The Ransomware Ravaging Allscripts Is Precise and Potentially Devastating

The SamSam malware that is disrupting the EHR provider's clients nationwide is usually delivered manually, and can be extremely difficult to get rid of.

Days after a ransomware attack swept through its systems, electronic health records (EHR) vendor Allscripts has not entirely restored services to its healthcare provider clients.

“I see people mentioning [it’s a] ‘limited’ issue and ‘recovering,’” an internal medicine physician from Connecticut told Healthcare Analytics News™. “But I have talked to dozens of physicians all over the country who have not had access to their patients' charts or vital information for 5 days, and they are frustrated.”

The attack, which occurred late last week, is reported to be a strain of the notorious SamSam ransomware that has infected other healthcare institutions. It brought down Allscripts’ PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) platforms. EPCS has since been restored, but the company says it is still attempting to restore the EHR services.

On Twitter, numerous healthcare providers and staff have complained of continued disruption, with some claiming their institutions have had to revert to using paper records and, in some cases, cancel appointments.

Ransomware usually gets onto a system via phishing emails or “drive-by downloads” from compromised sites, but SamSam is usually different. Rather than waiting for a victim to open an attachment, the attacker forces their way into a network through the Remote Desktop Protocol (RDP) service on Internet-exposed Windows systems, typically by guessing or brute-forcing weak credentials. Once inside, the attacker escalates privileges, moves laterally to as many hosts as they can reach, and then launches the malware by hand on each of them.
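The delivery chain described above starts with credential guessing against RDP, which leaves a recognizable trail in the Windows Security log: a burst of event 4625 (logon failure) with logon type 10 (RemoteInteractive) from one source address, followed by a 4624 (logon success) with the same logon type from that address. The following detector is an added example written for this page, not code from the article, from Allscripts or from GreyCastle Security. The log lines are constructed, and the pipe-delimited format is an assumption standing in for the fields you would pull from `Get-WinEvent` or a SIEM export; the threshold and time window are likewise illustrative defaults.

```python
"""
Flag RDP credential guessing and a subsequent successful RDP logon from the
same source in Windows Security event records.

Added example for illustration only. The records below are constructed, not
taken from any real incident, and the pipe-delimited layout is an assumed
export format carrying only the fields that matter for this detection.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time | event id | logon type | account | source.
# 4625 = logon failure, 4624 = logon success; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-01-17T23:58:12|4624|2|jsmith|-
2018-01-18T02:14:01|4625|10|administrator|203.0.113.45
2018-01-18T02:14:03|4625|10|administrator|203.0.113.45
2018-01-18T02:14:05|4625|10|admin|203.0.113.45
2018-01-18T02:14:08|4625|10|backup|203.0.113.45
2018-01-18T02:14:10|4625|10|scanner|203.0.113.45
2018-01-18T02:14:12|4625|10|administrator|203.0.113.45
2018-01-18T02:14:15|4624|10|administrator|203.0.113.45
2018-01-18T08:02:44|4625|10|jsmith|198.51.100.7
2018-01-18T08:03:10|4624|10|jsmith|198.51.100.7
"""

RDP_LOGON_TYPE = 10
LOGON_FAILURE = 4625
LOGON_SUCCESS = 4624


def parse_events(text):
    """Parse the assumed pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings, in time order.

    A source is flagged "brute_force" when it produces `threshold` RDP logon
    failures inside `window`, regardless of which accounts were tried (so
    password spraying across accounts is caught too). It is flagged
    "brute_force_success" when an RDP logon success from the same source
    follows within `window` of a flagged run; that success is the host the
    attacker now controls and should be isolated first.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of RDP failures in window
    flagged_at = {}                       # src -> time the threshold was last crossed
    findings = []

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, service and network logons are out of scope here
        src = ev["src"]

        if ev["event_id"] == LOGON_FAILURE:
            q = recent_failures[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) == threshold:  # fire once, at the moment the threshold is crossed
                flagged_at[src] = ev["time"]
                findings.append({"type": "brute_force", "src": src,
                                 "time": ev["time"], "failures": len(q)})

        elif ev["event_id"] == LOGON_SUCCESS:
            flagged = flagged_at.get(src)
            if flagged is not None and ev["time"] - flagged <= window:
                findings.append({"type": "brute_force_success", "src": src,
                                 "account": ev["account"], "time": ev["time"]})

    return findings


if __name__ == "__main__":
    for finding in find_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed input this reports one brute-force run from 203.0.113.45 and then a successful `administrator` RDP logon from the same address seconds later, while the single failed attempt from 198.51.100.7 followed by a success is ignored as a normal typo. The second finding is the one to page on: it marks the foothold from which privilege escalation and lateral movement begin, and catching it there is far cheaper than the ground-up rebuild described later in this story.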

“Typical ransomware will affect 1 system in a file share. SamSam is going to affect every single system that it can access and that’s online,” Adam Dean, practice manager of incident response at GreyCastle Security, told Healthcare Analytics News™. The firm has helped companies, including hospitals, respond to the malware in the past. Dean said that the malware has been around for about a year, and seems proprietary to 1 actor or group of actors.

The malware is no stranger to healthcare, either. Hancock Regional Hospital in Greenfield, Indiana was infected earlier this month. The hospital paid roughly $55,000 in Bitcoin to free its files. The variant affecting Allscripts is believed to differ from that used against the hospital, although a unique variety of SamSam is believed to be deployed in each incident.

The company, however, says it does not believe it was targeted directly. Dean said that the person or group is scanning for certain vulnerabilities, and often ends up hitting healthcare entities either because those vulnerabilities are present or because of the importance of the information they manage.

The doctor who spoke with Healthcare Analytics News™ said that he has had difficulty getting answers from Allscripts about when services will be fully restored, despite the company hosting 3 briefings with affected providers since the problem began last week.

“In reality, the best way to remediate the situation is to rebuild the network from the ground up,” Dean said. “You don’t want to pay that ransom, and you don’t want to just clean off the encrypted files and hope it doesn’t come back. Unfortunately, that’s a very long and tedious process, but that’s the only way to be 100% sure that the infection is cleaned off.”

Allscripts did not respond to requests for comment for this story. The company provides EHR services to 45,000 practices and as many as 180,000 physicians.

UPDATE: One week in, many providers report that they are still experiencing service outages resulting from the attack.

Related Coverage:

For Hospitals, the Ransomware Threat is Here to Stay

Ransomware and Email Top Health IT Concerns

Lessons from a Hospital Ransomware Attack