SamSam Ransomware

The first appearance of what is known as the “SamSam” ransomware came towards the end of 2015, and some believe the group who are responsible for the malware comes from Eastern Europe.

Among its many victims the ransomware has targeted a number of healthcare organizations like Hancock Health, Allscripts, the Colorado Dept. of Transportation and most famously the city of Atlanta, costing millions of dollars worth of damage.

In the Atlanta attack that began on March 22, 2018, more than a third of the city’s systems were knocked offline, and a large chunk of those systems were deemed to be “mission critical,” like the infrastructure used by police and the courts along with the ability to pay parking tickets and water bills. The attack crippled the city for days and weeks afterwards.

Unlike makers of many other types of ransomware who will attack random masses of victims in a percentages, game hoping for one or two payouts, the group behind SamSam specifically targets its victims and it appears that the attacks are manual, in other words, someone is “behind the keyboard” for each attack.

SamSam usually exploits JBoss, RDP (Remote Desktop Protocol) and VPN vulnerabilities, and uses a variety of hacking tools from Mimikatz and reGeorg to PsExec and PowerSploit.

Once a network is compromised the malware will begin to elevate privileges and once the system is fully compromised the ransomware portion of the attack begins. In many cases the contents of the compromised files are encrypted and renamed “i’m sorry.” An accompanying note to the victims describes the steps involved in decrypting the files, which means sending Bitcoin payment to recover the private asymmetric key and unlock the files.

SamSam Ransom Note

While some companies have chosen to pay, like Allscripts and Hancock Health, who both paid a ransom of roughly $51,000-$55,000 (four Bitcoins at the time), others like the City of Atlanta have oped to fight the malware. Estimates suggest Atlanta is now at over $10 million in cleanup costs.

[This article was written in July 2018, we are sure there are more SamSam attacks to come…]

Interesting Facts:

  • The attackers offer the victims the ability to buy one key first to prove that they will indeed decrypt your files.
  • The Atlanta police lost all dashcam footage as a result of the attack.
  • The SamSam makers don’t sell it’s products on criminal forums.

Sources Used For This Article:

Leave a Reply

Your email address will not be published. Required fields are marked *