MedStar Health partially restores services after suspected ransomware attack

The organization was reportedly hit with the Samsam ransomware family

MedStar Health said Wednesday it is restoring computer systems following a cyberattack that reportedly involved file-encrypting malware.

The not-for-profit organization, which runs 10 hospitals in the Washington, D.C., area, was hit with ransomware, the Baltimore Sun reported on Wednesday, citing two anonymous sources.

MedStar Health officials could not be immediately reached for comment. The organization issued two statements Wednesday, but did not describe what type of malware infected its systems.

It said in one statement that its IT team has worked continuously to restore access to three main clinical systems. It said no patient data or associate data was compromised.

Ransomware has become one of the most prevalent kinds of malware on the Internet although it has been around for more than a decade.

Several medical facilities have come forward over the last few weeks and publicly said ransomware had disrupted their operations. The targeting of medical groups has added a new and dangerous angle to these kinds of cyberattacks because patient care could be directly impacted.

MedStar encouraged patients on Wednesday to call doctor offices directly to make appointments, as it was still trying to restore its electronic appointment system.

Nonetheless, MedStar said it has been able to keep humming along. Since the attack, it has cared for 3,380 patients a day across 10 hospitals, performed 782 surgeries and delivered 72 babies.

"The malicious malware attack has created many inconveniences and operational challenges for our patients and associates," according to a statement. "With only a few exceptions, we have continued to provide care approximating our normal volume levels."

The Baltimore Sun reported the hackers offered MedStar a bulk decryption discount: three bitcoins to decrypt one computer, or 45 bitcoins, roughly US$18,500, to unlock them all.

That demand is roughly in line with the attackers who struck Hollywood Presbyterian Medical Center in Los Angeles. Allen Stefanek, president and CEO of Hollywood Presbyterian, said in a statement the payment was the "quickest and most efficient way" to restore its systems. 

The ransom note and the Tor hidden website supplied to make a payment was "almost identical" to those who have previously been infected with ransomware called Samsam, the Sun reported.

Just days before MedStar announced its troubles, Cisco's Talos group published a blog post on Samsam, which is also called Samas and MSIL.B/C.

Craig Williams, Cisco's security outreach manager, wrote "this particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry."

Samsam's operators were using JexBoss, a penetration testing tool for JBoss servers, to get access to networks, Williams wrote.

It's unclear how MedStar has been able to restore its systems. But computer security experts closely analyze ransomware and have occasionally been able to find errors in the code that would allow the recovery of the decryption key.

Authorities are largely at a loss for how to stop ransomware. Some of the ransomware gangs, believed to be in Eastern Europe or Russia, are far out of the reach of law enforcement.

Companies and organizations have generally been advised to frequently back up their systems and ensure those systems are segregated to prevent ransomware from encrypting those files as well. But designing such systems is not easy, and small organizations with less to spend on IT may be more vulnerable. 

Join the CSO newsletter!

Error: Please check your email address.

More about BaltimoreCiscoJBoss

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place