New variant of SamSam - a ransomware family linked to several attacks against medical providers - is behind the Allscripts outage Credit: Thinkstock Allscripts, the billion-dollar electronic health record (EHR) company headquartered in Chicago, IL said they were still working to recover from a ransomware attack that left several applications offline after data centers in Raleigh and Charlotte, NC were infected on Thursday.In a conference call for customers on Saturday, which Salted Hash listened-in on, Allscripts’ Jeremy Maxwell, director of information security, said their PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were the hardest hit by the ransomware attack.Other services had availability issues as well, but those have since been restored, such as direct messaging and some CCDA functionality.EPCS has been also restored (as of Saturday) and they are working on getting PRO EHR back online. However, in a call on Sunday Allscripts told providers to prepare for outages to continue through Monday as the company recovers. The recovery is focused on getting data restored via backups and alternative access methods.“We are working around the clock to get everybody up and running by [Monday morning]. However, in terms of planning – in an abundance of caution – it would be advisable to plan for a continued outage though Monday,” said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts. The ransomware attack started on Thursday, January 18 at around 02:00 a.m. EST, and by 06:00 a.m. EST it was a full-blown ransomware incident, which required that incident response teams from Microsoft and Cisco be called in to assist.On Sunday, Allscripts said that Mandiant was also involved in the investigation as they work through how the infection started.Backup systems were not impacted by the ransomware, thus enabling Allscripts to restore systems one-by-one from backup. Full backups are made on Friday, and incremental backups are done nightly at 10:00 p.m. EST. So as the systems are restored, the expectation is that there will be minimal – if any – data loss.The variant of SamSam that infected Allscripts was a new variant unrelated to the version of SamSam that infected systems at Hancock Health Hospital in Greenfield, Indiana and Adams Memorial Hospital in Decatur, Indiana. This data was confirmed by the Microsoft and Cisco teams, as well as the FBI.In a call on Saturday, Allscripts said that all appearance this was commodity malware and that the company wasn’t directly targeted.Earlier this month, Hancock Health paid 4 BTC ($55,000 USD) to recover their systems after critical files were encrypted by SamSam. The decision to pay was weighed against manual restoration from backup. While the hospital could have used backups to recover, the process could have taken days, maybe weeks, and the cost of recovery was more than the ransom demand. In this light, it was a business decision to pay.“These folks have an interesting business model,” Hancock Health CEO Steve Long told the Greenfield Daily Reporter. “They make it just easy enough (to pay), they price it right.”According to Allscripts, their client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations.Update 23-JAN-2018:An Allscripts customer shared the following notice from the company: “Allscripts PM and Professional EHR systems in the East, Central, Mountain, and Pacific regions have been brought back online. We are currently working to restore permissions for all users. Once permissions are restored, users will have access to their core applications. We are continuing to work on restoration of interfaces.”In a conference call on Tuesday, Allscripts confirmed the notice and added some additional details.“Our base functionality is online, but some active users are still unable to complete login,” said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts.“As part of our security procedures we locked down the systems and removed login access. We are in the process of systematically re-establishing logins. This access is being re-established as we are on this very call, so it is happening right now.”Many users are able to access data though the Pro Mobile service. Access to Pro Mobile has been opened up to everyone, but it requires an Apple device to function.For those who would like to hear the recordings of the Allscripts update calls, they are available below by date:Friday, January 19, 2018Saturday, January 20, 2018Sunday, January 21, 2018Monday, January 22, 2018Tuesday, January 23, 2018Wednesday, January 24, 2018 Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe