LabCorp Restores Operational Capacity After SamSam Attack

Delaware, USA – July 20, 2018 – LabCorp shared the details of the attack, which occurred last weekend. It was started on July 13, around midnight, when adversaries from SamSam group began brute-forcing RDP connections. At 6:00 p.m. on Saturday, July 14, the attackers started to encrypt computers at LabCorp. Organization’s Security Operation Center immediately responded to the threat and informed incident response teams, which allowed them to stop the attack in less than an hour. During this time, adversaries managed to encrypt data on 7000 systems and almost 2000 servers running Microsoft Windows. Currently, the investigation and recovery of data from backups continue. Analysts established with high confidence that the attackers penetrated the network through the compromising of RDP connection, probably using RDPWrap and NLBrute tools. Traffic analysis showed that sensitive data was not stolen.

It seems that the SamSam group had a shock weekend if it would be confirmed that the attack on the MGM hospital is also their job. Earlier this year, attackers have already conducted a series of successful attacks, including an attack on AllScripts in January this year and an attack on the city of Atlanta, which cost the city $1.5 million. To protect against this technique, it is recommended to implement two-factor authentication and SIEM with Brute Force Detection use case can be leveraged to determine the beginning of the attack timely.