SamSam, the ransomware responsible for the costly cyberattack that shut down Atlanta’s computer systems earlier this year, is wreaking havoc on organizations and hospitals across the United States. Yesterday (Nov. 6) Symantec said the group behind the SamSam ransomware has gone after at least 67 different targets this year.
Like all ransomware, SamSam encrypts a victim’s files and offers to decrypt them for a ransom payment. However, SamSam differs from other ransomware variants in a couple of ways. Most ransomware is distributed through phishing emails, with the ransomware embedded in an attachment or link. SamSam attacks begin with a remote desktop protocol (RDP) compromise, either through brute-force attacks on exposed RDP services or through stolen credentials purchased on the Dark Web. The ransomware then encrypts data across multiple systems before issuing a single ransom demand, often as much as $50,000. On top of encrypting files, SamSam goes after backups, ensuring that those infected are left with no option other than to cave in and pay the ransom.
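As an added detection example, not code from the article or from Symantec’s report: the check below runs over constructed Windows Security event lines (event ID 4625 for failed and 4624 for successful logons, logon type 10 for RDP) and flags a burst of failed RDP logons from one source address followed by a success, which is the credential brute force the article describes as SamSam’s entry point. The log format, threshold and time window are assumptions.

```python
# Added example (not from the article): flag RDP brute-force patterns in
# Windows Security events. Log lines are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp|EventID|LogonType|IpAddress|TargetUserName"
SAMPLE_EVENTS = """\
2018-11-06T02:00:01|4625|10|203.0.113.7|administrator
2018-11-06T02:00:03|4625|10|203.0.113.7|admin
2018-11-06T02:00:04|4625|10|203.0.113.7|backup
2018-11-06T02:00:06|4625|10|203.0.113.7|svc_sql
2018-11-06T02:00:08|4625|10|203.0.113.7|administrator
2018-11-06T02:00:12|4624|10|203.0.113.7|administrator
2018-11-06T09:15:00|4625|10|198.51.100.4|jsmith
2018-11-06T09:15:30|4624|10|198.51.100.4|jsmith
"""

def parse_events(text):
    """Parse the pipe-separated sample into (time, event_id, logon_type, ip, user)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, ip, user = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user) pairs where at least `threshold` RDP failures (4625,
    logon type 10) from one source within `window` precede an RDP success
    (4624, logon type 10) from the same source. Threshold/window are assumed."""
    failures = defaultdict(list)   # source IP -> timestamps of RDP failures
    hits = []
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != 10:            # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, user))
    return hits

if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

The single failure from 198.51.100.4 is a normal mistyped password and is not flagged; only the burst from 203.0.113.7 that ends in a success is reported.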
“If successful, these attacks can have a devastating impact on victim organizations, seriously disrupting their operations, destroying business critical information and leading to massive clean-up costs,” Symantec said in its report.
It has been known for a while that SamSam is different from other ransomware variants in that it truly targets its victims. Year-to-date, SamSam has targeted at least 67 different organizations, 80 percent of which have been in the United States. Furthermore, 24 percent of the attacks have targeted the healthcare sector.
Overall, the healthcare industry is getting better at defending against ransomware attacks. However, the industry is struggling to cope with SamSam’s targeted attacks.
“SamSam’s modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand,” the Symantec blog states.
Because they hold so much personally identifiable information on their networks and are essentially unable to operate without their computer systems, healthcare organizations may be targeted because they are more likely to pay the ransom.
SamSam Is Ruthless
SamSam and the group behind the ransomware could be the most sophisticated of their kind. Aside from its targeted attacks, distributing the ransomware across an entire network, and deleting backups, the group goes a step further. In a February attack that Symantec studied, the hackers loaded two different versions of SamSam, in case one strain was detected by security protections. Two days passed between evidence of an intrusion and the encryption of hundreds of the organization’s computers.
Symantec warns that SamSam poses “a grave threat to organizations in the US. The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks.”
As for protecting against SamSam, Glen Pendley, deputy CTO at Tenable, says, “This ransomware campaign is a reminder of the importance of complete visibility into your attack surface. You need to know what assets you have, where they’re located, and what’s installed on them in order to reduce your overall exposure. It’s basic, but it can help thwart these types of attacks.”