
Maryland hospital hacked with ransomware, FBI suspects inside job

The ransomware exploited MedStar servers, quickly infecting data at Union Memorial as well as several other Maryland hospitals. The Samsam software, also known as MSIL or Samas, exploits the JBoss application and other Java-based applications through the open-source server testing tool JexBoss. The JBoss Management Console (JMX) vulnerabilities exploited by the ransomware, however, have been known for more than a year now.

The FBI issued an urgent call (a “Flash” advisory) to all businesses and software security companies, asking for emergency assistance during its investigation. The agency explained that this ransomware's behavior is especially alarming because, rather than encrypting one computer's data at a time as usual, it infects data on entire networks, paving the way for a potential national cyber emergency.

Ransomware is a type of malware that locks down a user’s content within a database by encrypting all files. Victims cannot open any document, file or picture, and have no access to their own hard drives. The only way to get the computer's content back is with a decoding tool, which must be obtained by paying a “ransom.” The malware itself contains a text file with instructions for the ransom payment, usually involving a visit to a Tor gateway where the user can pay in bitcoins. It’s quite similar to a real-life ransom, where the victim “drops” his money in a safe, anonymous place to get back what was stolen from him.

Hospitals are the perfect target for this type of digital extortion, as they depend on up-to-date information from patient records to provide life-saving health care. Because even the smallest delay in treatment may cost a patient’s life (and lead to consequent lawsuits), hospital administrations usually choose to pay a ransom rather than take the risk. In February, Hollywood Presbyterian Medical Center in Los Angeles was attacked by the Locky ransomware and ended up paying $17,000 to the extortionists instead of waiting for its technicians to fix the problem.

The group of hackers that infected MedStar asked for a payment of 3 Bitcoins (about $1,250) to release the digital key required to unlock a single computer. To release the entire data system, however, they requested a payment of 45 Bitcoins, or $18,500, for all the keys. Ann Nickels, a MedStar spokeswoman, explained that the company's own IT specialists are “working around the clock” to restore the system.
