Cybercriminals Target Hospitals with SamSam Ransomware Attacks

Monday, August 27, 2018

Cybercriminals increased their SamSam (aka SAMSA) ransomware attacks against the healthcare sector in the first quarter of 2018, with numerous cases reported of hospitals paying the ransom to regain access to their systems, according to McAfee Labs Threats Report: June 2018.

Earlier in the year, HHS warned about an increase in SamSam ransomware attacks targeting healthcare and government organizations.

The SamSam ransomware seeks out insecure remote desktop protocol (RDP) connections as well as vulnerable JBoss systems to carry out its infections.

Healthcare saw a 47 percent jump in cyberattacks in the first quarter of 2018 compared with the fourth quarter of 2018, according to McAfee Labs.

Healthcare was the most targeted sector in terms of the number of breaches in the 2017-2018 period, followed by the public sector and education.

In addition, the GandCrab ransomware infected around 50,000 systems in the first three weeks of the quarter, supplanting Locky ransomware as the quarter’s ransomware leader. GandCrab asks for ransom payments in Dash cryptocurrency rather than Bitcoin.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said McAfee CTO Steve Grobman.

“In recent quarters we have seen a shift to ransomware from data-theft, as ransomware is a more efficient crime,” he continued. “With the rise in value of cryptocurrencies, the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

In the first quarter, Operation GhostSecret, which is believed to be backed by the international crime group Hidden Cobra, targeted the healthcare, finance, entertainment, and telecommunications sectors.

The campaign employs implants to steal data from infected systems and can evade detection and throw forensic investigators off its trail.

The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants. It also uses parts of the Destover malware, which was employed in the 2014 Sony Pictures attack, and Proxysvc, a previously undocumented implant that has operated undetected since mid-2017, according to McAfee Labs.

Using a phishing email with a malicious Word document, the campaign introduces the Bankshot implant, embedded in a Flash file that executes when the victim opens the document. This version of the Bankshot implant gives the attackers remote access to systems and enables them to wipe files and content to remove all traces of their activity.

Bankshot has reconnaissance capabilities that range from forwarding a list of files in a directory to the command and control server to gathering domain and account names for all running processes. In addition, Bankshot can create a process by impersonating a logged-on user, overwrite files with zeros and mark them for deletion on reboot, or terminate processes outright.

Cybercriminals are also extending their operations in cryptojacking and other cryptocurrency mining schemes, in which perpetrators hijack victims’ browsers or infect their systems to secretly mine cryptocurrencies such as Bitcoin, said McAfee.

This category of coin miner malware grew 629 percent in the first quarter of 2018, rocketing from around 400,000 total known samples in the fourth quarter of 2017 to more than 2.9 million in the first quarter of 2018. This suggests that cybercriminals are finding it profitable to infect users’ systems and collect payments without having to rely on third parties to monetize their crimes.

The Lazarus cybercrime ring has launched the HaoBao Bitcoin-stealing phishing campaign, which targets global financial organizations and Bitcoin users. When recipients open the malicious email attachments, an implant scans for Bitcoin activity and establishes persistence for ongoing data gathering and cryptomining.

In January, McAfee reported an attack targeting organizations involved in the Winter Olympics in South Korea. The attack was executed using a malicious Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server.

Dubbed Gold Dragon, the fileless implant encrypted stolen data, sent the data to the attackers’ command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evade them.

“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” said McAfee Chief Scientist Raj Samani.

“Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetize their criminal activity.”

HealthITSecurity 6.27.2018