In February, Southern California-based Hollywood Presbyterian Medical Center was hit with a ransomware attack. The hospital reportedly paid $17,000 to a hacker to restore its system. Not long after, on March 28, MedStar Health, one of the largest medical service providers in the U.S. capital region, was similarly crippled by a virus.
The attacks on the two medical institutions raised some eyebrows among cybersecurity experts because the ransomware used in both cases acted a bit differently than its predecessors.
By March, the new strain of ransomware had a name: Samas (also sometimes called Samsam). Information about Samas has been of particular interest to cybersecurity personnel, who think it could be the start of something new with potentially huge security consequences. The FBI even issued an advisory in March asking business and IT security experts to help it track Samas down.
The biggest concern? This strain appeared to work, at least partially, without human intervention.
Rise of the Cryptoworm?
In April, Cisco Talos released a report examining Samas, which is now believed to have been responsible for the two hospital attacks.
According to Cisco Talos, Samas targets unpatched server vulnerabilities and is a "close cousin" to computer worms like Conficker and SQL Slammer, which wreaked havoc on IT systems in the late 1990s. Worms have the unique ability to penetrate an operating system, spread malicious code and infect a network, all without any help from humans.
According to security researchers at Cisco Talos, Samas is a sign of things to come.
"The age of self-propagating ransomware, or cryptoworms, is right around the corner," Cisco's report said.
"Cryptoworms are certainly a rising threat," agreed Greg Pierce, cloud officer at Concerto Cloud Services. "They are, effectively, the next automation of ransomware. Up until now, ransomware has been specific and targeted. This would push to a scenario where known exploits could be exploited to spread ransomware en masse."
"Cryptoworms are a growing threat and much more dangerous forms of ransomware because human interaction is not required," said Adam Levin, chairman and founder of IDT911.
The Samas bug works by using a JBoss application server vulnerability to gain access to a network. That’s concerning because JBoss is used by many large U.S. enterprises. Once hackers gain access to a network, they can implant a tool to steal credentials and spread throughout a system or network. While Samas itself is not entirely self-sufficient, it "does exhibit some of the behaviors of a successful worm—rapid propagation, payload delivery (ransomware) and crippling recovery efforts," the Cisco Talos team said in its report.
Security experts believe Samas will soon be used as a base to build even better worms that could eventually replicate without human intervention.
Prevention as the best medicine
Self-propagating ransomware could be a nightmare for companies already dealing with these rising ransomware threats.
"The worms are programmed to spread malware automatically," said Levin. "As we have seen with recently reported cyberattacks on hospitals and law firms, ransomware attacks target sectors that collect and store treasure troves of confidential data and intellectual property."
For companies, the only way to effectively neutralize the threat is to ensure they have up-to-date backups and a flawless backup restoration protocol. Companies must also test those backup and restoration measures for all customers, Pierce suggested.
"They should be tested at least annually," he said.
"To combat this rising threat, businesses must maintain robust, updated and secure backup systems, constantly monitor looking for data exfiltration, (conduct frequent) penetration tests and patch any vulnerabilities as quickly as they are discovered," said Levin.
Pierce also suggested companies block outbound access to TOR and I2P (the dark web), where most ransomware downloads its payload.
Beyond that, ongoing, continuous end user education is a must, both Pierce and Levin agreed.
"Invest in comprehensive employee training on proper privacy and security protocols—focusing on anti-phishing and social engineering sensitivity training—and carefully read the fine print in third party vendor contracts," said Levin.
Finally, Levin suggested companies demand that their vendors meet "as good, if not better" security standards as they require, along with instant notification when the vendor is breached.