The hackers behind the notorious SamSam ransomware variant have made more than $8 million from their victims since 2015, and with major new victims during the last few weeks, healthcare organisations are being urged to fix vulnerabilities now.

With an estimated one new victim each day, a recent report from cybersecurity firm Sophos found that about 25 per cent of victims paid at least some of the ransom to retrieve data.

Hackers have also steadily increased ransom demands since the attacks began to spike in January.

Researchers analysed data from the attacks, spoke to victims, mined private and public SamSam samples, and worked with cryptocurrency monitoring and blockchain firm Neutrino to track down the transactions.

About 75 per cent of SamSam’s victims were in the US and 26 per cent of those were in the healthcare industry. The government and education sectors had fewer victims combined.

According to the research, 223 of the victims made ransom payments, contravening the advice of the FBI and security experts.

SamSam is not a new virus but attacks have exponentially increased throughout 2018.

Hackers breached two of Allscripts’ North Carolina data centres in January and the platform did not return to normal operations for more than a week.

The ransomware then took down the Atlanta government for several days, and two Indiana-based providers, Hancock Health and Adams Memorial, fell victim. Hancock Health admitted to paying the ransom to regain its data.

These attacks got the attention of the US government and the Department of Health and Human Services issued an alert in April warning the sector that hackers had already claimed 10 organisations in three months.

In May, Indiana's Allied Physicians of Michiana fell victim, while Cass Regional Medical Centre and medical testing giant LabCorp were hacked in July. Both faced network interruptions lasting about a week.

The research across sectors shows that all organisations are potential victims, regardless of size or business-type.

Hospitals that fail to monitor an abnormal number of login attempts are highly vulnerable, as are those that use weak or reused passwords or fail to limit admin credentials.

SamSam is relatively straightforward and uses different methods to get into a system. It is spread through the web, Java apps and other web-based apps. While the virus can be stopped if detected before it gets into the system, once it has breached a network it spreads without malicious emails.

Hackers scan the internet to find open remote desktop protocol (RDP) connections or JBoss servers, then either brute-force these endpoints or exploit access or password vulnerabilities on them.

The researchers claim hackers are not looking to access data, with the virus designed to spread to other computers and devices throughout networks in order to demand ransom payments.

HHS recommends restricting access behind firewalls and using two-factor authentication. Organisations need to limit who has access to RDP and use an account lockout policy, the key method for stopping brute-force attacks.
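One way to monitor for the abnormal number of login attempts described above, as an added example that is not from the original article, Sophos or HHS: a sliding-window count of failed logons per source address that also flags a successful logon following the burst. The log lines are constructed, and the record layout, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp,event_id,source_ip,account
# (4625 = failed logon, 4624 = successful logon in the Windows Security log).
SAMPLE_LOG = """\
2018-08-01T02:14:01,4625,203.0.113.7,administrator
2018-08-01T02:14:09,4625,203.0.113.7,administrator
2018-08-01T02:14:17,4625,203.0.113.7,admin
2018-08-01T02:14:26,4625,203.0.113.7,backup
2018-08-01T02:14:33,4625,203.0.113.7,backup
2018-08-01T02:14:41,4624,203.0.113.7,backup
2018-08-01T08:30:12,4625,198.51.100.20,jsmith
2018-08-01T08:30:40,4624,198.51.100.20,jsmith
2018-08-01T09:00:00,4625,192.0.2.55,reception
2018-08-01T11:00:00,4625,192.0.2.55,reception
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, event_id, ip, account = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), ip, account

def find_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logons inside a sliding window.

    Assumes records are in time order (hypothetical layout, see SAMPLE_LOG).
    Returns {source_ip: {"accounts": set, "compromised": account or None}};
    "compromised" is set when a successful logon follows the burst.
    """
    failures = defaultdict(deque)   # source_ip -> (time, account) of recent failures
    alerts = {}
    for ts, event_id, ip, account in parse(log):
        if event_id == 4625:
            q = failures[ip]
            q.append((ts, account))
            while ts - q[0][0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"accounts": set(), "compromised": None})
                alert["accounts"].update(a for _, a in q)
        elif event_id == 4624 and ip in alerts and alerts[ip]["compromised"] is None:
            alerts[ip]["compromised"] = account
    return alerts

if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_LOG).items():
        print(ip, sorted(alert["accounts"]), "success after burst:", alert["compromised"])
```

A user who mistypes a password once and then logs in, and a source whose failures are hours apart, stay below the threshold and raise no alert.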

With RDP backdoors being sold for just $10 on the dark web and thousands of these ports added to the marketplace daily, these attacks won’t stop until healthcare locks down all its endpoints.

Originally published on the US edition of Healthcare IT News.
