Mega medical tester pester: It smacked a big one, that malware scam, if indeed it was SamSam

One of the largest clinical testing specialists in the US, LabCorp Diagnostics, is coming out of recovery mode a week after being hit with ransomware – reportedly SamSam, the same malware that brought the US city of Atlanta to a standstill earlier this year. LabCorp has not confirmed that the malware was SamSam, but several …

  1. sanmigueelbeer

    which raises the question of why defenders don't comb their own networks for open ports in a similar fashion

    Because there is still a boatload of people with the mentality of "(it) won't happen to us".

    1. Waseem Alkurdi

      "(it) won't happen to us"

      "It won't, sir! We don't have anything significant on our systems!"

    2. Mark 85

      Because there is still a boatload of people with the mentality of "(it) won't happen to us".

      Add: "Also, it costs money to run scans and checks regularly. We have profits and board bonuses to think about not to mention shareholder value."

      1. Fatman

        RE: bonuses and shareholder value

        I wish I could give you a lot more than 1 up vote.

  2. sitta_europea Silver badge

    Not to mention "I insist on using the Administrator password, because I'm a Director!"

    1. Anonymous Coward

      'I have to have administrator access as I'm CFO'

      coupled with this gem from the same person

      'you can't enforce password complexity or re-use rules because I'll forget them, I'll change them regularly' (between pink and purple)

      All while insisting I offer guarantees that none of their employees could 'steal our data'.

      I gave up trying to explain and found new clients.

      As did their next IT company.

      Their accountants had a similar password policy.

      For their internet facing terminal server.

  3. Sgt_Oddball

    is it so hard....

    To set up anti brute force techniques?

    I used to have one for RDP that blacklisted IPs after 5 failed attempts. As well as removing all default users (or at least removing RDP access. No point in making it easy).

    It's not that hard and takes an afternoon if you don't know what you're doing (about an hour if you do).

    1. Lord Elpuss Silver badge

      Re: is it so hard....

      Technically speaking it isn't that hard - but you have to (a) know the vulnerable point exists in order to harden it, and (b) not have a PHB sitting somewhere who insists that he 'must' have outside access to a system even though he keeps forgetting his password and tripping the lockout, then commanding the infosec guys to leave it unprotected.

  4. Anonymous Coward

    "It has since been reported that the attack...more serious than the notification suggested"

    LabCorp Predictions 'Onion-style'

    LabCorp has just revised its statement about 'no evidence of data theft after alarms triggered'.... After it emerged they hadn't actually looked for any... In the vein of: If we don't know a leak or breach existed, then it didn't really, sort of twisted logic / reality. Plus, they're about to flip the company, so the timing is inconvenient according to LabCorp lawyers.

    However, LabCorp now admits that only data in a limited number of circumstances (everything), on a limited number of members of the public (everyone) was actually leaked to hackers in a limited number of instances (every time).... LabCorp said it is now employing PWC & Equifax to help audit its systems. So all is well / nothing to see here folks!

  5. Gordon Pryra

    Brute Force RDP?

    Seems more likely someone had a weak Windows password.

    Not to mention that the attackers would need to know of the workstation that was publicly available to them.

    Maybe some kind of "log-me in" or team view session set up to allow a 3rd party access quickly?

    Dunno, not many things NOT workstations use RDP and damned few of these are publicly facing. Makes me instantly think of insider help.

    Why the hell are their servers not protected by anti-virus?

    Yeah yeah boilerplate text "Our investigation has found no evidence of theft or misuse of data"

    Kind of obvious, ransomware is all about not having to go through the hassle of actually doing anything in order to scam cash from your mark.

    "Patient data was not thought to have been breached in an attack."

    They can't be that sure, after all the account they used had access to a large number of shares across the network. They talk about servers being affected, well no offense but an account that has access to the file structure on servers has probably got the keys to the kingdom.

    With the kind of company that allows someone into their network this easily and then has no simple anti-virus on their servers, what expectations can there be of decent security against the files stored therein?

    1. FrankAlphaXII

      Re: Brute Force RDP?

      Their servers don't have anti-virus because many Linux admins still think they don't need it, and Windows admins think it's something the endpoints need but the servers do not. It's extremely foolhardy in either a UNIX-like or Windows environment but nobody ever cares until they get burned.

      I do BC/DR and Emergency Management (same thing really) and I've lost count of the number of Incident Reports and AARs that I've written which point out in all caps, bold and underlined in red that anti-malware software is an absolute must on any machine connected to the network at all. Disabling services on the Windows machines aside from the bare minimum needed for that machine's operation is another area that gets overlooked all the time too.

  6. Pascal Monett Silver badge

    "defenders don't have minutes to mitigate, they have seconds"

    Absolutely logical. The malware works in CPU time, the defenders work in administrative human time.

    The humans don't have a chance if measures are not already in place and ready to go.

    Actually, active measures and surveillance need to be in place if malware is to be stopped.

    So basically we're going to have a decade or more of these shenanigans before a proper anti-propagation network tool is made available and succeeds in stopping cold these kinds of intrusions.

    If the board is ready to pay for it, which they will be after the first intrusion, of course.

    1. Unoriginal Handle

      Re: "defenders don't have minutes to mitigate, they have seconds"

      There are tools available commercially *now* which can protect endpoints of all sorts (laptops, servers, workstations, IoT, SCADA, ....) but a lot of customers are in the "I've got A/V, I'm sorted". No good if the A/V doesn't have a signature for the malware being used against them.

      1. Korev Silver badge

        Re: "defenders don't have minutes to mitigate, they have seconds"

        There's a directory on this computer that's sitting there waiting to be encrypted and then flag an alarm in case this kind of malware gets on. You can't imagine how tempted I am to rename the directory to see what happens...
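        The decoy directory this comment mentions is a canary: a tree of files nobody legitimately touches, so any change to it is a high-confidence signal that something is mass-modifying files. The script below is an added example of that check (not the commenter's tooling, and the decoy names and contents are constructed): it records a baseline of SHA-256 hashes for every file under the canary directory, takes a fresh snapshot, and reports modified, removed and added paths. Its `demo()` builds a temporary canary, then overwrites and renames one decoy, which is the footprint a file encryptor leaves and the case the alarm must catch.

```python
"""Added example: canary-directory monitor. Baseline the decoys by hash,
re-snapshot, and alarm on any modification, removal or addition.
Not code from the thread; file names and contents are constructed."""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Map relative path -> SHA-256 hex digest for every file under directory."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory)
            with open(path, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshot(baseline, current):
    """Compare two snapshots. A rename shows up as one removal plus one
    addition, which is exactly what an encrypt-and-rename produces."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def should_alarm(alerts):
    """Any change at all to the decoys is an alarm condition."""
    return any(alerts.values())


def demo():
    """Create a temporary canary of three constructed decoys, baseline it,
    overwrite and rename one decoy, and return the resulting alert dict."""
    with tempfile.TemporaryDirectory() as canary:
        for i in range(3):
            with open(os.path.join(canary, f"decoy{i}.docx"), "wb") as fh:
                fh.write(b"constructed decoy content %d" % i)
        baseline = snapshot(canary)

        # The change a file encryptor would leave behind: contents replaced,
        # file renamed with a new suffix (suffix is a placeholder, not a real IoC).
        victim = os.path.join(canary, "decoy1.docx")
        with open(victim, "wb") as fh:
            fh.write(os.urandom(64))
        os.rename(victim, victim + ".locked")

        return diff_snapshot(baseline, snapshot(canary))


if __name__ == "__main__":
    alerts = demo()
    print("ALARM" if should_alarm(alerts) else "clean", alerts)
```

        In production the baseline would be stored outside the monitored host and the snapshot run on a short timer, since, as the thread notes, the response budget is seconds; the alarm action (isolating the host, killing the offending process) is deliberately left out here.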
