By Matt Gross


This week, SamSam ransomware is back in the news with an attack on the Atlanta city government.


City of Atlanta attacked with ransomware


The city of Atlanta has reported that both internal and customer-facing computers are down with impact on multiple systems including bill payment and access to court information. The city claims that public safety, water and airport operations departments are not impacted.


In a new twist on the usual news coverage of these incidents, a local television affiliate obtained a screenshot of the actual ransom note from the attackers as it was displayed on a computer screen. The note includes a bitcoin demand of $6,800 per unit, or $51,000 to unlock the entire system. The attack reportedly resembles the "MSIL" or "Samas" (SAMSAM) ransomware strain.


The city is getting help from the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft to investigate and repair their systems.


According to a recent cybersecurity research paper published by Princeton, NYU, and Google, 19,750 individuals made ransomware payments over the past two years.


This year, the evolving threat of SamSam ransomware represents a growing area of concern. The Colorado transportation department is still trying to recover from a major attack in February. And in January, a hospital and healthcare software provider were among the victims of SamSam attacks.


Hancock Health ransomware attack


In early January, Hancock Health was hit with an attack involving a different variant of the SamSam ransomware.


The first sign that an attack was underway occurred when hospital employees noticed that computers were running slowly. Shortly afterward, a message flashed on a computer screen stating that the hospital was being ransomed.


The ransomware locked critical files, including patient medical records. More than 1,400 files were locked, with the name of each file changed to “I’m sorry.” The attackers told the hospital it had seven days to pay or the files would be locked permanently, because the only key that could decrypt them would be destroyed.


During the attack, medical staff used pen and paper to keep track of patient medical records.


The locked files had previously been backed up and, in theory, a full recovery could have been made from the files. However, there was no mechanism to easily restore systems from the backups, so the recovery could have taken days or weeks. This delay would have disrupted service for patients while costing the hospital a substantial amount.


The attackers demanded four bitcoins in exchange for access to the locked files. At the time of the ransom payment, four bitcoins were worth approximately $55,000.


“These folks have an interesting business model. They make it just easy enough (to pay the ransom),” Hancock Health CEO Steve Long said. “They price it right.” The hospital further stated that they have cyber insurance coverage for incidents such as this ransomware attack.


Hospital leaders paid the ransom around 2 a.m. on a Saturday. Then they waited. About two hours later the hackers released the files. Within a day, the hospital systems were running normally again.


During the investigation into the incident, it was discovered that the attackers gained access through a hospital administrative portal that could be reached remotely. The attacker had logged in with the username and password of one of the hospital's vendors.


Public company Allscripts ransomware locks customers out of their software


Just days after the Hancock Hospital incident, an unrelated variant of the SamSam ransomware attacked Allscripts, the Chicago-based public company that provides healthcare software for tens of thousands of hospitals and medical practices.


The attack brought down large parts of Allscripts' systems, with particular impact on their EHR and electronic prescription systems.


As soon as Allscripts detected the intrusion, they locked down their IT systems and removed login access. They brought in security teams from their vendors Microsoft and Cisco and also retained leading cybersecurity investigative firm Mandiant to investigate the incident.


Fortunately for Allscripts, the backup systems were not affected by the ransomware and had been kept current through weekly full backups and nightly incremental backups, so it was possible to restore systems individually from the backups. While Allscripts was able to recover from the attack, it is facing a base of disgruntled customers and pending lawsuits over the time its system was unavailable.


How to protect your systems from ransomware attacks


Invest in creating a good backup system. Create an inventory of directories where important files are stored. Ensure they are backed up frequently. Make sure you have a way to restore those systems if the files are lost.
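The Hancock Health case above shows why a backup that exists but cannot be restored quickly is only half a control. The following script is an added example, not code from the original article or from any of the organizations it describes: it inventories a list of important directories, copies them to a backup location with a SHA-256 manifest, and then proves the restore path works by restoring into a fresh directory and checking every file against the manifest. The directory names, file contents and the "damage" applied to the live copies are all constructed sample data for the demonstration.

```python
"""Backup with an integrity manifest, plus a restore check (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(source: Path, important_dirs):
    """Map each file under the listed directories (relative path) to its SHA-256."""
    result = {}
    for d in important_dirs:
        for p in sorted((source / d).rglob("*")):
            if p.is_file():
                result[p.relative_to(source).as_posix()] = sha256_of(p)
    return result


def backup(source: Path, important_dirs, dest: Path):
    """Copy every inventoried file to dest and record the hashes in a manifest."""
    manifest = inventory(source, important_dirs)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(dest: Path, restore_to: Path):
    """Restore every file named in the manifest and return a list of problems.

    An empty list means the backup is complete and every restored file matches
    the hash recorded at backup time; a tampered or missing backup copy shows up
    here instead of being discovered during a real incident.
    """
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        src = dest / rel
        if not src.exists():
            problems.append((rel, "missing from backup"))
            continue
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_of(target) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Run the whole cycle on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        important = ["records", "billing"]          # constructed inventory of important directories
        samples = {                                 # constructed sample files
            "records/patient-1.txt": b"chart: sample patient one\n",
            "records/patient-2.txt": b"chart: sample patient two\n",
            "billing/invoices.csv": b"id,amount\n1,100\n",
            "scratch/tmp.log": b"not inventoried, so not backed up\n",
        }
        for rel, data in samples.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        backup_dir = tmp / "backup"
        manifest = backup(source, important, backup_dir)

        # Simulate damage to the live copies: one file overwritten and renamed, one deleted.
        damaged = source / "records/patient-1.txt"
        damaged.write_bytes(b"unreadable")
        damaged.rename(source / "records/I'm sorry")
        (source / "billing/invoices.csv").unlink()

        clean = restore_and_verify(backup_dir, tmp / "restore-1")

        # Now alter one backup copy to show the manifest catches a bad backup.
        (backup_dir / "records/patient-2.txt").write_bytes(b"altered")
        tampered = restore_and_verify(backup_dir, tmp / "restore-2")

        return {
            "files_backed_up": len(manifest),
            "restore_problems": clean,
            "tampered_backup_problems": tampered,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The restore check is the part worth scheduling: run it against the real backup location on a regular basis so that "we have backups" is a tested statement rather than an assumption, and keep the manifest somewhere the backed-up hosts cannot write to, otherwise whatever damages the live files can damage the evidence of what they should contain.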


Know who has access to internal networks and servers. Keep track of usernames and passwords that have administrative access and be ready to immediately revoke them when an employee or contractor departs. Train employees about the dangers of sharing passwords.
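The Hancock Health intrusion came through a vendor's credentials on a remotely reachable administrative portal, which is exactly the kind of account that a periodic review is meant to catch. The script below is an added example, not from the original article: it takes a constructed inventory of accounts with administrative access and flags the ones that should be revoked or re-approved (owner departed, dormant beyond a threshold, or a shared credential). The account records, the status and last-login fields and the 60-day dormancy threshold are assumptions for the demonstration, not values from the page.

```python
"""Periodic review of accounts with administrative access (added example)."""
from datetime import date

# Constructed inventory; in practice this would be exported from the identity
# system or the portal's own user list. Dates are ISO strings (YYYY-MM-DD).
ADMIN_ACCOUNTS = [
    {"user": "jdoe", "type": "employee", "status": "active",
     "last_login": "2018-03-20", "shared": False},
    {"user": "vendor-emr-support", "type": "contractor", "status": "active",
     "last_login": "2017-11-02", "shared": True},
    {"user": "ksmith", "type": "employee", "status": "terminated",
     "last_login": "2018-01-05", "shared": False},
    {"user": "portal-admin", "type": "service", "status": "active",
     "last_login": "2018-03-22", "shared": True},
]


def review_admin_access(accounts, today_iso, dormant_days=60):
    """Return (user, reason) findings for accounts needing action.

    Rules, in priority order:
      1. Owner no longer active (left or terminated): revoke immediately.
      2. No login for longer than dormant_days: revoke or have the owner re-approve.
      3. Credential shared by several people: replace with individual accounts,
         since a shared password cannot be tied to one person or revoked cleanly.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            findings.append((acct["user"], "revoke: account owner has departed"))
            continue  # nothing else matters once the account is gone
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((acct["user"], f"dormant for {idle} days: revoke or re-approve"))
        if acct["shared"]:
            findings.append((acct["user"], "shared credential: assign individual accounts"))
    return findings


if __name__ == "__main__":
    # Review date is constructed to match the article's time frame.
    for user, reason in review_admin_access(ADMIN_ACCOUNTS, "2018-03-23"):
        print(f"{user:22} {reason}")
```

Running this on an exported account list before each offboarding batch, and again on a fixed schedule, turns "be ready to revoke access" into a concrete list of accounts to act on; the shared-credential rule is the one that would have surfaced the vendor login in the Hancock case.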


Upgrade to the latest versions of operating systems on all computers. Don't trust antivirus software to protect your old PC from a ransomware attack if it’s running an outdated version of Microsoft Windows.