LabCorp Data Breach Fears Were Unfounded. It Was a Ransomware Attack
Laboratory Corporation of America Holdings, or LabCorp, has 60,000 employees worldwide, supports clinical trials in close to 100 countries, and processes around 2.5 million lab tests every week. This means that LabCorp handles and stores potentially very sensitive data related to the health of millions of people. As you might imagine, when the company announced that it had detected 'suspicious activity' on its IT network, the reactions weren't exactly positive. People were genuinely scared about their health information. As it turns out, they didn't have much to worry about.
The news broke on Monday when the company filed an 8-K with the Securities and Exchange Commission. The document said little apart from the fact that over the weekend, some of LabCorp's computers and servers had been behaving unusually. Although the filing suggests that the company's IT team did not know what they were dealing with at the time, many systems were shut down to prevent any real damage.
Yesterday, CSO reported more details about the attack. Apparently, at midnight on July 13, the attackers began trying to infiltrate LabCorp's network by brute-forcing Remote Desktop Protocol (RDP) login credentials. By 6 PM on July 14, they were in, and they dropped their payload – a strain of ransomware known as SamSam.
The good news
Obviously, a cyberattack can never be good news, especially for the organization that is targeted, but in this case, we're pretty sure that both LabCorp employees and patients breathed a collective sigh of relief when they learned that the laboratory network had been hit by ransomware.
The alternative was a piece of malware that steals and exposes patients' data, which could have had devastating consequences. After carefully reviewing the evidence, LabCorp confidently states that no information has been leaked. So, it could certainly have been much worse.
Upon learning of the attack, LabCorp's IT team immediately started taking systems offline in an attempt to limit the damage. Within fifty minutes, the infection was contained, but by that time, SamSam had already managed to encrypt the data on 7,000 systems and 1,900 servers.
Despite the substantial damage they caused, the hackers went away empty-handed. According to official announcements, the ransomware was "removed", which suggests that LabCorp had working backups from which it restored the encrypted information. The company says that most of the testing operations have been resumed and that everything will be back to normal within a few days.
All in all, LabCorp's reaction to the attack deserves a certain level of praise. The company reacted quickly, and the ransomware was contained before it could completely break the laboratory network's infrastructure. After that, its responsible management of sensitive data helped ensure that no information would be lost.
The not-so-good news
LabCorp has yet to identify the exact strain of ransomware, but CSO and its sources appear fairly certain that it is SamSam, because this particular family has hit more than a few healthcare organizations over the past year or so. What's more, while it is not their only infection vector, the SamSam gang often attacks victims by brute-forcing RDP credentials.
Again, the details are still unclear, but the evidence suggests that LabCorp did not have two-factor authentication protecting its RDP accounts. In other words, there was evidence that LabCorp was a potential target, and yet, while it did respond well to the attack, it had failed to take the one step that could have stopped it.
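The attack pattern the article describes above and in the CSO account (a long run of failed RDP logons from one source, followed hours later by a successful one) is visible in ordinary Windows Security logs long before any payload lands, and watching for it is a useful complement to the two-factor authentication the article says was missing. The following is an added example, not code from the article, CSO or LabCorp: it runs over a constructed set of event records shaped like Windows Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), flags any source IP whose failures reach a threshold inside a sliding window, and then flags a later successful RDP logon from that same IP as a likely credential compromise. The IP addresses, account names, timestamps, threshold and window sizes are all assumptions chosen for the illustration.

```python
"""Detect RDP brute-force bursts followed by a successful logon.

Added example (not from the article). Input records mimic the fields of
Windows Security Event ID 4625 / 4624 with LogonType 10 (RDP); the
values below are constructed and are not records from the LabCorp incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2018-07-13 00:00:02", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-07-13 00:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2018-07-13 00:00:06", 4625, 10, "203.0.113.7", "labadmin"),
    ("2018-07-13 00:00:09", 4625, 10, "203.0.113.7", "backup"),
    ("2018-07-13 00:00:11", 4625, 10, "203.0.113.7", "svc_rdp"),
    ("2018-07-13 00:00:13", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-07-13 08:15:00", 4625, 10, "198.51.100.4", "jsmith"),  # single typo, benign
    ("2018-07-13 08:15:20", 4624, 10, "198.51.100.4", "jsmith"),
    ("2018-07-13 09:00:00", 4625, 3, "203.0.113.7", "guest"),     # network logon, not RDP
    ("2018-07-14 18:00:00", 4624, 10, "203.0.113.7", "administrator"),
]


def parse(records):
    """Turn the raw tuples into dicts with a real datetime for sorting."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "logon_type": lt, "ip": ip, "account": acct}
        for ts, eid, lt, ip, acct in records
    ]


def rdp_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per source IP whose RDP failures reach `threshold` inside a
    sliding `window`. Returns (ip, first_failure_ts, trigger_ts, count)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (ev["ip"], q[0], ev["ts"], len(q))
    return list(alerts.values())


def success_after_burst(events, bursts, grace=timedelta(hours=48)):
    """Flag a successful RDP logon from an IP that tripped a failure burst up to
    `grace` earlier: the signature of a guessed password, not a user typo.
    Returns (ip, account, success_ts)."""
    trigger_by_ip = {ip: trigger for ip, _first, trigger, _n in bursts}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != SUCCESS_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        trigger = trigger_by_ip.get(ev["ip"])
        if trigger is not None and trigger <= ev["ts"] <= trigger + grace:
            hits.append((ev["ip"], ev["account"], ev["ts"]))
    return hits


def run(records=SAMPLE_EVENTS):
    """Run both detections over a record set; returns (bursts, compromises)."""
    events = parse(records)
    bursts = rdp_failure_bursts(events)
    return bursts, success_after_burst(events, bursts)


if __name__ == "__main__":
    bursts, compromises = run()
    for ip, first, trig, n in bursts:
        print(f"BRUTE-FORCE {ip}: {n} RDP failures between {first} and {trig}")
    for ip, acct, ts in compromises:
        print(f"LIKELY COMPROMISE {ip}: successful RDP logon as {acct} at {ts}")
```

On the sample data the single mistyped password from 198.51.100.4 never reaches the threshold, the non-RDP failure from 203.0.113.7 is ignored, and the successful administrator logon from 203.0.113.7 on the evening of July 14 is flagged because that address tripped the burst rule the previous night. In a real deployment the records would come from a SIEM or from the Security event log of each RDP-exposed host, and the thresholds would be tuned to the environment's normal failure rate.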
Experts often say that an attacker needs to succeed only once to launch a successful attack. The users and organizations on the other end, however, need to succeed every time if they are to prevent a security incident. The ransomware attack on LabCorp shows just how correct this statement is.