The SamSam ransomware attack on the City of Atlanta was expected to cost around $6 million to resolve; however, a confidential document obtained by the Atlanta Journal-Constitution shows that the total cost of mitigating the attack and upgrading the city's systems and security will be $11 million more than expected. The City of Atlanta will be performing a complete overhaul of its software and systems to bring them up to scratch and make it much harder for similar attacks to occur in future. In addition to security upgrades for existing software, new security services had to be purchased, and tablets, computers, laptops and mobile phones had to be replaced.
The SamSam ransomware attack on the Colorado Department of Transportation was also costly. As with the City of Atlanta, the ransom was not paid. The Colorado DOT had to pay around $2 million to resolve the attack. Many victims of ransomware attacks opt to pay the ransom because of the extensive disruption to services that follows an attack if files have to be recovered manually and devices need to be rebuilt. Paying the ransom can also reduce the clean-up bill. However, the FBI does not recommend paying the ransom, as this only encourages further attacks and there is no guarantee that paying will result in keys being obtained to unlock the encrypted files.
These are far from the only SamSam ransomware attacks this year. A new analysis by the cybersecurity firm Sophos has shown that the individual(s) behind the ransomware variant have been highly active, conducting, on average, one attack per day since the ransomware was first created two and a half years ago.
Assisted by a cryptocurrency tracking firm, Sophos determined that the cryptocurrency wallets used by the threat actor behind the attacks had received 223 ransom payments. The total payments received by the threat actor were just short of $6 million, which is six times more than was initially thought.
The investigation showed that the victims were not just healthcare organizations, government agencies and educational institutions, which were thought to have been extensively targeted. The majority of the attacks were on firms in the private sector, and many of those had not been reported publicly. Only 26% of attacks were on healthcare organizations.
While there has been a reduction in the volume of ransomware attacks over the past 12 months, that is not the case with SamSam ransomware attacks. They are showing no sign of slowing.
In contrast to many ransomware attacks, SamSam ransomware is not sent through spam email; instead, brute force attacks on Remote Desktop Protocol (RDP) connections are favored. The ransomware is deployed manually once access to a network has been gained. The attacker accesses the network and uses standard administration tools to move laterally, deploys the malicious payload on computers and servers, and then starts the encryption routine. This is often done at night, when there is less chance of detection. This method is more effective than spam-delivered campaigns.
With the ransomware crippling businesses, the ransom demands can be higher. The ransom demands are usually in the region of $50,000. The high success rate and lucrative nature of the attacks means they are unlikely to stop any time soon.
Preventing a SamSam ransomware attack is not straightforward. Several steps must be taken to make it harder for an attacker to gain access to the network. Regular vulnerability scans should be conducted, and prompt patching is essential. Penetration testing is necessary to identify vulnerabilities before they are exploited. Companies should also use multi-factor authentication, deploy an intrusion detection system, routinely check access logs, limit admin privileges, and perform regular backups.
It is also essential to restrict RDP access, and remote connections should only be permitted via VPNs. If RDP is not needed, it should be disabled. If this is not possible, rate limiting can be implemented to make brute force attempts harder, and strong, unique passwords should be used and changed regularly.
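The "routinely check access logs" and "rate limiting" advice above can be turned into a concrete detection. The following is an added example, not code from the article or from Sophos: it scans Windows Security log records for RDP logon failures (event ID 4625 with logon type 10, RemoteInteractive) from one source address within a sliding window, and raises a higher-severity alert if a successful logon (4624) later arrives from an address that was already flagged. The sample records, threshold and window are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Windows Security log records (not real data):
# (timestamp, event_id, logon_type, source_ip, account)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2018-08-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-08-01T02:00:05", 4625, 3, "192.0.2.5", "svc_sql"),   # not RDP, ignored
    ("2018-08-01T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-08-01T02:00:17", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-08-01T02:00:25", 4625, 10, "203.0.113.7", "backup"),
    ("2018-08-01T02:00:33", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-08-01T02:00:41", 4625, 10, "203.0.113.7", "sysadmin"),
    ("2018-08-01T02:01:30", 4624, 10, "203.0.113.7", "sysadmin"),   # success after burst
    ("2018-08-01T08:15:00", 4625, 10, "198.51.100.20", "jsmith"),   # ordinary typo
    ("2018-08-01T08:15:20", 4625, 10, "198.51.100.20", "jsmith"),
    ("2018-08-01T08:15:40", 4624, 10, "198.51.100.20", "jsmith"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts: ("brute_force", ip, [accounts tried]) when a
    source exceeds `threshold` RDP failures inside `window`, and
    ("success_after_bruteforce", ip, account) if that source then logs on."""
    recent = defaultdict(deque)   # ip -> recent (timestamp, account) failures
    flagged = set()
    alerts = []
    for ts_str, event_id, logon_type, ip, account in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            failures = recent[ip]
            failures.append((ts, account))
            while failures and ts - failures[0][0] > window:   # drop stale entries
                failures.popleft()
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, sorted({a for _, a in failures})))
        elif event_id == 4624 and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, account))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The same per-source counter is what a rate limiter in front of RDP would key on; here it only alerts, which is the safer first step for a log review.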
According to Sophos, it is not enough to simply back up files. SamSam ransomware encrypts both data files and application configuration files, so restoring data files alone is insufficient, as applications will not function correctly. Systems need to be rebuilt, so it is important for businesses to plan for such an eventuality.