SamSam Ransomware Attackers Hit Allied Physicians of Michiana


Cybercriminals struck Indiana-based Allied Physicians of Michiana on Thursday with SamSam, a prolific strain of ransomware that has frequently targeted the healthcare sector.

The cyberattack was first discovered on May 17 and was then shut down to protect patient data and the wider network. Officials claimed they were able to contain the incident and are currently investigating whether patient data was compromised. The healthcare provider group is also working with the FBI and other regulatory agencies to assess the scope of the incident.

“The security of our patients’ personal and protected health information is foremost in our mind,” said Allied Physicians CEO Shery Roussarie in a statement. “While we make effort to keep ahead of these types of cyberattacks, we have nevertheless taken additional steps to minimize any such future attack.”

The healthcare organization declined to confirm whether or not it had paid any ransom amount demanded by the attackers.

Officials added in a statement:

The FBI has previously stated in response to similar attacks perpetrated by these actors that their primary goal is to extract a ransomware payment.

The ransomware attack is merely the latest intrusion by SamSam ransomware-peddling cybercriminals this year. In January, SamSam hackers hit Allscripts, knocking its clients offline for up to a week. Another Indiana provider, Hancock Health, was also hit in January, and on that occasion the hackers were paid the ransom.

Altogether, SamSam hackers have struck at least 8 separate healthcare and government organizations this year. They are also responsible for shutting down the Atlanta government temporarily in March. In April, the US Department of Health and Human Services warned that SamSam is still targeting the healthcare sector. Open RDP connections are particularly targeted, with attackers breaking into networks via brute-force attacks.

“In 2018, the trend of targeting vulnerable, public-facing servers continued for the attackers behind the SamSam campaigns,” an HHS alert explained. “Although the infection vector for the ongoing campaigns is yet to be confirmed, there has been some discussion among researchers that the attackers’ initial foothold may have been a compromised RDP/VNC server.”

Image credit: LIFARS archive.