Incident Of The Week: LabCorp Hit With ‘SamSam’ Ransomware

Company Restoring Systems In Wake Of July 14 Attack

Dan Gunderman
07/20/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. Cyber Security Hub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we review an apparent ransomware event at the medical-testing giant LabCorp, which conducts various diagnostic tests.

People close to the situation believe the medical company – which holds data on roughly half of the U.S. population – was affected by the SamSam malware strain. The company reportedly does not intend to pay the ransom, but instead to replace devices. That has not been confirmed by spokespersons.

According to the Wall Street Journal, the company is investigating suspicious activity but has yet to disclose the extent of the ransomware. The cyber-attack struck a genetic-testing unit on the weekend of July 14.

Similar cyber-attacks worldwide have left enterprises helpless as their files are encrypted and black hats demand steep payment (typically in cryptocurrency) to return them. The method is particularly worrisome in the healthcare space, as these organizations hold sensitive data – protected health information (PHI) – that could be leaked or leveraged.

A spokeswoman said that there is no evidence any data was breached, the WSJ writes.


In a securities filing, LabCorp said it detected “suspicious activity” on a diagnostics network. It indicated that Covance, the company’s drug-development component, was not affected. However, LabCorp workstations, servers and devices were.

Any disruption to Covance was quickly remedied due to response protocols, it said. The incident is under investigation by LabCorp as well as security experts and law enforcement.

In its immediate response, the company took parts of its network offline, impacting patient access.

The National Health Information Sharing and Analysis Center reportedly said that hackers demanded $52,000 in bitcoin, or $6,000 for each machine touched by the SamSam bug.

The spokesperson did not confirm the ransom.

The same outlet reviewed a note to LabCorp employees delivered Wednesday, which said the company was responding to specific customer inquiries, and working to restore key functions to limit potential impact.

The WSJ added that because the newly acquired genetic-testing component was not fully integrated, the response time may have been slowed.

The occurrence is another in a string of high-profile attacks that have dominated news cycles and uncovered vulnerabilities in large enterprises. It’s particularly worrisome when it occurs in leading medical services companies that house the aforementioned PHI.

Yet, the more awareness around these “gaps” and “vulnerabilities,” the more likely CISOs and others on the security team (and beyond) will be able to act against them. (In this case: allegedly incomplete security controls on the newly acquired branch of the business.)
