Since the early days of 2016, Iranian hackers have led a ransomware campaign, SamSam, that has impacted over 200 victims in the United States. The attack has collected more than $6 million in extortion payments and caused more than $30 million in losses. By targeting multiple health-care networks, some including prominent cardiovascular hospitals, it is evident that the hackers were not only out there to make money, but to cause physical harm to patients in need. If these hackers were successful in shutting down all critical health-care related technology and facilities across the country, how would this have affected our population, and more importantly, faith in science and medicine?
WHAT IS RANSOMWARE
As a reminder, ransomware is a form of malware that invades your files and locks them until the requested “bail” is paid, typically in bitcoin. The ransom for many of the municipalities infected was set at $50,000. Supposedly, if you pay, you get your data back, that is, decrypted.
The SamSam ransomware is unusual because it allows hackers to navigate a targeted network stealthily, unlike most malware, which is largely visible and easily detected. This is how cybercriminals were able to roam at will through a supposedly secured hospital network, shutting down the systems that doctors rely on to help their patients. It is also developed privately and updated frequently in order to evade antivirus detection.
Only seven states managed to escape the attack completely, leaving 43 others looking to remediate the problem. SamSam compromised transportation and health-care networks. This includes LabCorp, one of the largest diagnostic companies, which processes more than 2.5 million tests per week! Medical professionals were not able to access patient results for more than a week before things returned to normal. What if a patient was in dire need of help and the doctor was relying on test results to prescribe the correct medicine? Even though it was “only” one week, the point is that this shouldn’t have occurred in the first place. It is no longer solely about financial gain. Foreign hackers may soon have the power to undermine the medical system and affect whole populations. This is a serious consequence of cyber-crime that has not yet been thoroughly explored.
WHO OWNS THIS DATA
SamSam attackers just come in and take what they want. It is almost like a big criminal kicking the front door in because the door is not strong enough to withstand a kick. The ransomware targets known vulnerabilities and gets onto servers through brute-force attacks, which keep guessing passwords until they hit the right combination of numbers, letters and symbols. This is why every password across the enterprise needs to be strong and every known vulnerability patched.
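The brute-force entry vector described above leaves a trail in authentication logs that defenders can watch for. The Python below is an added example, not code from the article or from any SamSam analysis: it scans constructed sshd log lines for a burst of failed logins from one source and raises a second, more serious alert when a success follows that burst. The hostname, usernames, addresses, year and thresholds are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (not from the article): host, users and the
# documentation-range addresses are made up.
SAMPLE_LOG = """\
Jan 10 03:12:01 fileserver sshd[2201]: Failed password for admin from 203.0.113.5 port 4412 ssh2
Jan 10 03:12:03 fileserver sshd[2201]: Failed password for admin from 203.0.113.5 port 4413 ssh2
Jan 10 03:12:05 fileserver sshd[2201]: Failed password for admin from 203.0.113.5 port 4414 ssh2
Jan 10 03:12:08 fileserver sshd[2201]: Failed password for admin from 203.0.113.5 port 4415 ssh2
Jan 10 03:12:10 fileserver sshd[2201]: Failed password for admin from 203.0.113.5 port 4416 ssh2
Jan 10 03:12:14 fileserver sshd[2201]: Accepted password for admin from 203.0.113.5 port 4417 ssh2
Jan 10 03:40:00 fileserver sshd[2305]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jan 10 04:15:00 fileserver sshd[2310]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2018):  # syslog lines carry no year, so one is assumed
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Alert once per source that reaches `threshold` failures inside a sliding
    `window_s`-second window, and again when a success follows that burst."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        if result == "Failed":
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # drop stale failures
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user))
        elif src in flagged:  # a login succeeded after the burst: treat as compromise
            alerts.append(("success_after_brute_force", src, user))
    return alerts
```

Run against real logs, the "success_after_brute_force" alert is the one to page on: a single source guessing its way in is exactly the foothold the article describes.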
Atlanta was one of the cities hit with the SamSam ransomware. The initial ransom demand was $51 thousand. The attack locked up city functions, and the final cost to Atlanta was calculated at over $21 million. Many circumstances shaped Atlanta’s approach to the crisis. It did not help that the City’s Chief Operations Officer was in his first week on the job when the infection occurred.
The Colorado Department of Transportation was hit with a similar attack. They were actually hit twice in an eight-day period. Officials say they never paid the bitcoin ransom; however, the recovery costs were high. Every computer had to be checked and reinstalled on the network.
WILL THEY PAY
There were many other notable infections, and some victims did pay the ransom. It might have been because they did not have a robust backup program, or because they feared letting the situation escalate. Ransomware hackers are careful not to demand more than the victim can afford. This turns the decision of whether to pay into a cost-benefit analysis. More often than not, the victim pays the ransom.
On November 28th, the Department of Justice charged Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri in a federal indictment. However, the two men remain at large in their home country of Iran. The question is what happens next: what does this federal charge mean for these two men, and for advancing cybersecurity, given that there is no extradition treaty with Iran?
This is the first prominent indictment against foreign hackers affiliated with ransomware. We win when we can move from an indictment to a prosecution, even when the hackers reside in countries unfriendly to the U.S. Simply pointing hackers out and shaming them does little to protect us from the next attack. In that same light, paying the ransom does not mean the victim will get their data back. And, to stop successful SamSam-style attacks on U.S. entities, responsible parties will need to back up their systems and plan to be attacked. Clearly, preparing is cheaper than responding and remediating.