Allscripts Recovering from Alleged SamSam Ransomware Attack

EHR giant Allscripts has reportedly been hit by a ransomware incident, which seems to have taken place last Thursday…

As per reports, it’s the SamSam ransomware that has thrown out of gear a limited number of services at Allscripts, the leading EHR (Electronic Health Record) company headquartered in Chicago, IL. Reports indicate that the company is recovering gradually from the ransomware attack.

Healthcare IT News reports- “A limited number of Allscripts services went down Thursday after a ransomware incident, according to an emailed statement from company spokeswoman Concetta Rasiarmos.”

Learn the best ransomware protection steps here to resist ransomware attack.

Salted Hash, which is the IT Security News coverage section of CSOonline.com, reports- “Allscripts, the billion-dollar electronic health record (EHR) company headquartered in Chicago, IL said they were still working to recover from a ransomware attack that left several applications offline after data centers in Raleigh and Charlotte, NC were infected on Thursday.” The report further says- “In a conference call for customers on Saturday, which Salted Hash listened-in on, Allscripts’ Jeremy Maxwell, director of information security, said their PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were the hardest hit by the ransomware attack.”

The Salted Hash report also states that though other services, like direct messaging and some CCDA functionality, too had availability issues, they have since been restored. It’s also reported that EPCS has been restored and the company is working on getting PRO EHR back on the track. The report, dated 21 January, further says- “However, in a call on Sunday Allscripts told providers to prepare for outages to continue through Monday as the company recovers. The recovery is focused on getting data restored via backups and alternative access methods.”

As per reports, the ransomware attack at Allscripts started on Thursday, January 18 around 2 am EST. It took just four hours for it to be get transformed into a full-blown ransomware incident. Ultimately, Allscripts reportedly had to call in response teams from Microsoft and Cisco to assist handle the situation. Reports also say that on Sunday Mandiant had also teamed up with Allscripts for investigating the incident.

Fortunately for Allscripts, there was backup support of the data and backup systems weren’t affected, as per reports. The Salted Hash report says- “Backup systems were not impacted by the ransomware, thus enabling Allscripts to restore systems one-by-one from backup. Full backups are made on Friday, and incremental backups are done nightly at 10:00 p.m. EST. So as the systems are restored, the expectation is that there will be minimal – if any – data loss.”

Healthcare IT News quotes more from the email that Allscripts spokeswoman Concetta Rasiarmos had reportedly written- “We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected…We regret any inconvenience caused by this temporary outage.” Rasiarmos has also reportedly made it clear that there is no evidence that any data has been removed from the company’s systems. (The Allscripts client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals, 17,000 post-acute organizations etc).

Reports also say that though Allscripts’ website or Twitter account didn’t mention the incident, users did take to Twitter to express their anger and frustration with the outage. The company meanwhile reportedly remained responsible and directed users to its support team for more information and support.

2018 seems to have started on an eventful note for ransomware criminals, especially those behind the SamSam ransomware (also known as Samas). The ransomware has already struck at some high-profile targets, sabotaging data and file access.

A Bleeping Computer report states- “The SamSam ransomware group seems to have gotten to a “great” start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.”

HackerCombat had already written on the SamSam ransomware strike at Hancock Health, a regional hospital in the city of Greenfield, Indiana. We had quoted reports that said that the Hancock Health hospital had paid a $55,000 ransom to the hackers to regain access to its network and data.

The Bleeping Computer report further says- “Reported attacks include the one against the Hancock Health Hospital in of Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.”

Anyhow, experts state that it’s different variants of the SamSam ransomware that seem to be targeting different organizations.