The number of SamSam ransomware attacks on government and healthcare organizations has increased in recent months. These incidents prompted the Department of Health and Human Services' Healthcare Cybersecurity and Communications Integration Center (HCCIC) to publish a report on the SamSam attacks. The report includes practical advice on how to detect and block SamSam ransomware attacks.
The attackers have exploited vulnerabilities in internet-facing services such as SMBv1, JBoss application servers and RDP. Organizations should therefore run regular vulnerability scans, keep patching current, and enforce strong password policies. The HCCIC's advice for avoiding SamSam ransomware attacks is summarized below:
- Identify risks to ePHI by conducting an organization-wide risk analysis and implementing security controls to address those risks, as required by the HIPAA Security Rule
- Train end users to recognize malicious software
- Strictly enforce procedures that prevent the installation of malicious software, and deploy software that can detect an attack in progress quickly enough to stop the infection from spreading
- Back up all data regularly using the 3-2-1 approach: three copies of the data on two different media, with one copy stored securely off site. Keep at least one copy offline or otherwise unreachable from the production network, since ransomware that can reach a mapped backup share will encrypt it too
- Have contingency plans ready to limit the disruption to operations during a cyberattack
- Establish procedures for responding to security incidents, including procedures specific to ransomware attacks
- Conduct penetration tests at least once a year to identify and address system weaknesses
- Employ rate limiting, such as account lockout after repeated failed logons, to stop brute-force attacks
- Limit the number of users allowed to log in over remote desktop, and keep RDP behind a firewall rather than exposed directly to the internet; require a VPN or an RDP gateway for remote access
- Require two-factor authentication for RDP
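Two of the items above, detecting an attack in progress and rate limiting against brute-force logons, rest on the same threshold logic. The following is an added example, not code from the HCCIC report or the original article: a sliding-window detector that flags a source IP once it produces N failed RDP logons (Windows Security Event ID 4625, logon type 10) within a window, and escalates the finding if a successful logon (Event ID 4624) then follows from the same source, which is the usual footprint of password guessing against an exposed RDP endpoint. The CSV-style event format and the event lines themselves are constructed for the example; a real deployment would read the Security event log or a SIEM export instead.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Windows Security log event IDs and the logon type recorded for RDP sessions.
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP session logon

# Constructed sample events (not real logs). Columns:
# timestamp, EventID, LogonType, TargetUserName, IpAddress
# 203.0.113.7 sprays several accounts and finally gets in as "backup";
# 198.51.100.20 is a user who mistypes a password twice; 192.0.2.5 is a
# network (type 3) failure that an RDP-only detector should ignore.
SAMPLE_EVENTS = """\
2018-06-01T02:00:01Z,4625,10,administrator,203.0.113.7
2018-06-01T02:00:03Z,4625,10,admin,203.0.113.7
2018-06-01T02:00:04Z,4625,10,backup,203.0.113.7
2018-06-01T02:00:06Z,4625,10,administrator,203.0.113.7
2018-06-01T02:00:08Z,4625,10,scanner,203.0.113.7
2018-06-01T02:00:09Z,4625,3,svc_sql,192.0.2.5
2018-06-01T02:00:11Z,4625,10,backup,203.0.113.7
2018-06-01T02:00:30Z,4625,10,jsmith,198.51.100.20
2018-06-01T02:00:45Z,4625,10,jsmith,198.51.100.20
2018-06-01T02:00:59Z,4624,10,jsmith,198.51.100.20
2018-06-01T02:01:20Z,4624,10,backup,203.0.113.7
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


@dataclass
class Finding:
    source_ip: str
    first_seen: datetime
    failures: int
    users: set = field(default_factory=set)
    success_user: Optional[str] = None  # account that logged in after the threshold was hit

    @property
    def severity(self) -> str:
        # A success right after a burst of failures means the guessing likely worked.
        return "critical" if self.success_user else "high"


def parse_events(text: str) -> list:
    """Parse the simplified CSV form above into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            int(event_id), int(logon_type), user, ip))
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300,
                          logon_types=(LOGON_TYPE_REMOTE_INTERACTIVE,)):
    """Flag each source IP that produces `threshold` failed logons of the given
    types within any `window_seconds` span, and record a later success from it."""
    recent = defaultdict(deque)    # source_ip -> failure timestamps still inside the window
    total_failed = defaultdict(int)
    tried_users = defaultdict(set)
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type not in logon_types:
            continue
        q = recent[ev.source_ip]
        while q and (ev.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if ev.event_id == EVENT_LOGON_FAILED:
            q.append(ev.ts)
            total_failed[ev.source_ip] += 1
            tried_users[ev.source_ip].add(ev.user)
            if len(q) >= threshold:
                f = findings.get(ev.source_ip)
                if f is None:
                    f = Finding(ev.source_ip, q[0], 0)
                    findings[ev.source_ip] = f
                f.failures = total_failed[ev.source_ip]
                f.users = set(tried_users[ev.source_ip])
        elif ev.event_id == EVENT_LOGON_SUCCESS:
            f = findings.get(ev.source_ip)
            if f is not None and f.success_user is None:
                f.success_user = ev.user
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{f.severity}: {ip} failed {f.failures} RDP logons since "
              f"{f.first_seen:%H:%M:%S} against {sorted(f.users)}; "
              f"success as {f.success_user!r}")
```

The same counter, wired to a firewall block or an account lockout instead of an alert, is the rate limiting the report recommends. One caveat when tuning it against real logs: with Network Level Authentication enabled, failed RDP attempts are recorded with logon type 3 rather than 10, so pass `logon_types=(10, 3)` in that case and expect the extra noise of SMB and other network logon failures.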
Paying the ransom carries risk. There is no guarantee that the attackers will do what they promise: they may never send the decryption keys, or they may send keys that do not work. Tested backup and recovery plans let an organization restore operations without paying the ransom at all.