Analysis One of the largest clinical testing specialists in the US, LabCorp Diagnostics, is coming out of recovery mode a week after being hit with ransomware – reportedly SamSam, the same malware that brought the US city of Atlanta to a standstill earlier this year.
LabCorp has not confirmed that the malware was SamSam, but several reports have cited "people familiar with the matter" saying it was.
It has since been reported that the attack, which struck around 14 July, may have been more serious than the notification suggested.
City of Atlanta's IT gear thoroughly pwned by ransomware nastyREAD MORE
Quoting unnamed sources familiar with the probe, CSO Online reported that the attackers had gained access to the network by brute-forcing credentials on a resource accessible via Remote Desktop Protocol (RDP), after which the first server was encrypted.
LabCorp's Security Operations Centre reportedly contained the spread of the malware in less than an hour. However, despite this, in that short window the malware is alleged to have managed to reach thousands of systems and servers, including hundreds of production servers important for day-to-day operations.
Patient data was not thought to have been breached in an attack.
"Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days," LabCorp said in a follow-up statement to journalists.
"As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement. Our investigation has found no evidence of theft or misuse of data."
If the reports are true and the ransomware was SamSam, several elements of this attack stand out, starting with the unusual aggressiveness of its spread even once it had been detected – clearly, defenders don't have minutes to mitigate, they have seconds.
This has been noticed in previous SamSam attacks as a feature of its design, in which the payload is decrypted manually at runtime by a remote attacker with a password. This makes it hard to detect, let alone analyse forensically, when it has deleted traces of itself.
A second is the consistent targeting of RDP and VNC in which the attackers hunt for and compromise remote access gateways that are protected by weak credentials.
In the case of Hancock Health hospital in Indiana, criminals broke in after finding a box with an exploitable RDP server before injecting their ransomware into connected computers.
Finding open ports or outdated software versions isn't hard to do using public tools such as Shodan, which raises the question of why defenders don't comb their own networks for open ports in a similar fashion.
Hospital injects $60,000 into crims' coffers to cure malware infectionREAD MORE
The final part of the SamSam playbook is the targeting of companies in the medical sector. Although the most infamous incident involving this malware was the city of Atlanta in March, disruptive attacks on medical practice management software provider Allscripts as well as Adams Memorial Hospital, also in Indiana, just a few weeks earlier underlined this targeting preference.
On that score, attackers who use the nasty appear to have achieved a level of success. Ransoms are usually below $50,000, with some victims reportedly paying up, which possibly encourages more attacks.
As LabCorp is doubtless finding out to its cost, the alternative is days or even weeks of disruption. ®