
MedStar says it is recovering from suspected ransomware attack

US hospital group MedStar says it is restoring its IT systems after reportedly being hit by a stealthy new strain of server-targeted ransomware

US hospital group MedStar Health has announced that it is recovering from a malware attack, but has still not confirmed it is among the latest healthcare organisations to be hit by ransomware.

The healthcare group, which runs 10 hospitals in Washington DC and Maryland, initially said its IT systems had been “affected by a virus” and that it had shut them all down to stop the virus spreading.

A subsequent statement said that within 48 hours of the malware attack, the group was “moving to full restoration” of its three main clinical information systems supporting patient care.

The group also said that “enhanced functionality continues to be added to other systems” and reiterated that no patient or associate data had been compromised.

MedStar has still not provided details of the malware involved, but, according to the Baltimore Sun, the group was hit by Samas, a new stealthy strain of ransomware that is aimed at servers.

Like other forms of ransomware, Samas – also known as Samsam and MSIL.B/C – encrypts data and will decrypt it only on payment of a ransom in the difficult-to-trace cryptocurrency bitcoin.


How it works

The ransomware does not rely on user-focused attack vectors such as phishing emails. Instead, it is distributed by compromising servers, using them to move laterally through networks to encrypt and hold multiple data sets to ransom.

Samas compromises the servers by exploiting known vulnerabilities in unpatched versions of the JBoss application server software, with vulnerable hosts identified using the open-source JexBoss network-scanning tool.

It then encrypts hundreds of different file types with the Rijndael (AES) algorithm and applies RSA-2048 encryption to the key, making the files unrecoverable, according to a blog post by Cisco Talos security researcher Nick Biasini.
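The passage above describes the encryption stage: once Samas has a foothold, it bulk-rewrites files as ciphertext. The detection heuristic below is an added example, not code from the article or from any of the vendors it quotes. It relies on the one property that stage cannot hide: encrypted output has near-maximum byte entropy, so a host whose recent writes are overwhelmingly high-entropy deserves an alert. The host names, paths, thresholds and file-write events are all constructed for the example.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileWrite:
    """One file-write event as a file-server audit log or EDR sensor might report it."""
    host: str
    path: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: AES output is indistinguishable from random, so entropy sits near 8 bits/byte.
    Compressed archives and media also score high; that is the known false-positive class."""
    return shannon_entropy(data) >= threshold


def detect_mass_encryption(events, min_files: int = 5, min_ratio: float = 0.8) -> dict:
    """Flag hosts where at least min_files writes were seen and at least min_ratio of them
    look encrypted. Returns {host: ratio_of_encrypted_writes}."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev.host].append(looks_encrypted(ev.data))
    flagged = {}
    for host, flags in per_host.items():
        if len(flags) >= min_files:
            ratio = sum(flags) / len(flags)
            if ratio >= min_ratio:
                flagged[host] = round(ratio, 2)
    return flagged


# Constructed sample telemetry (assumed host names and paths, not from the article).
_rng = random.Random(2016)  # seeded so the sample is reproducible


def _random_blob(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes from the seeded generator."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAIN_DOC = b"Patient visit summary. Follow-up in two weeks. " * 60

SAMPLE_EVENTS = (
    # fileserver01: eight records rewritten as ciphertext, one plain-text note
    [FileWrite("fileserver01", f"/shares/records/{i}.docx", _random_blob(4096)) for i in range(8)]
    + [FileWrite("fileserver01", "/shares/records/notes.txt", PLAIN_DOC)]
    # workstation07: ordinary document edits only
    + [FileWrite("workstation07", f"/home/user/report{i}.txt", PLAIN_DOC) for i in range(6)]
)


def run_sample() -> dict:
    """Run the detector over the constructed events; only fileserver01 should be flagged."""
    return detect_mass_encryption(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, ratio in run_sample().items():
        print(f"ALERT {host}: {ratio:.0%} of recent writes look encrypted")
```

In production the events would come from file-server audit logs or endpoint write telemetry, and `min_files` and `min_ratio` should be tuned against a baseline, because backup jobs and archive creation legitimately produce bursts of high-entropy writes. The point of keying on entropy rather than on file names is that it catches server-side encryption of the kind described here regardless of which extension or ransom note the strain uses.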

Another hallmark of the Samas ransomware is that it offers a bulk discount. According to the Baltimore Sun, the cyber criminals behind the MedStar attack have asked for three bitcoins (equivalent to $1,250) to decrypt one computer, or 45 bitcoins ($18,500) to unlock them all.

FBI gets involved

The FBI has issued an alert about Samas, and appealed to businesses and software security experts for emergency help in its investigation of the powerful strain of ransomware.

The FBI alert provided a list of technical indicators to help companies determine if they were victims of Samas and to enable network defence activities to reduce the risk of similar attacks in future.

Federal agencies have alerted the Department of Homeland Security to 321 possible malware infections across 29 agencies with the potential to hold government networks hostage, reports Nextgov.

In all cases, the ransomware infections were neutralised by removing the affected end-user workstations from the agency networks and not by paying the cyber criminals behind the attacks.

To limit the success of this increasingly popular cyber extortion method, security industry representatives have advised against paying ransoms.

Ransom attraction

But many organisations are believed to be paying up after weighing the cost of losing or recovering data against the ransom.

The Hollywood Presbyterian Medical Center was criticised by some for caving in to ransomware demands by paying 40 bitcoins ($17,000) to regain control of its computer systems after 10 days.

Paying the ransom was the “quickest and most efficient way” of regaining access to the affected systems, hospital chief executive Allen Stefanek said in a statement.

As concerns over ransomware escalate, a survey revealed that only 38% of security professionals are confident their organisation would be able to recover from a ransomware attack.

Nearly three-quarters of those polled at RSA Conference 2016 by security firm Tripwire said critical infrastructure providers are more vulnerable to ransomware attacks than other organisations.

More than half said they are not confident their executives could spot a phishing scam, while 58% said their company had seen an increase in spear phishing in the past 12 months.

Backup confidence

“The decision to pay a ransom comes down to the confidence and financial cost of recreating or restoring data from a previous backup,” said Travis Smith, senior security researcher for Tripwire.

“Since most ransomware samples we have seen have a time limit to pay, it’s important to have confidence that you can restore the majority of data on short notice. Organisations should focus on improving backup and restoration procedures to reduce the cost of restoring data and services after a potential breach.” 
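Smith's point about confidence in restoration can be made concrete as a repeatable drill. The script below is an added example, not code from Tripwire or the article. It takes a SHA-256 manifest of a file share at backup time, backs the share up to a tar archive, simulates the damage an encrypting intrusion leaves behind (contents overwritten, a file renamed), and then proves the restore by checking the restored tree against the manifest. The directory layout, file contents and archive name are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a tree with the manifest taken at backup time."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    corrupt = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def backup_to_tar(root: Path, archive: Path) -> None:
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(root), arcname=".")


def restore_from_tar(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    # The "data" filter (Python 3.12+, backported to recent 3.8-3.11) refuses entries that
    # would escape dest; fall back to a plain extract on interpreters without it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(dest), **kwargs)


def run_restore_drill() -> dict:
    """Build a constructed share, back it up, damage it, restore it, verify both states."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, archive, restored = tmp / "live", tmp / "backup.tgz", tmp / "restored"
        (live / "records").mkdir(parents=True)
        (live / "records" / "visit1.txt").write_bytes(b"Patient visit summary, constructed sample.\n")
        (live / "records" / "visit2.txt").write_bytes(b"Second constructed record.\n")
        (live / "readme.txt").write_bytes(b"Constructed file share.\n")

        # Manifest is taken at backup time and should be stored away from the share itself.
        manifest = build_manifest(live)
        backup_to_tar(live, archive)

        # Simulate the damage: one file's contents replaced, one file renamed.
        (live / "records" / "visit1.txt").write_bytes(os.urandom(64))
        (live / "readme.txt").rename(live / "readme.txt.encrypted")
        after_attack = verify_against_manifest(live, manifest)

        restore_from_tar(archive, restored)
        after_restore = verify_against_manifest(restored, manifest)
        return {"after_attack": after_attack, "after_restore": after_restore}


if __name__ == "__main__":
    result = run_restore_drill()
    print("live share after damage:", result["after_attack"])
    print("restored copy:          ", result["after_restore"])
```

The drill only proves anything if the archive and the manifest live somewhere the compromised servers cannot write to; a backup that sits on the same share, reachable with the same credentials, is encrypted along with everything else. Running the verification step on a schedule, rather than for the first time during an incident, is what turns "we have backups" into the confidence Smith describes.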
