On January 11th, Hancock Regional Hospital in Indiana discovered that their computers had been infected with SamSam ransomware, a malware variant which has existed since early 2016. The hospital decided to pay the four Bitcoin ransom in order to get their files decrypted, which was worth around $55,000 USD at the time.
I know what you must be thinking. "Here’s another institution which couldn’t recover from a cyberattack properly because they didn’t bother to keep backups!" No, they had backups.
Hancock Regional Hospital is the anchor of the Hancock Health network, with several facilities in the area east of Indianapolis. The Regional Hospital itself is in Greenfield, Indiana.
When hospital workers discovered the SamSam attack on January 11th, they engaged their incident response and crisis management plan and got their legal team and an outside cybersecurity firm involved. They also contacted the FBI’s cybercrime task force.
They had full backups of all of the data that SamSam encrypted.
Hancock Regional Hospital not only initiated effective incident response, they were properly prepared for such an event. They were also candid with the public in their press releases. From what I can see, they did absolutely everything right.
“We were in a very precarious situation at the time of the attack,” Hancock Health CEO Steve Long said. “With the ice and snow storm at hand, coupled with the one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”
Emails with malicious attachments are a common attack technique for ransomware campaigns, including SamSam specifically. But Hancock Health confirms that SamSam did not enter their computer network by that method.
Instead, the point of entry was a computer with the Remote Desktop Protocol open to the Internet, and a vendor’s username and password were used. More than 1,400 of the hospital’s files were encrypted by SamSam, and each file was renamed “I’m sorry.” That’s some sad irony on the cyber attacker’s part.
What is SamSam Ransomware?
SamSam emerged around March 2016, and its first attacks were targeted at specific business and institutional victims. Brian Krebs reported in September 2016 that it’s believed that SamSam most often targets healthcare firms.
The vulnerabilities it exploits are in JBoss enterprise products, leveraging the opensource JexBoss tool for that purpose. SamSam encrypts with a 2048-bit RSA algorithm, one of the strongest cyphers available. Theoretically, no cryptographic technology is impossible to crack with enough computing power, time, and good mathematics, but a good 2048-bit RSA implementation is pragmatically near impossible to crack with current technology, even with the resources of large corporations and institutions.
No More Ransom is an excellent service for individuals and enterprises who are hit by ransomware. But of the many strains of ransomware that No More Ransom offers free decryption tools for, SamSam isn’t one of them, as of this writing.
As of this time, there’s no practical way for any entity to decrypt files affected by SamSam. Decryption wasn’t an option for Hancock Health.
So, What About the Backups?
Everyone with sensitive or important data should make backups, preferably on external disks or some combination of cloud servers and external disks that one has physical access to. Ransomware victims should avoid paying ransoms to their cyber attackers, as sometimes an attacker won’t decrypt files even when a ransom is paid, and all payments made to ransomware cyber attackers make ransomware profitable for criminals and encourages those actions to continue. That’s the common wisdom of cybersecurity professionals.
But what about the everyday reality of healthcare institutions like Hancock Regional Hospital? The files SamSam encrypted included patient data that needs to be available at all times in order for the hospital to function properly.
Hancock Health assures that life-sustaining and support systems of the hospital remained unaffected during the ordeal. They also assure that patient data wasn’t transferred outside of the hospital’s network. That makes sense, because ransomware typically just encrypts, it usually doesn’t behave like spyware. But still, imagine that a nurse and a physician are treating a patient with drugs and they need to make sure that the patient isn’t on any other drugs that would react badly with the recommended medication.
Hospital staff did their best to record patient data with pen and paper while they lacked access to digital records. But what if they need information that was recorded prior to the ransomware attack? Also, keeping information with pen and paper will eventually become very difficult in a system with thousands of patients. Hancock Health said that recovering from their backups could have taken weeks. They made a difficult decision in favor of offering their patients the best care as soon as possible.
Hancock Health contained the SamSam infection by January 12th, the day after the attack. That’s also the day they paid the ransom. By January 15th, Hancock Health’s entire network recovered completely and resumed normal operations.
Without knowing further details about how Hancock Health’s computer network and backups operate, here’s the best advice I can come up with: The SamSam attack vector was an open Remote Desktop Protocol, and the attacker acquired access with a third-party vendor’s username and password.
Hancock Health should review how they implement the RDP protocol. How do they use it, and why do they need it? If they absolutely must use RDP and they can’t use other protocols or software for remote access, then they must work to harden their RDP implementation as much as possible. RDP should be open on as few client and server machines as they can possibly get away with, and the principle of least privilege must be applied to all RDP user accounts.
Recovering data that the hospital needs on an everyday basis clearly takes too long to be practical. Is it possible for Hancock Health to have an entire redundant backup network? The backup network would need to have all of the data and software that the production network has and it also must be completely isolated from the Internet except when it needs to be used in an emergency situation, such as in a ransomware attack.
Can Hancock Health afford such a system? Do they have the physical space for the necessary extra computers, either in one of their own facilities or at a trusted third-party site? Can they pay the necessary extra staff and overhead?
I’m just an ordinary user, and I work out of my home office. I have an external 4 TB HDD which I backup all of my desktop’s master HDD’s data onto on a daily basis. If my personal computer needed to recover from ransomware, it would take me less than a few hours to recover completely, assuming everything worked as it’s supposed to.
But my situation is entirely different from that of an institution with hundreds of employees and thousands of patients. There’s simply no ‘apples to apples’ comparison between my LAN and a hospital’s internal computer network.
All of us entities who make backups feel confident and perhaps smug because we believe that we’re completely prepared for ransomware to strike. But perhaps those of us who make backups, especially large enterprises, should ask ourselves if it’s pragmatic for us to restore from our backups if we become ransomware victims.
About Kim Crawley
Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, and was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.
The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.