LabCorp Still Recovering From Ransomware AttackSamSam, Other Ransomware Still Menacing Healthcare Sector
Medical testing laboratory firm LabCorp is still working to fully recover systems functionality nearly a week after a cyberattack that the company now claims involved "a new variant" of ransomware.
"Our investigation has found no evidence of theft or misuse of data," the company says in a statement provided to Information Security Media Group on Friday. Although it confirms that the cyberattack that was detected last weekend involved ransomware, it did not specify the type of ransomware involved.
The company says it's been working to restore full system functionality as quickly as possible. It says that as of Friday, its lab test operations have substantially resumed, and it's working to restore additional systems and functions over the next several days.
Burlington, N.C.-based LabCorp, one of the largest diagnostic lab companies in the world, with $10.8 billion in annual revenue, issued a special 8K filing on July 16 with the U.S. Securities and Exchange Commission saying that it had detected suspicious activity on its IT network the weekend of July 14, but that statement didn't specify that ransomware was involved.
According to some news media reports, the attack on LabCorp involved a variant of SamSam, ransomware. Federal regulators have issued warnings to the healthcare sector about SamSam after a series of attacks.
CSO Online, citing unnamed sources familiar with the organization, reports that hackers used brute force against LabCorp's remote desktop protocol and deployed SamSam to the LabCorp network, allegedly "encrypting thousands of systems and several hundred production servers" between the time the lab company detected suspicious activity on its IT network and began to mitigate the incident.
An alert issued in late March from the Department of Health and Human Services' Healthcare Cybersecurity and Communications Integration Center noted that the SamSam malware, active since 2016, has been largely associated with ransomware attacks against hospitals and others in the healthcare and public health sector. As of March, HHS said the SamSam malware had infected at least 10 entities, including eight healthcare sector organizations, since Dec. 26, 2016.
Among the healthcare sector entities previously hit by SamSam was electronic health records vendor Allscripts, which in January said an attack involving a variant of the SamSam ransomware impacted its cloud-based Professional EHR and Electronic Prescriptions for Controlled Substances services to physician group practices for several days.
But by now, the SamSam victim count in the healthcare sector is undoubtedly higher than HHS's tally earlier this year. HHS did not immediately respond to an ISMG request for comment.
In addition to LabCorp and Allscripts, another healthcare organization recently hit by a SamSam attack is Allied Physicians, a multispecialty practice with about 50 clinicians serving north central Indiana (see Malware Attacks: Tale of Two Healthcare Incidents).
"The healthcare industry is seen by attackers as an enticing target and ransomware is a low-risk, high-reward tool," says Pierson Clair, senior director in the cyber risk practice of security vendor Kroll.
Clair says he's seen ransomware, specifically SamSam and its variants, used to target the healthcare sector as well as many other industries. "Attackers are continuously evolving their tools and methodologies to avoid detection by information security teams. These attackers morph their ransom toolkits in an effort to stay one step ahead of anti-virus and other means of protection. Attackers will find any available weakness in an organization in order to exploit it."
Sequence of Events
In its statement provided Friday to ISMG, LabCorp says that during the weekend of July 14, the company detected suspicious activity on its information technology network. The activity was subsequently determined to be "a new variant of ransomware," the company says.
"LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results."
The ransomware was detected only on LabCorp Diagnostics systems; Covance Drug Development's systems - a research unit - were not affected by the ransomware, the company says. "As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement."
Greg Garcia, who heads the cybersecurity efforts of the Healthcare and Public Health Sector Coordinating Council, which is working to identify and mitigate threats and vulnerabilities facing the healthcare sector, says ransomware is a top worry for industry stakeholders.
"Currently, the flavor of the day certainly seems to be ransomware," Garcia said in a recent interview. "It's an insidious threat and it's taking many different forms. But as we know, cyber adversaries are resourceful and cunning, and the threats change all the time."
But cyberattacks against large healthcare sector players - such as Allscripts and LabCorp - also impact many other organizations that depend on their services.
""The LabCorp data breach is yet another heavy blow in the continued assault on healthcare," says Pravin Kothari, CEO of security vendor CipherCloud. "Consider that LabCorp is one of the largest diagnostic laboratories in the world and is a very critical part of U.S. healthcare infrastructure."
LabCorp has hundreds of networked labs across the U.S., he notes. "This may be one of the largest healthcare networks in the world, with connections to many thousands of physician offices, hospitals and their testing facility offices worldwide," he says.
David Finn, a former healthcare CIO who is now executive vice president of security consulting firm CynergisTek, notes that evolving ransomware variants pose growing threats.
"SamSam has been identified under various names - Samas, SamSamCrypt - and I have to believe it is used as the 'starter' for other variants," Finn notes.
"One of the issues with ransomware is that the rebirth of ransomware we saw four or five years ago has also now morphed. Ransomware is no longer just used by cybercriminals. For a number of reasons we've seen attack groups using ransomware as a cover of other types of attacks," he says.
"Where SamSam is usually connected with the Gold Lowell attack group, we see more groups have adopted ransomware as a tool or decoy to cover or hide other attacks. This was a trend in 2017 and no one really knew if it would continue. I think we have our answer and it is yes."
Steps to Take
Finn notes that in all of the most recent SamSam attacks in the healthcare sector, it appears that Remote Desktop Protocol was the entry point. "So, first limit RDP, and if you can't, then two-factor authentication should eliminate that vector," he says.
Entities should can other steps to prevent becoming a victim of SamSam or other ransomware, he stresses. Those include:
- Prioritizing software updates, including operating systems and applications;
- Conducting regular penetration testing;
- Monitoring for anomalous behaviors;
- Managing access to systems and data, including implementing multifactor authentication;
- Implementing a comprehensive, enterprisewide incident response plan and regularly testing it;
- Backing up and segregating data for recovery.
"When you see ransomware you want to start disconnecting from the internet to limit exfiltration of data and you want to start - based on your plan - isolating network segments that house critical systems," Finn adds.
"These things spread so fast you really don't have time to figure it out. You need to stop the spread as quickly as possible."
—David Finn, CynergisTek
"These things spread so fast you really don't have time to figure it out. You need to stop the spread as quickly as possible. Not unlike an emergency room patient, you need to stop the bleeding and get the environment stable enough to assess the 'patient' and then begin treatment," he says. "Remediation, even from a quickly contained attack, can take months."
After a ransomware attack, entities must strive to "identify what happened in order to put technical controls in place to better protect the organization going forward," Kroll's Clair notes. "There are underlying foundational principles to ransomware response that can help guide an investigation and remediation. However, every variant is different, every environment is different, and every incident requires a response tailored to the specific circumstances of the event."
Brian Wells, CTO at security consulting firm Merlin International, says his firm recommends that organizations follow Federal Information Processing Standard (FIPS) 140-2 Level 4 standards and the National Institute of Standards and Technology's Cyber Controls "to ensure systems are protected and follow regulations for hardened systems to make it harder to break into systems in the first place."
He notes: "Based on reports of how LabCorp reacted and responded to the attack, it seems it had a plan in place to minimize the damage from a cyberattack and reduce its overall impact on the company."