
Samsam infected thousands of LabCorp systems via brute force RDP

LabCorp contained the attack within 50 minutes, says they're at about 90-percent operational capacity


LabCorp, one of the largest clinical labs in the U.S., said the Samsam ransomware attack that forced their systems offline was contained quickly and didn't result in a data breach.

However, in the brief time between detection and mitigation, the ransomware was able to encrypt thousands of systems and several hundred production servers.

The wider public first learned about the LabCorp incident on Monday, when the company disclosed it via an 8-K filing with the SEC. Since then, as recovery efforts continue, the company said they're at about 90-percent operational capacity.

According to sources familiar with the investigation, the Samsam attack at LabCorp started at midnight on July 13.

This is when the Samsam group brute-forced an RDP instance and deployed the ransomware of the same name to the LabCorp network. At 6:00 p.m. on Saturday, July 14, the first computer was encrypted.

The LabCorp SOC (Security Operations Center) took action immediately after that first system was encrypted, alerting IR teams and severing various links and connections.

These quick actions ultimately helped the company contain the spread of the infection and neutralize the attack within 50 minutes. However, before the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers.

The analysis and recovery continued from that point. This led the company to confirm the source of the attack as a brute-forced RDP instance, and to confirm that only Windows systems were impacted.

According to NetFlow management and traffic monitoring, nothing left the network during the attack, so the company is confident that there was no data breach.
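The egress check described above, confirming from flow records that no data left the network during the incident window, can be reproduced in a few lines. The following is an added example, not LabCorp's tooling or any vendor's code; the flow records are constructed, the internal ranges are the RFC 1918 blocks, and the one-gigabyte threshold is an assumed value a team would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Internal address space; assumed here to be the RFC 1918 ranges.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed NetFlow-style records (not real LabCorp data):
# (flow start, source IP, destination IP, destination port, bytes sent by source)
SAMPLE_FLOWS = [
    ("2018-07-14T17:55:00", "10.20.1.15", "10.20.1.200", 445, 48_000_000),      # SMB, stays internal
    ("2018-07-14T18:02:00", "10.20.1.15", "203.0.113.10", 443, 120_000),        # small HTTPS egress
    ("2018-07-14T18:10:00", "10.20.1.31", "198.51.100.7", 443, 2_400_000_000),  # large HTTPS egress
    ("2018-07-14T18:20:00", "10.20.1.31", "10.20.1.5", 3389, 900_000),          # RDP, stays internal
    ("2018-07-14T19:30:00", "10.20.1.15", "203.0.113.10", 443, 5_000_000_000),  # after the window
]


def is_internal(addr):
    """True if the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_host(flows, window_start, window_end):
    """Sum bytes sent from internal hosts to external destinations inside the window.

    Internal-to-internal traffic (lateral movement, backups) is deliberately
    excluded: the question is what left the network, not what moved inside it.
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    totals = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        when = datetime.fromisoformat(ts)
        if not (start <= when <= end):
            continue
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_egress(totals, threshold_bytes=1_000_000_000):
    """Return internal hosts whose external egress meets the threshold, sorted."""
    return sorted(host for host, sent in totals.items() if sent >= threshold_bytes)


if __name__ == "__main__":
    window = egress_by_host(SAMPLE_FLOWS, "2018-07-14T18:00:00", "2018-07-14T19:00:00")
    for host, sent in sorted(window.items()):
        print(f"{host}: {sent:,} bytes to external destinations")
    print("hosts exceeding threshold:", flag_egress(window))
```

A clean result is a list of hosts whose external egress during the window matches their normal baseline; a host that stands out the way 10.20.1.31 does in the constructed data is where an investigator would look next before asserting that no data was taken.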

Given the RDP connection to this attack, and the fact that most attacks of this nature are bi-directional, LabCorp will likely implement two-factor authentication in the future.

It isn't clear if the company has a timeline for these changes, or if two-factor authentication was already in place at the time of the attack. Salted Hash has reached out to LabCorp for additional comment and will update should they respond.

Earlier this year, Salted Hash covered the Samsam attacks against Allscripts, another key organization in the medical industry.

In all of the recent Samsam attacks against healthcare organizations, RDP was singled out as the possible entry point, with only LabCorp and Hancock Health confirmed as victims via RDP.

One of the key recommendations from security experts dealing with Samsam (including us here at Salted Hash) is to implement two-factor authentication, and limit (or seriously control) access to RDP.

Samsam has been observed leveraging NLBrute (an attack tool for brute-forcing public-facing RDP instances) and RDPWrap during their attacks, which have been successful in many cases. The group also uses various commonly used administrative tools to navigate a victim's network prior to infection.
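The brute-force entry described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, followed by a success (event 4624) from the same address. With Network Level Authentication enabled the failures are typically recorded with logon type 3 rather than type 10, so both are treated as RDP-related here. The following detector is an added example, not LabCorp's or any vendor's code; the event lines are constructed in a simplified pipe-separated form, and the five-failures-in-five-minutes threshold is an assumed starting point.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types seen for RDP: 10 = RemoteInteractive, 3 = Network (failures under NLA).
RDP_LOGON_TYPES = {3, 10}

# Constructed events (not real LabCorp logs): time|EventID|LogonType|TargetUser|SourceIP
SAMPLE_EVENTS = """\
2018-07-13T00:00:01|4625|3|administrator|192.0.2.44
2018-07-13T00:00:02|4625|3|admin|192.0.2.44
2018-07-13T00:00:03|4625|3|backup|192.0.2.44
2018-07-13T00:00:04|4625|3|svc_backup|192.0.2.44
2018-07-13T00:00:05|4625|3|svc_backup|192.0.2.44
2018-07-13T00:00:06|4625|3|svc_backup|192.0.2.44
2018-07-13T00:00:07|4625|3|svc_backup|192.0.2.44
2018-07-13T00:00:09|4624|10|svc_backup|192.0.2.44
2018-07-13T00:05:00|4625|10|jsmith|10.20.1.40
2018-07-13T00:06:00|4624|10|jsmith|10.20.1.40
2018-07-13T00:10:00|4625|3|helpdesk|198.51.100.23
2018-07-13T00:25:00|4625|3|helpdesk|198.51.100.23
2018-07-13T00:40:00|4625|3|helpdesk|198.51.100.23
"""


def parse_events(text):
    """Parse the simplified log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP logon failures inside a sliding window.

    A later RDP success from a flagged source is recorded as success_user,
    which is the signal that the brute force actually got in.
    """
    recent = defaultdict(deque)   # source IP -> timestamps of failures still in the window
    total_failures = defaultdict(int)
    alerts = {}                   # source IP -> alert record
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console logons and service logons are out of scope
        src = ev["src"]
        if ev["event_id"] == 4625:
            total_failures[src] += 1
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                rec = alerts.setdefault(src, {"source": src, "first": q[0], "success_user": None})
                rec["last_failure"] = ev["ts"]
                rec["failures"] = total_failures[src]
        elif ev["event_id"] == 4624 and src in alerts:
            alerts[src]["success_user"] = ev["user"]
    return [alerts[src] for src in sorted(alerts)]


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        outcome = f"then succeeded as {alert['success_user']}" if alert["success_user"] else "no success seen"
        print(f"{alert['source']}: {alert['failures']} RDP failures, {outcome}")
```

In the constructed data only 192.0.2.44 trips the rule; the single mistyped password from 10.20.1.40 and the three slow failures from 198.51.100.23 stay below it. In production the same logic would read event 4625 and 4624 records from the Security log (or from a SIEM), and an alert whose success_user is set is the one to page on, because the account it names now needs to be treated as compromised.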

However, because LabCorp was able to detect and respond to the attack quickly, they likely saved themselves from costly and lengthy outages. It's also likely that backups (tested and current) played a large role in the recovery phase of the incident.

The last time the Samsam group was in the news, they had attacked the Colorado Department of Transportation twice in two weeks and the City of Atlanta.

In March, based on the current value of Bitcoin at the time, it was estimated that the group had earned nearly $850,000 USD from their victims, who paid the ransom demands.

Update:

In response to our questions, LabCorp issued the following statement. We have reproduced it here in full.

"During the weekend of July 14, 2018, LabCorp detected suspicious activity on its information technology network. The activity was subsequently determined to be a new variant of ransomware. LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results.

"Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days.

"The ransomware was detected only on LabCorp Diagnostics systems; Covance Drug Development systems were not affected by the ransomware. As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement. Our investigation has found no evidence of theft or misuse of data."
