LabCorp, one of the largest medical-testing laboratories in the United States, had many of its computer systems taken offline last weekend by ransomware known as SamSam.
The company, which processes more than 100 million lab tests per year, first reported the breach on Monday, initially describing it as “suspicious activity” detected on the company’s computer systems, prompting fears – and speculation by many in the media – that patient data may have been stolen. Since then, however, LabCorp has clarified in a disclosure filed with the SEC that “there is no evidence of unauthorized transfer or misuse of data.”
LabCorp has explained that its information-security team noticed the ransomware attack immediately after the malware encrypted data on the first infected system, and took quick action to contain and eliminate the threat; the firm claims to have neutralized the attack in under an hour. However – and let this be a warning to everyone about how fast ransomware can spread even after being detected – during the 50 minutes in which it was alive and being fought by security personnel, the ransomware is believed to have infected and encrypted data on 7,000 systems, including 350 production servers and over 1,500 other servers.
At present, multiple media venues report that the penetration into LabCorp was achieved via a brute-force RDP attack, and that only Windows systems were impacted. At a high level, RDP brute-force attacks involve hackers scanning to find systems with which they can communicate in order to request remote access and, upon finding such computers, trying numerous passwords until they guess the correct one. As such, RDP brute-force attacks generally succeed only when the victim has not adhered to information-security best practices such as requiring multi-factor authentication for remote access, establishing long timeouts after multiple failed login attempts, and alerting administrators of suspicious attempts to gain access.
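The last of those practices, alerting on suspicious remote-access attempts, is the one a defender can check from logs alone. The following is an added example, not code from the article or from LabCorp, that runs a simple threshold detector over a constructed sample of Windows Security events (Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP); the timestamps, user names and addresses are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries, not real data:
# (timestamp, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    ("2018-07-14T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-14T02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-14T02:00:04", 4625, 10, "admin",         "203.0.113.7"),
    ("2018-07-14T02:00:06", 4625, 10, "backup",        "203.0.113.7"),
    ("2018-07-14T02:00:08", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-14T02:00:09", 4625, 10, "svc_sql",       "203.0.113.7"),
    ("2018-07-14T02:01:12", 4624, 10, "administrator", "203.0.113.7"),  # success right after the burst
    ("2018-07-14T09:15:00", 4625, 10, "jdoe",          "198.51.100.5"),  # a single typo, not an attack
    ("2018-07-14T09:15:20", 4624, 10, "jdoe",          "198.51.100.5"),
    ("2018-07-14T02:00:05", 4625, 2,  "jdoe",          "127.0.0.1"),     # interactive (console) logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP logons within `window`, noting whether a successful RDP logon from the
    same source followed the burst (the case an administrator must act on)."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, user, src in sorted(events):  # ISO timestamps sort correctly as strings
        if logon_type != 10:          # only RemoteInteractive (RDP) logons are of interest here
            continue
        by_src[src].append((datetime.fromisoformat(ts), event_id, user))
    alerts = []
    for src, seq in by_src.items():
        fails = [(t, u) for t, e, u in seq if e == 4625]
        for i in range(len(fails)):   # sliding window over the time-ordered failures
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1][0]
                alerts.append({
                    "source_ip": src,
                    "failures": j - i,
                    "users": sorted({u for _, u in fails[i:j]}),
                    "success_after_burst": any(e == 4624 and t > burst_end for t, e, _ in seq),
                })
                break                 # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The same logic maps directly onto a SIEM rule: group 4625/logon-type-10 events by source address, fire at the threshold, and escalate when a 4624 from the same source follows, since that is the moment a guessed password has become a foothold.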
Over the last couple of years, criminals have increasingly directed ransomware attacks at healthcare-related facilities, perhaps reasoning that such organizations are less likely than other businesses to have the luxury of going offline in order to restore from backups, as delays of that sort can be life threatening. As Pravin Kothari, CEO of cybersecurity solution provider CipherCloud, pointed out to me, “LabCorp connects electronically to many physician electronic medical record/electronic healthcare record (EMR/EHR) systems to both receive requests from physicians for patient testing, and then to return the results,” and, as such, the folks who breached LabCorp may have hoped to leverage their attack to spread ransomware far beyond just the medical testing giant. At present, however, reports are that it appears from logs that the malware was contained.
LabCorp has noted to the SEC that it has “notified the relevant authorities of the suspicious activity and will cooperate in any investigation.”