Allied Physicians, a 40-physician practice in South Bend, Indiana, was attacked by a particular strain of ransomware called SamSam. Allied Physicians discovered the ransomware on May 17 and shut down its network. By May 26, the network was restored. Nine days without computer capabilities is a significant disruption.
Whether patient information was exfiltrated is yet to be determined as the investigation continues.
Unlike Hancock Health of Greenfield, Indiana, who unabashedly disclosed that they paid the ransom, Allied Physicians declined to comment whether they paid the ransom. The FBI discourages paying these ransoms.
SamSam has already attacked other hospitals and is most known for its use in an attack on Allscripts.
SamSam does not infiltrate via a phishing e-mail; rather, it penetrates a server by brute force attack. Once in, files are rendered inaccessible with RSA-2048 bit encryption. Eagle recommends the following preventative measures to protect against SamSam:
- Use strong passwords, at least 10 characters, for servers and other critical assets
- Consider use of 2-factor authentication for critical assets
- Configure server accounts to lock after 10 incorrect password attempts
- Limit access to administrative accounts, and ensure that support staff use a non-privileged account except when necessary
If you suspect you are the victim of ransomware or other malicious software, Eagle offers incident response services.
