
Ransomware on the Rise in the Healthcare Sector: Watch Out for Samsam and Maktub Locker

Recently, hospitals and other healthcare organizations have been hit by a wave of ransomware attacks, and the attacks have grown more sophisticated over time. Two ransomware strains are currently being reported in hospital systems: Samsam (also tracked as MSIL/Samas.A and its .B/.C variants) and Maktub Locker.

With Samsam, attackers gain access to the network by exploiting unpatched vulnerabilities in JBoss application servers. From the compromised server, Samsam spreads across the network to other connected machines. Maktub Locker, by contrast, is reported to arrive through spam or phishing e-mails with a weaponized attachment (such as a .ZIP file containing a document) and to begin encrypting files while the user still has the document open. From the infected machine, Maktub Locker then reaches connected systems and network drives.

Both Samsam and Maktub Locker encrypt files and data, including any backups they can reach, and neither needs to contact a command-and-control server to obtain an encryption key. That matters for defenders: blocking or monitoring outbound command-and-control traffic will not stop the encryption once it has started. Maktub Locker is also reported to compress files before encrypting them. Both strains use strong, modern encryption, so encrypted files cannot be recovered without the key. (Please note: many other ransomware strains exist; these are only two examples.)
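The Maktub Locker delivery path described above (a .ZIP attachment wrapping a document) is something a mail gateway or analyst can triage without opening anything. The following is an added example written for this page, not code from the original post or from any of the vendor write-ups linked below: it walks the attachments of an e-mail message, opens ZIP attachments in memory, and flags archive members that are documents, executables, nested archives, password-protected (which defeats content scanning) or suspiciously well compressed. The sample message, the file-extension lists and the compression-ratio threshold are assumptions constructed for the demonstration; tune them to local policy.

```python
"""Attachment triage for the archive-wrapped-document lure described above.
Added example for this page; the sample message is constructed, not captured."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Assumed extension lists for the example; adjust to local policy.
DOCUMENT_EXTS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsm", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
MAX_RATIO = 100  # assumed threshold: members expanding beyond this look like decompression bombs


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_zip(data: bytes) -> list:
    """Inspect a ZIP payload in memory without extracting any member.
    Returns a list of (member_name, reason) findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            # Central-directory metadata is enough for these checks; nothing is inflated.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((info.filename, "suspicious compression ratio"))
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((info.filename, "encrypted member (evades content scanning)"))
            if ext in DOCUMENT_EXTS:
                findings.append((info.filename, "document inside archive"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable inside archive"))
            elif ext in ARCHIVE_EXTS:
                findings.append((info.filename, "nested archive"))
    return findings


def triage_message(raw: bytes) -> list:
    """Walk every attachment of an RFC 822 message and triage ZIP payloads.
    Returns a list of (attachment_name, member_name, reason)."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too: a renamed archive still opens in most mail clients.
        if _ext(name) == ".zip" or payload.startswith(b"PK\x03\x04"):
            for member, reason in triage_zip(payload):
                findings.append((name, member, reason))
        elif _ext(name) in EXECUTABLE_EXTS:
            findings.append((name, name, "executable attachment"))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure: an 'invoice' e-mail carrying a ZIP that wraps a document."""
    archive = build_sample_zip({"Invoice_2016-03.docm": b"not a real document, constructed for the example"})
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "records@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member, reason in triage_message(build_sample_message()):
        print(f"{att} -> {member}: {reason}")
```

The checks read only the ZIP central directory, so a decompression bomb or an encrypted member is reported without ever inflating it. Quarantining on "document inside archive" alone will generate noise in organizations that legitimately exchange zipped documents; in practice this signal is combined with sender reputation and macro/content inspection of the extracted document in a sandbox.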

Technical information, including potential indicators of compromise, can be found here:

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Samas.A

http://blog.talosintel.com/2016/03/samsam-ransomware.html

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_maktub.a

http://www.bleepingcomputer.com/news/security/the-art-of-the-maktub-locker-ransomware/

https://developer.jboss.org/wiki/SecureJboss

The following are tips on what you can do to protect yourself and your organization from ransomware:

  • Perform regular backups of your files and data. Back up frequently (continuous or real-time backup may be ideal) and store your backups offline or externally, where ransomware that reaches your network cannot encrypt them. Test that you can actually restore from them.
  • Keep your anti-virus software up to date and do not disable or bypass it.
  • Make sure your firewall is properly configured.
  • Segment your network so that one infected machine cannot reach every other system and shared drive.
  • Conduct regular risk assessments.
  • Patch and upgrade your operating systems, applications (including application servers such as JBoss), plug-ins, and firmware to the most current version as expeditiously as possible. Disable any unnecessary plug-ins.
  • Do not catch that phish. When in doubt, throw it out; do not open unexpected attachments, especially archives containing documents.
  • Use good security hygiene, including least-privilege accounts so that malware running as a user cannot reach more than that user needs.
  • Conduct mock exercises, such as restoring from backup and tabletop incident-response drills.
  • Be more resilient by learning from other security incidents and addressing gaps and deficiencies.

If you suspect that your machine may have been infected by ransomware, disconnect it from the network and, in addition to contacting your IT department, consider engaging a computer forensics expert and notifying a law enforcement authority such as the Federal Bureau of Investigation (CyWatch or your local field office). The FBI's Malware Investigator, a tool for submitting suspected malware files for analysis, is another helpful resource.

Keywords: privacy and security, HIMSS, ransomware