On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.
Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.
“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”
Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.
“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”
Warnings About Samas and JBoss
Everything could have been avoided with a simple patch to update vulnerabilities found in a JBoss application server, according to the Associated Press. MedStar refuted the AP’s assertions that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.
The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.
As Reuters reported, “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”
A Decade of Ransomware
Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.
“It’s likely,” the agent said, “that this will be the decade of ransomware.”
So far in 2016, the healthcare sector has been a major focus of that trend.
“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”
Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.
“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”
He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”
Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:
About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted their operations and put them front in center in the fight against cybercrime.
On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.