SamSam ransomware: Labcorp's systems infected via brute force attack

by Lucia Danes - - 2018-07-24

SamSam ransomware attacked LabCorp clinical testing company

SamSam ransomware attacks LabCorp LabCorp has been attacked by SamSam ransomware which resulted in more than 7 thousand encrypted systems.

LabCorp is one of the most prominent medical testing laboratories which was recently hit by SamSam ransomware^[1]. The diagnostics company reported suspicious activity on their network on July 14 and were forced to shut down some of their systems. According to the investigation, the ransomware attack started at midnight on July 13.

IT specialists at LabCorp had taken action immediately. As a result, it successfully helped to avoid further damage. Yet, SamSam ransomware managed to encrypt several hundred servers and thousands of systems. Nevertheless, the company claims that they are at 90 percent operational capacity as the recovery procedure has started^[2].

The activity was subsequently determined to be a new variant of ransomware. LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results.

Ransomware used brute force attack on RDP to access LabCorp's network

LabCorp's experts have confirmed that hackers used brute force against company's Remote Desktop Protocol (RDP) to infiltrate the systems with SamSam ransomware^[3]. Only Windows computers were affected by the file-encrypting virus. Fortunately, none of the information left the medical diagnostics company's network.

Despite that, SamSam ransomware attack analysis revealed that approximately 7 thousand systems and more than 1.9 thousand servers were affected. More detailed investigation allowed the researchers to state that 3.5 hundred of those were production servers^[4].

As a response to the attack, LabCorp is considering to apply two-factor authentication in the future or substantially limit the access to RDP. Even though RDP was not commonly used during previous SamSam ransomware attacks, this medical testing lab is the second victim after Hancock Health.

Quick response to SamSam infection helped to avoid further damage

Security experts note that IT specialists at LabCorp had responded to the attack quickly. They have managed to stop the spread and neutralize SamSam ransomware within 50 minutes. Likewise, the company protected its servers from more time-consuming and costly consequences.

Additionally, since LabCorp has taken precautionary measures in case of ransomware attack, they have stored backup copies of all the necessary information. This must significantly help during the recovery procedure and avoid financial losses.

Note that medical institutions are highly targeted by file-encrypting viruses as they can be successfully exploited for financial benefit. Pierson Clair, the senior director at Kroll, comments the following on the incident^[5]:

The healthcare industry is seen by attackers as an enticing target and ransomware is a low-risk, high-reward tool <…>

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions

References

^ Julie Splinters. SamSam ransomware virus. How to remove? (Uninstall guide). 2Spyware. Security and Spyware News.
^ Filip Truta. US clinical lab recovers within 50 minutes of getting hit by SamSam ransomware. HOTforSecurity. The blog on the sizzling world of computer security.
^ Steve Ragan. Samsam infected thousands of LabCorp systems via brute force RDP. CSO. Security news, features and analysis.
^ Jessica Davis. LabCorp still recovering from ransomware, won't say if it's SamSam. Healthcare IT News. Latest reports.
^ Marianne Kolbasuk McGee. LabCorp Still Recovering From Ransomware Attack. BankInfoSecurity. Bank information security news, training, education.