost every case and are fueling an improvement in cyber defenses, healthcare organizations – as with other industries – are finding it increasingly difficult to get insured in the first place.

    Continue reading

Biting the hand that feeds IT © 1998–2022