Nearly a week after bearing the brunt of a ransomware attack, medical testing giant LabCorp is still recovering from the intrusion and has not confirmed how much data was compromised or how many servers were affected.
Thousands of LabCorp servers were shut down and its network was taken offline on Sunday after officials discovered suspicious activity. Customer access and test processing were impacted during recovery efforts from what is believed to be a SamSam ransomware attack, according to an original Wall Street Journal report.
When asked on Friday to confirm whether the intrusion was indeed a SamSam ransomware attack, a spokesman would neither confirm nor deny it. A CSO report noted that the same ransomware variant shut down the Allscripts platform for nearly a week in January and is known to breach servers by brute-forcing RDP credentials and then spread from there.
SamSam has notably been leveraging NLBrute, a brute-force tool aimed at internet-facing RDP instances, and RWDWrap during attacks that have succeeded in several cases. The group also uses ordinary administrative tools to move through a victim's network before deploying the ransomware.
The attack reportedly encrypted 7,000 systems, including 1,900 servers, 350 of which were production servers. According to the report, the attackers gained access by brute-forcing credentials over the remote desktop protocol.
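The initial-access pattern described above (a burst of failed RDP logons from one source, then a success) is visible in Windows Security logs: event 4625 (failed logon) and 4624 (successful logon), with logon type 10 marking RemoteInteractive, i.e. RDP, sessions. The detection below is an added example and not code from the original article or from any LabCorp investigation; the event records, IP addresses and usernames are constructed, and the threshold and window are assumptions to tune per environment.

```python
"""Flag an RDP brute force followed by a successful logon in Windows Security events.

Added example. Event records are constructed, simplified into the fields a SIEM
would normalise out of 4624/4625 events; they are not real LabCorp data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # assumed: failures in one window that count as a brute force
WINDOW = timedelta(minutes=10)     # assumed: sliding window for counting failures
RDP_LOGON_TYPE = 10                # RemoteInteractive (RDP); see caveat on NLA in the text

BRUTE_SRC = "203.0.113.7"          # constructed attacker address (TEST-NET-3)

# Six failed RDP logons five seconds apart, each guessing a different account...
SAMPLE_EVENTS = [
    {"ts": f"2018-07-14T02:00:{sec:02d}", "id": 4625, "logon_type": 10,
     "user": user, "src": BRUTE_SRC}
    for sec, user in zip(range(1, 31, 5),
                         ["administrator", "admin", "backup", "labadmin", "svc_backup", "scanner"])
]
SAMPLE_EVENTS += [
    # ...then a successful RDP logon from the same source: the guessed account.
    {"ts": "2018-07-14T02:00:40", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": BRUTE_SRC},
    # Benign noise: a user mistypes a password twice, then logs in normally.
    {"ts": "2018-07-14T02:05:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.5"},
    {"ts": "2018-07-14T02:05:20", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.5"},
    {"ts": "2018-07-14T02:05:45", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "198.51.100.5"},
]


def parse_ts(value):
    """Timestamps in the constructed records are ISO 8601 without a zone."""
    return datetime.fromisoformat(value)


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose RDP failures reach `threshold` inside `window`.

    Each alert is {"src", "failures", "compromised_user"}; "failures" is the peak
    number of failures seen inside any single window, and "compromised_user" is the
    account of the first 4624 that followed at least `threshold` failures within the
    window (None if the brute force never succeeded).
    """
    by_src = defaultdict(list)
    for event in events:
        if event["logon_type"] == RDP_LOGON_TYPE:
            by_src[event["src"]].append(event)

    alerts = []
    for src, src_events in by_src.items():
        src_events.sort(key=lambda e: parse_ts(e["ts"]))
        recent_failures = deque()      # failure timestamps still inside the window
        peak = 0
        compromised_user = None
        for event in src_events:
            now = parse_ts(event["ts"])
            # Slide the window: forget failures older than `window` relative to this event.
            while recent_failures and now - recent_failures[0] > window:
                recent_failures.popleft()
            if event["id"] == 4625:
                recent_failures.append(now)
                peak = max(peak, len(recent_failures))
            elif event["id"] == 4624 and len(recent_failures) >= threshold and compromised_user is None:
                compromised_user = event["user"]
        if peak >= threshold:
            alerts.append({"src": src, "failures": peak, "compromised_user": compromised_user})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force from {alert['src']}: {alert['failures']} failures, "
              f"successful logon as {alert['compromised_user']}")
```

With the defaults only 203.0.113.7 is reported, with the account `svc_backup` as the one that let the attacker in; the two mistyped passwords from 198.51.100.5 stay below the threshold. One caveat for real deployments: when Network Level Authentication is enabled, failed RDP attempts are commonly logged with logon type 3 rather than 10, so a production rule should match both types and, ideally, the source port or the service name as well.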
An official statement added:
“During the weekend of July 14, 2018, LabCorp detected suspicious activity on its information technology network. The activity was subsequently determined to be a new variant of ransomware.
The official statement suggests there was no breach of patient data, and the report further claimed that officials confirmed only Windows systems were affected.
Because the initial foothold came through RDP with brute-forced credentials, the obvious follow-up is two-factor authentication on remote access, which LabCorp could implement in the future; an RDP service that is not reachable from the internet at all cannot be brute-forced this way in the first place.
Image credit: Flickr.